x86/mpx, mm/core: Fix recursive munmap() corruption

[linux-2.6-microblaze.git] / arch / x86 / mm / mpx.c

diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index c805db6..7aeb9fe 100644 (file)
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_struct *mm,
  * the virtual address region start...end have already been split if
  * necessary, and the 'vma' is the first vma in this range (start -> end).
  */
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
-               unsigned long start, unsigned long end)
+void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+                     unsigned long end)
 {
+       struct vm_area_struct *vma;
        int ret;
 
        /*
@@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
         * which should not occur normally. Being strict about it here
         * helps ensure that we do not have an exploitable stack overflow.
         */
-       do {
+       vma = find_vma(mm, start);
+       while (vma && vma->vm_start < end) {
                if (vma->vm_flags & VM_MPX)
                        return;
                vma = vma->vm_next;
-       } while (vma && vma->vm_start < end);
+       }
 
        ret = mpx_unmap_tables(mm, start, end);
        if (ret)