* [BUGFIX][PATCH] shmdt cannot detach not-alined shm segment cleanly.
@ 2006-02-09 1:21 KAMEZAWA Hiroyuki
0 siblings, 0 replies; only message in thread
From: KAMEZAWA Hiroyuki @ 2006-02-09 1:21 UTC (permalink / raw)
To: Linux Kernel Mailing List
This is a patch for a problem of shmdt().
It is found by a test, not a serious problem.
-- Kame
sys_shmdt() can manages shm segments which is covered by multiple vmas.
(This can happen when a user uses mprotect() after shmat().)
This works well if shm is aligned to PAGE_SIZE, but if not, the last segment
cannot be detached. It is because a comparison in sys_shmdt()
(vma->vm_end - addr) < size
addr == return address of shmat()
size == shmsize, argments to shmget()
size should be aligned to PAGE_SIZE before being compared with vma->vm_end,
which is aligned.
Signed-Off-By:KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Index: linux-2.6.16-rc2.org/ipc/shm.c
===================================================================
--- linux-2.6.16-rc2.org.orig/ipc/shm.c
+++ linux-2.6.16-rc2.org/ipc/shm.c
@@ -870,6 +870,7 @@ asmlinkage long sys_shmdt(char __user *s
* could possibly have landed at. Also cast things to loff_t to
* prevent overflows and make comparisions vs. equal-width types.
*/
+ size = PAGE_ALIGN(size);
while (vma && (loff_t)(vma->vm_end - addr) <= size) {
next = vma->vm_next;
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2006-02-09 1:20 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-02-09 1:21 [BUGFIX][PATCH] shmdt cannot detach not-alined shm segment cleanly KAMEZAWA Hiroyuki
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.