[PATCH] shmdt cannot detach not-alined shm segment cleanly.

sys_shmdt() can manage shm segments which are covered by multiple vmas. (This can happen when a user uses mprotect() after shmat().) This works well if shm is aligned to PAGE_SIZE, but if not, the last segment cannot be detached. It is because a comparison in sys_shmdt() (vma->vm_end - addr) < size addr == return address of shmat() size == shmsize, argments to shmget() size should be aligned to PAGE_SIZE before being compared with vma->vm_end, which is aligned. Signed-off-by: KAMEZAWA Hiroyuki <[email protected]> Cc: Manfred Spraul <[email protected]> Acked-by: Hugh Dickins <[email protected]> Cc: <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
mna · Feb 10, 2006 · 8e36709 · 8e36709
1 parent c22db94
commit 8e36709
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/ipc/shm.c b/ipc/shm.c
@@ -870,6 +870,7 @@ asmlinkage long sys_shmdt(char __user *shmaddr)
 	 * could possibly have landed at. Also cast things to loff_t to
 	 * prevent overflows and make comparisions vs. equal-width types.
 	 */
+	size = PAGE_ALIGN(size);
 	while (vma && (loff_t)(vma->vm_end - addr) <= size) {
 		next = vma->vm_next;