mm: fix prctl_set_vma_anon_name

prctl_set_vma_anon_name could attempt to set the name across
two vmas at the same time due to a typo, which might corrupt
the vma list.  Fix it to use tmp instead of end to limit
the name setting to a single vma at a time.

Change-Id: Ie32d8ddb0fd547efbeedd6528acdab5ca5b308b4
Reported-by: Jed Davis <jld@mozilla.com>
Signed-off-by: Colin Cross <ccross@android.com>

diff --git a/kernel/sys.c b/kernel/sys.c
index ab7fda5fbe188559fcb7924fa5944e8439c8e856..65d3e55bd2820dc4f43e5061bb8246bc245f4967 100644 (file)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2187,7 +2187,7 @@ static int prctl_set_vma_anon_name(unsigned long start, unsigned long end,
                        tmp = end;
 
                /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
-               error = prctl_update_vma_anon_name(vma, &prev, start, end,
+               error = prctl_update_vma_anon_name(vma, &prev, start, tmp,
                                (const char __user *)arg);
                if (error)
                        return error;