Commit 556637cd authored by Johannes Weiner, committed by Linus Torvalds

mm: fix possible off-by-one in walk_pte_range()

After the loop in walk_pte_range() pte might point to the first address after
the pmd it walks.  The pte_unmap() is then applied to something bad.

Spotted by Roel Kluin and Andreas Schwab.
Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent f022bfd5
...@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, ...@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
int err = 0; int err = 0;
pte = pte_offset_map(pmd, addr); pte = pte_offset_map(pmd, addr);
do { for (;;) {
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private); err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
if (err) if (err)
break; break;
} while (pte++, addr += PAGE_SIZE, addr != end); addr += PAGE_SIZE;
if (addr == end)
break;
pte++;
}
pte_unmap(pte); pte_unmap(pte);
return err; return err;
......
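Review bot: the new for (;;) loop has no comment explaining why `pte++` must come after the `addr == end` check, and that ordering is the whole fix. It is what keeps pte on the last entry visited, so that pte_unmap(pte) is applied to an address inside the mapped page table rather than one past it. Without a one-line comment above `pte++`, a later cleanup could fold the loop back into the do/while form and reintroduce the off-by-one. An alternative that makes the invariant explicit is to save the pointer returned by pte_offset_map(pmd, addr) in a second variable and pass that to pte_unmap(), so the unmap no longer depends on where the iterator stopped. Separately, termination still relies on the equality test `addr == end`, which assumes end is reachable from addr in whole PAGE_SIZE steps. Nothing in this function checks that, so it is worth stating as a precondition in the function's comment.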