mm: fix possible off-by-one in walk_pte_range()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

After the loop in walk_pte_range() pte might point to the first address after
the pmd it walks. The pte_unmap() is then applied to something bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Johannes Weiner and committed by

Linus Torvalds 18 years ago 556637cd f022bfd5

+6 -2

1 changed file

expand all

pagewalk.c

+6 -2

mm/pagewalk.c

··· 9 9 int err = 0; 10 10 11 11 pte = pte_offset_map(pmd, addr); 12 - do { 12 + for (;;) { 13 13 err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private); 14 14 if (err) 15 15 break; 16 - } while (pte++, addr += PAGE_SIZE, addr != end); 16 + addr += PAGE_SIZE; 17 + if (addr == end) 18 + break; 19 + pte++; 20 + } 17 21 18 22 pte_unmap(pte); 19 23 return err;