authorJohannes Weiner <hannes@saeurebad.de>2008-04-28 05:11:47 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-28 11:58:16 -0400
commit556637cdabcd5918c7d4a1a2679b8f86fc81e891 (patch)
treea5bb95b50e88535966af3ad49017196b757fca64
parentf022bfd58253099102218db5249220a7f4787114 (diff)
mm: fix possible off-by-one in walk_pte_range()
After the loop in walk_pte_range() pte might point to the first address after the pmd it walks. The pte_unmap() is then applied to something bad. Spotted by Roel Kluin and Andreas Schwab. Signed-off-by: Johannes Weiner <hannes@saeurebad.de> Cc: Roel Kluin <12o3l@tiscali.nl> Cc: Andreas Schwab <schwab@suse.de> Acked-by: Matt Mackall <mpm@selenic.com> Acked-by: Mikael Pettersson <mikpe@it.uu.se> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--mm/pagewalk.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417ef8b7..0afd2387e507 100644
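--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 int err = 0;
 
 pte = pte_offset_map(pmd, addr);
-do {
+for (;;) {
 err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
 if (err)
 break;
-} while (pte++, addr += PAGE_SIZE, addr != end);
+addr += PAGE_SIZE;
+if (addr == end)
+break;
+pte++;
+}
 
 pte_unmap(pte);
 return err;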
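Review bot: Nothing in the new loop records why `pte++` now comes after the `addr == end` check, so a later cleanup could fold it back into the `do { } while (pte++, ...)` form and again hand `pte_unmap()` a pointer one entry past the page table that was mapped. I would add a comment above the `for (;;)`, such as `/* pte must still point into the mapped page table when pte_unmap() runs; never advance it past the last entry visited */`. The exit test is an equality check, so it terminates only if `addr` and `end` are page-aligned and within the same pmd. That is presumably guaranteed by the caller but is not visible in this hunk, and it would be worth stating in the function's header comment. walk_pte_range() begins before the hunk and its closing brace lies after it.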