diff options
author | Johannes Weiner <hannes@saeurebad.de> | 2008-04-28 17:15:47 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-05-01 14:44:38 -0700 |
commit | de15f7b048a6fe9df998a4fd854a0ac9eb87b80f (patch) | |
tree | 0add65fb2e4e05964fd2eece130e658b2258c07f | |
parent | 35a398abdc1b5111b62bca9174bc5ccf973ab6dc (diff) |
mm: fix possible off-by-one in walk_pte_range()
commit 556637cdabcd5918c7d4a1a2679b8f86fc81e891 upstream
After the loop in walk_pte_range() pte might point to the first address after
the pmd it walks. The pte_unmap() is then applied to something bad.
Spotted by Roel Kluin and Andreas Schwab.
Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | mm/pagewalk.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/mm/pagewalk.c b/mm/pagewalk.c index 1cf1417ef8b..0afd2387e50 100644 --- a/mm/pagewalk.c +++ b/mm/pagewalk.c @@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, int err = 0; pte = pte_offset_map(pmd, addr); - do { + for (;;) { err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private); if (err) break; - } while (pte++, addr += PAGE_SIZE, addr != end); + addr += PAGE_SIZE; + if (addr == end) + break; + pte++; + } pte_unmap(pte); return err; |