author | Hugh Dickins <hugh@veritas.com> | 2007-10-19 14:30:18 +0200 |
---|---|---|
committer | Adrian Bunk <bunk@kernel.org> | 2007-10-19 14:30:18 +0200 |
commit | ec2cb473e3bb0fe1538874cf7773638c235e5b45 (patch) | |
tree | 11c4be6cc3cae9c32c4932388d0945815262ccb6 /security | |
parent | 79d2ce4bb1adf75b471824a13d2443748cb48db3 (diff) |
hugetlb: fix prio_tree unit (CVE-2007-4133)

hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in
units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas
its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be
absurdly sparse).

At first I thought the error benign, just calling __unmap_hugepage_range on
more vmas than necessary; but on 32-bit machines, when the prio_tree is
searched correctly, it happens to ensure the v_offset calculation won't
overflow. As it stood, when truncating at or beyond 4GB, it was liable to
discard pages COWed from lower offsets; or even to clear pmd entries of
preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>

Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions
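
The unit mismatch described in the commit message, as an added user-space model that is not code from this commit or from the kernel tree. The names `model_vma`, `tree_overlaps` and `unmap_from_*` are hypothetical, and 4 KiB pages with 4 MiB huge pages on a 32-bit machine are assumed; the model compares a search keyed in PAGE_SIZE units with one keyed in HPAGE_SIZE units when a file is truncated to 4 GiB.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed for illustration: 32-bit machine, 4 KiB pages, 4 MiB huge pages. */
#define PAGE_SHIFT  12
#define HPAGE_SHIFT 22

/* Hypothetical stand-in for a vma; uint32_t models a 32-bit unsigned long. */
struct model_vma {
    uint32_t vm_start, vm_end; /* user virtual address range */
    uint32_t vm_pgoff;         /* file offset in PAGE_SIZE units */
};

/* Overlap query [first, ULONG_MAX]: tree keys are always PAGE_SIZE units. */
static int tree_overlaps(const struct model_vma *v, uint32_t first)
{
    uint32_t last = v->vm_pgoff + ((v->vm_end - v->vm_start) >> PAGE_SHIFT) - 1;
    return last >= first;
}

/* PAGE_SIZE units throughout. Returns first address unmapped, or vm_end if none. */
static uint32_t unmap_from_page_units(const struct model_vma *v, uint64_t size)
{
    uint32_t pgoff = (uint32_t)(size >> PAGE_SHIFT), v_offset = 0;
    if (!tree_overlaps(v, pgoff))
        return v->vm_end;
    if (v->vm_pgoff < pgoff)
        v_offset = (pgoff - v->vm_pgoff) << PAGE_SHIFT;
    return v->vm_start + v_offset;
}

/* Same walk with the search key in HPAGE_SIZE units (the misconversion). */
static uint32_t unmap_from_hpage_units(const struct model_vma *v, uint64_t size)
{
    uint32_t h_pgoff = (uint32_t)(size >> HPAGE_SHIFT), v_offset = 0;
    uint32_t h_vm_pgoff = v->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT);
    if (!tree_overlaps(v, h_pgoff))  /* key is 1024x too small: spurious match */
        return v->vm_end;
    if (h_vm_pgoff < h_pgoff)        /* the shift can wrap in 32 bits */
        v_offset = (h_pgoff - h_vm_pgoff) << HPAGE_SHIFT;
    return v->vm_start + v_offset;
}

int main(void)
{
    struct model_vma v = { 0x40000000u, 0x40800000u, 0 }; /* constructed: 8 MiB at file offset 0 */
    printf("page units:  unmap from %#x\n", (unsigned)unmap_from_page_units(&v, 1ULL << 32));
    printf("hpage units: unmap from %#x\n", (unsigned)unmap_from_hpage_units(&v, 1ULL << 32));
    return 0;
}
```

With the constructed mapping, the page-unit walk leaves the mapping alone, while the hugepage-unit walk matches it and the wrapped offset puts the unmap start at `vm_start`.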