aboutsummaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorHugh Dickins <hugh@veritas.com>2007-10-19 14:30:18 +0200
committerAdrian Bunk <bunk@kernel.org>2007-10-19 14:30:18 +0200
commitec2cb473e3bb0fe1538874cf7773638c235e5b45 (patch)
tree11c4be6cc3cae9c32c4932388d0945815262ccb6 /security
parent79d2ce4bb1adf75b471824a13d2443748cb48db3 (diff)
hugetlb: fix prio_tree unit (CVE-2007-4133)
hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be absurdly sparse). At first I thought the error benign, just calling __unmap_hugepage_range on more vmas than necessary; but on 32-bit machines, when the prio_tree is searched correctly, it happens to ensure the v_offset calculation won't overflow. As it stood, when truncating at or beyond 4GB, it was liable to discard pages COWed from lower offsets; or even to clear pmd entries of preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes). Signed-off-by: Hugh Dickins <hugh@veritas.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions