mm: fix possible off-by-one in walk_pte_range()
After the loop in walk_pte_range() pte might point to the first address after the pmd it walks. The pte_unmap() is then applied to something bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Parent: f022bfd582
Commit: 556637cdab
|
@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
|
|||
int err = 0;
|
||||
|
||||
pte = pte_offset_map(pmd, addr);
|
||||
do {
|
||||
for (;;) {
|
||||
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
|
||||
if (err)
|
||||
break;
|
||||
} while (pte++, addr += PAGE_SIZE, addr != end);
|
||||
addr += PAGE_SIZE;
|
||||
if (addr == end)
|
||||
break;
|
||||
pte++;
|
||||
}
|
||||
|
||||
pte_unmap(pte);
|
||||
return err;
|
||||
|
|
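Review bot: In the new for (;;) loop, the fix rests on pte++ coming after the addr == end check, so that pte_unmap(pte) receives the last entry actually visited rather than the slot one past the pmd's page table, but nothing in the code says so. A one-line comment at pte++ or at pte_unmap(pte), stating that pte must stay inside the mapped page table, would keep a later cleanup from folding the loop back into a do/while with pte++ in the condition. Separately, termination still depends on addr reaching end exactly after whole PAGE_SIZE steps; that precondition on addr and end is worth stating in a comment on the function.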