mm: fix possible off-by-one in walk_pte_range()

After the loop in walk_pte_range() pte might point to the first address after the pmd it walks. The pte_unmap() is then applied to something bad. Spotted by Roel Kluin and Andreas Schwab. Signed-off-by: Johannes Weiner <[email protected]> Cc: Roel Kluin <[email protected]> Cc: Andreas Schwab <[email protected]> Acked-by: Matt Mackall <[email protected]> Acked-by: Mikael Pettersson <[email protected]> Cc: <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
ambv · Apr 28, 2008 · 556637c · 556637c
1 parent f022bfd
commit 556637c
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 	int err = 0;
 
 	pte = pte_offset_map(pmd, addr);
-	do {
+	for (;;) {
 		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
 		if (err)
 		       break;
-	} while (pte++, addr += PAGE_SIZE, addr != end);
+		addr += PAGE_SIZE;
+		if (addr == end)
+			break;
+		pte++;
+	}
 
 	pte_unmap(pte);
 	return err;