Hi,

Mikael Pettersson <mikpe@it.uu.se> writes:

quoted text
> Johannes Weiner writes:
>  > After the loop in walk_pte_range() pte might point to the first address
>  > after the pmd it walks.  The pte_unmap() is then applied to something
>  > bad.
>  > 
>  > Spotted by Roel Kluin and Andreas Schwab.
>  > 
>  > Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
>  > CC: Roel Kluin <12o3l@tiscali.nl>
>  > CC: Andreas Schwab <schwab@suse.de>
>  > CC: Matt Mackall <mpm@selenic.com>
>  > CC: Andrew Morton <akpm@linux-foundation.org>
>  > ---
>  > 
>  > A bug is unlikely, though.  kunmap_atomic() looks up the kmap entry by
>  > map-type instead of the address the pte points.  So the worst thing I
>  > could find with a quick grep was that a wrong TLB entry is being
>  > flushed.  Still, the code is wrong :)
>  > 
>  > diff --git a/mm/pagewalk.c b/mm/pagewalk.c
>  > index 1cf1417..cf3c004 100644
>  > --- a/mm/pagewalk.c
>  > +++ b/mm/pagewalk.c
>  > @@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
>  >  		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
>  >  		if (err)
>  >  		       break;
>  > -	} while (pte++, addr += PAGE_SIZE, addr != end);
>  > +	} while (addr += PAGE_SIZE, addr != end && pte++);
>
> Instead of obfuscating the code by putting "&& pte++" in the
> condition (it will always be true in valid C), you should IMO
> rewrite the do-while as a for loop + break, like this:
>
> 	for (;;) {
> 	    // same body as before
> 	    addr += PAGE_SIZE;
> 	    if (addr == end)
> 	        break;
> 	    pte++;
> 	}

Sorry, I think too lispy :)

	Hannes
---

From: Johannes Weiner <hannes@saeurebad.de>
Subject: [PATCH] mm: Fix possible off-by-one in walk_pte_range()

After the loop in walk_pte_range() pte might point to the first address
after the pmd it walks.  The pte_unmap() is then applied to something
bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
CC: Roel Kluin <12o3l@tiscali.nl>
CC: Andreas Schwab <schwab@suse.de>
CC: Matt Mackall <mpm@selenic.com>
CC: Andrew Morton <akpm@linux-foundation.org>
---

A bug is unlikely, though.  kunmap_atomic() looks up the kmap entry by
map-type instead of the address the pte points.  So the worst thing I
could find with a quick grep was that a wrong TLB entry is being
flushed.  Still, the code is wrong :)

diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417..0afd238 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 	int err = 0;
 
 	pte = pte_offset_map(pmd, addr);
-	do {
+	for (;;) {
 		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
 		if (err)
 		       break;
-	} while (pte++, addr += PAGE_SIZE, addr != end);
+		addr += PAGE_SIZE;
+		if (addr == end)
+			break;
+		pte++;
+	}
 
 	pte_unmap(pte);
 	return err;
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/