From: Johannes Weiner <hannes@saeurebad.de>
To: Mikael Pettersson <mikpe@it.uu.se>
Cc: LKML <linux-kernel@vger.kernel.org>,
Roel Kluin <12o3l@tiscali.nl>, Andreas Schwab <schwab@suse.de>,
Matt Mackall <mpm@selenic.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH v2] mm: Fix possible off-by-one in walk_pte_range()
Date: Tue, 15 Apr 2008 18:16:53 +0200 [thread overview]
Message-ID: <8763ujhz4a.fsf_-_@saeurebad.de>
In-Reply-To: <18436.52094.242415.163660@harpo.it.uu.se> (Mikael Pettersson's message of "Tue, 15 Apr 2008 17:36:30 +0200")
Hi,
Mikael Pettersson <mikpe@it.uu.se> writes:
> Johannes Weiner writes:
> > After the loop in walk_pte_range() pte might point to the first address
> > after the pmd it walks. The pte_unmap() is then applied to something
> > bad.
> >
> > Spotted by Roel Kluin and Andreas Schwab.
> >
> > Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
> > CC: Roel Kluin <12o3l@tiscali.nl>
> > CC: Andreas Schwab <schwab@suse.de>
> > CC: Matt Mackall <mpm@selenic.com>
> > CC: Andrew Morton <akpm@linux-foundation.org>
> > ---
> >
> > A bug is unlikely, though. kunmap_atomic() looks up the kmap entry by
> > map-type instead of the address the pte points to. So the worst thing I
> > could find with a quick grep was that a wrong TLB entry is being
> > flushed. Still, the code is wrong :)
> >
> > diff --git a/mm/pagewalk.c b/mm/pagewalk.c
> > index 1cf1417..cf3c004 100644
> > --- a/mm/pagewalk.c
> > +++ b/mm/pagewalk.c
> > @@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
> > err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
> > if (err)
> > break;
> > - } while (pte++, addr += PAGE_SIZE, addr != end);
> > + } while (addr += PAGE_SIZE, addr != end && pte++);
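Review bot: the `+ } while (addr += PAGE_SIZE, addr != end && pte++);` line turns a pointer post-increment into a loop condition. Because `&&` short-circuits, `pte++` is evaluated only when `addr != end`, which does leave `pte` on the last visited entry at exit, but the loop then continues only because a freshly incremented, non-NULL pointer converts to true, an invariant the reader has to prove rather than see. Putting the increment in the body after an explicit `if (addr == end) break;` gives the same exit value without relying on the truth value of a pointer.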
>
> Instead of obfuscating the code by putting "&& pte++" in the
> condition (it will always be true in valid C), you should IMO
> rewrite the do-while as a for loop + break, like this:
>
> for (;;) {
> // same body as before
> addr += PAGE_SIZE;
> if (addr == end)
> break;
> pte++;
> }
Sorry, I think too lispy :)
Hannes
---
From: Johannes Weiner <hannes@saeurebad.de>
Subject: [PATCH] mm: Fix possible off-by-one in walk_pte_range()
After the loop in walk_pte_range() pte might point to the first address
after the pmd it walks. The pte_unmap() is then applied to something
bad.
Spotted by Roel Kluin and Andreas Schwab.
Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
CC: Roel Kluin <12o3l@tiscali.nl>
CC: Andreas Schwab <schwab@suse.de>
CC: Matt Mackall <mpm@selenic.com>
CC: Andrew Morton <akpm@linux-foundation.org>
---
A bug is unlikely, though. kunmap_atomic() looks up the kmap entry by
map-type instead of the address the pte points to. So the worst thing I
could find with a quick grep was that a wrong TLB entry is being
flushed. Still, the code is wrong :)
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417..0afd238 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
int err = 0;
pte = pte_offset_map(pmd, addr);
- do {
+ for (;;) {
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
if (err)
break;
- } while (pte++, addr += PAGE_SIZE, addr != end);
+ addr += PAGE_SIZE;
+ if (addr == end)
+ break;
+ pte++;
+ }
pte_unmap(pte);
return err;
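Review bot: the two exit paths of the new `for (;;)` now agree with the trailing `pte_unmap(pte)`: on `err` the loop leaves with `pte` at the entry that failed, exactly as before, and on normal completion `addr == end` is tested before `pte++`, so `pte` stays on the last entry the callback saw instead of one past the range that was mapped. Since the do/while form being removed is the one most people would write first, a one-line comment above `for (;;)` saying that the increment is deliberately kept out of the loop condition would stop someone from "simplifying" it back later.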
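As an added illustration, not part of the original mail or of mm/pagewalk.c, the following user-space C models both versions of the loop against a constructed fake page table and reports the index `pte` holds at the point where `pte_unmap()` would run. `count_entry`, `walk_ctx`, `final_index_old`, `final_index_new`, `TOY_PTES` and the 4096-byte `PAGE_SIZE` are assumptions of this example, not kernel definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel definitions used by
 * walk_pte_range(); pte_t, PAGE_SIZE and the callback type are
 * simplified for the example and are not the kernel's own. */
#define PAGE_SIZE 4096UL
#define TOY_PTES  8   /* entries in the fake page table below */

typedef unsigned long pte_t;
typedef int (*pte_entry_fn)(pte_t *pte, unsigned long addr,
                            unsigned long next, void *private);

struct walk_ctx {
	int calls;    /* entries the callback has seen so far */
	int fail_at;  /* index at which to return an error, -1 for never */
};

/* Hypothetical callback standing in for walk->pte_entry. */
static int count_entry(pte_t *pte, unsigned long addr,
		       unsigned long next, void *private)
{
	struct walk_ctx *c = private;

	(void)pte; (void)addr; (void)next;
	return c->calls++ == c->fail_at ? -1 : 0;
}

/* The loop as it stood before the patch: pte++ sits in the same comma
 * expression as addr += PAGE_SIZE, so on normal completion pte has
 * already moved one past the last entry when addr == end is noticed.
 * Returns the index pte_unmap() would be handed, relative to base. */
static ptrdiff_t walk_pte_range_old(pte_t *base, unsigned long addr,
				    unsigned long end, pte_entry_fn fn,
				    void *private)
{
	pte_t *pte = base;
	int err;

	do {
		err = fn(pte, addr, addr + PAGE_SIZE, private);
		if (err)
			break;
	} while (pte++, addr += PAGE_SIZE, addr != end);
	/* pte_unmap(pte) happens here in the kernel */
	return pte - base;
}

/* The loop as patched: advance addr, leave if the range is finished,
 * and only then step pte, so it still names the last entry visited. */
static ptrdiff_t walk_pte_range_new(pte_t *base, unsigned long addr,
				    unsigned long end, pte_entry_fn fn,
				    void *private)
{
	pte_t *pte = base;
	int err;

	for (;;) {
		err = fn(pte, addr, addr + PAGE_SIZE, private);
		if (err)
			break;
		addr += PAGE_SIZE;
		if (addr == end)
			break;
		pte++;
	}
	/* pte_unmap(pte) happens here in the kernel */
	return pte - base;
}

/* Walk a toy pmd covering n pages (1..TOY_PTES), optionally failing at
 * entry fail_at, and report where each loop leaves pte. */
ptrdiff_t final_index_old(int n, int fail_at)
{
	pte_t ptes[TOY_PTES] = { 0 };
	struct walk_ctx ctx = { 0, fail_at };

	if (n < 1 || n > TOY_PTES)
		return -1;
	return walk_pte_range_old(ptes, 0, (unsigned long)n * PAGE_SIZE,
				  count_entry, &ctx);
}

ptrdiff_t final_index_new(int n, int fail_at)
{
	pte_t ptes[TOY_PTES] = { 0 };
	struct walk_ctx ctx = { 0, fail_at };

	if (n < 1 || n > TOY_PTES)
		return -1;
	return walk_pte_range_new(ptes, 0, (unsigned long)n * PAGE_SIZE,
				  count_entry, &ctx);
}

int main(void)
{
	printf("old loop, 4 entries, no error: pte index %td (one past the end)\n",
	       final_index_old(4, -1));
	printf("new loop, 4 entries, no error: pte index %td\n",
	       final_index_new(4, -1));
	printf("error at entry 2: old %td, new %td (unchanged path)\n",
	       final_index_old(4, 2), final_index_new(4, 2));
	return 0;
}
```

The error path is the same in both versions because `break` fires before either increment; only the normal-completion path differs, which is why the original bug was easy to miss.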
Thread overview: 5+ messages
2008-04-15 14:00 [PATCH] mm: Fix possible off-by-one in walk_pte_range() Johannes Weiner
2008-04-15 15:36 ` Mikael Pettersson
2008-04-15 16:16 ` Johannes Weiner [this message]
2008-04-15 21:34 ` [PATCH v2] " Matt Mackall
2008-04-16 7:48 ` Mikael Pettersson