[PATCH] Stay below upper pmd boundary on pte range walk

From: Johannes Weiner
Date: Thu Apr 10 2008 - 10:02:54 EST

Next message: Paul Jackson: "Re: [PATCH 1/3] x86: modify show_shared_cpu_map in intel_cacheinfov3"
Previous message: Jiri Kosina: "Re: file offset corruption on 32-bit machines?"
In reply to: Andreas Schwab: "Re: [PATCH] pagewalk: don't pte_unmap(NULL) in walk_pte_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Andreas Schwab <schwab@xxxxxxx> writes:

> Johannes Weiner <hannes@xxxxxxxxxxxx> writes:
>
>>> Signed-off-by: Roel Kluin <12o3l@xxxxxxxxxx>
>>> ---
>>> diff --git a/mm/pagewalk.c b/mm/pagewalk.c
>>> index 1cf1417..6615f0b 100644
>>> --- a/mm/pagewalk.c
>>> +++ b/mm/pagewalk.c
>>> @@ -15,7 +15,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
>>> break;
>>> } while (pte++, addr += PAGE_SIZE, addr != end);
>>>
>>> - pte_unmap(pte);
>>> + pte_unmap(pte - 1);
>>> return err;
>>> }
>>
>> This does not make any sense to me.
>
> There is something fishy here. If the loop ends because addr == end
> then pte has been incremented past the pmd page for addr, no?

Whoops, yes. But Roel's fix breaks if the break is taken in the first
iteration of the loop, because the pte is then out of the lower bounds
of the pmd page. Please see attached fix.

Hannes

---

After the loop in walk_pte_range() pte might point to the first address
after the pmd it walks. The pte_unmap() is then applied to something
bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@xxxxxxxxxxxx>
---

A bug is unlikely, though. kunmap_atomic() looks up the kmap entry by
map-type instead of the address the pte points. So the worst thing I
could find with a quick grep was that a wrong TLB entry is being
flushed. Still, the code is wrong :)

diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417..cf3c004 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
if (err)
break;
- } while (pte++, addr += PAGE_SIZE, addr != end);
+ } while (addr += PAGE_SIZE, addr != end && pte++);

pte_unmap(pte);
return err;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul Jackson: "Re: [PATCH 1/3] x86: modify show_shared_cpu_map in intel_cacheinfov3"
Previous message: Jiri Kosina: "Re: file offset corruption on 32-bit machines?"
In reply to: Andreas Schwab: "Re: [PATCH] pagewalk: don't pte_unmap(NULL) in walk_pte_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]