mm: fix possible off-by-one in walk_pte_range()

commit 556637cdabcd5918c7d4a1a2679b8f86fc81e891 upstream

After the loop in walk_pte_range() pte might point to the first address after
the pmd it walks.  The pte_unmap() is then applied to something bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417ef8b77bc111f2fc5b4f4c24c3fbee1f88..0afd2387e507d8f8deed9697f1971fc953f4b4b6 100644 (file)
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
        int err = 0;
 
        pte = pte_offset_map(pmd, addr);
-       do {
+       for (;;) {
                err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
                if (err)
                       break;
-       } while (pte++, addr += PAGE_SIZE, addr != end);
+               addr += PAGE_SIZE;
+               if (addr == end)
+                       break;
+               pte++;
+       }
 
        pte_unmap(pte);
        return err;