Date: Mon, 23 May 2005 17:14:06 -0700
From: Andrew Morton <akpm@osdl.org>
To: William Lee Irwin III <wli@holomorphy.com>
Cc: linux-kernel@vger.kernel.org, gregkh@suse.de,
       Hugh Dickins <hugh@veritas.com>
Subject: Re: [bugfix] try_to_unmap_cluster() passes out-of-bounds pte to
 pte_unmap()
Message-Id: <20050523171406.483cdf69.akpm@osdl.org>
In-Reply-To: <20050522212734.GF2057@holomorphy.com>
References: <20050516021302.13bd285a.akpm@osdl.org>
	<20050522212734.GF2057@holomorphy.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1132
Lines: 30

William Lee Irwin III <wli@holomorphy.com> wrote:
>
> --- ./mm/rmap.c.orig	2005-05-20 01:29:14.066467151 -0700
> +++ ./mm/rmap.c	2005-05-20 01:30:06.620649901 -0700
> @@ -694,7 +694,7 @@
>  		(*mapcount)--;
>  	}
>  
> -	pte_unmap(pte);
> +	pte_unmap(pte-1);
>  out_unlock:
>  	spin_unlock(&mm->page_table_lock);
>  }

I must say that I continue to find this approach a bit queazifying.

After some reading of the code I'd agree that yes, it's not possible for us
to get here with `pte' pointing at the first slot of the pte page, but it's
not 100% obvious and it's possible that someone will come along later and
will change things in try_to_unmap_cluster() which cause this unmap to
suddenly do the wrong thing in rare circumstances.

IOW: I'd sleep better at night if we took a temporary and actually unmapped
the thing which we we got back from pte_offset_map()..  Am I being silly?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/