Re: [REGRESSION] mm: filemap_map_pages NULL pointer dereference

Sat, 06 Feb 2016 10:19:42 -0800 

Andrew,

On Fri, Feb 05, 2016 at 02:19:40PM -0800, Andrew Morton wrote:
> On Fri, 5 Feb 2016 10:05:02 -0800 Jeremiah Mahler <jmmah...@gmail.com> wrote:
> 
[...]
> >   unable to handle kernel NULL pointer dereference
> 
> This should fix it up.
> 
[...]
> 
>  include/linux/radix-tree.h |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff -puN 
> include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry 
> include/linux/radix-tree.h
> --- 
> a/include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry
> +++ a/include/linux/radix-tree.h
> @@ -400,7 +400,7 @@ void **radix_tree_iter_retry(struct radi
>   * @iter:    pointer to radix tree iterator
>   * Returns:  current chunk size
>   */
> -static __always_inline unsigned
> +static __always_inline long
>  radix_tree_chunk_size(struct radix_tree_iter *iter)
>  {
>       return iter->next_index - iter->index;
> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
>                       return slot + offset + 1;
>               }
>       } else {
> -             unsigned size = radix_tree_chunk_size(iter) - 1;
> +             long size = radix_tree_chunk_size(iter);
>  
> -             while (size--) {
> +             while (--size > 0) {
>                       slot++;
>                       iter->index++;
>                       if (likely(*slot))
> _
> 

I have applied this patch to my kernel and so far the bug has not
come back.  Thanks for the quick fix.

Although I don't quite understand how this fixes the slot==NULL problem.
Unless I am missing something, it looks like the while loop will be
executed the same number of times but the size variable will no
longer go negative as it did before.

-- 
- Jeremiah Mahler

Reply via email to