diff options
author | Badari Pulavarty <pbadari@us.ibm.com> | 2005-06-25 17:55:42 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-06-25 19:24:39 -0400 |
commit | b0cfbd995d091b10841eeb948976f5d1fbf13cdd (patch) | |
tree | a693416656084c99581c8ef6d2ca830b0cfe13a9 | |
parent | 8ae0b77811d97552b3b3c745e97de18849583bf7 (diff) |
[PATCH] fix for generic_file_write iov problem
Here is the fix for the problem described in
http://bugzilla.kernel.org/show_bug.cgi?id=4721
Basically, problem is generic_file_buffered_write() is accessing beyond end
of the iov[] vector after handling the last vector. If we happen to cross
page boundary, we get a fault.
I think this simple patch is good enough. If we really don't want to
depend on the "count", then we need pass nr_segs to
filemap_set_next_iovec() and decrement it and check it.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | mm/filemap.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/mm/filemap.c b/mm/filemap.c index b573607b7112..c11418dd94e8 100644 --- a/mm/filemap.c +++ b/mm/filemap.c | |||
@@ -1954,7 +1954,9 @@ generic_file_buffered_write(struct kiocb *iocb, const struct iovec *iov, | |||
1954 | if (unlikely(nr_segs > 1)) { | 1954 | if (unlikely(nr_segs > 1)) { |
1955 | filemap_set_next_iovec(&cur_iov, | 1955 | filemap_set_next_iovec(&cur_iov, |
1956 | &iov_base, status); | 1956 | &iov_base, status); |
1957 | buf = cur_iov->iov_base + iov_base; | 1957 | if (count) |
1958 | buf = cur_iov->iov_base + | ||
1959 | iov_base; | ||
1958 | } else { | 1960 | } else { |
1959 | iov_base += status; | 1961 | iov_base += status; |
1960 | } | 1962 | } |