SUNRPC: Fix memory corruption issue on 32-bit highmem systems

Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.

The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().

Reported-by: Mark Young <MYoung@nvidia.com>
Reported-by: Matt Craighead <mcraighead@nvidia.com>
Cc: Bruce Fields <bfields@fieldses.org>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Matt Craighead <mcraighead@nvidia.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 75edcfad6e26..1504bb11e4f3 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
                 pgfrom_base -= copy;
 
                 vto = kmap_atomic(*pgto);
-                vfrom = kmap_atomic(*pgfrom);
-                memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+                if (*pgto != *pgfrom) {
+                        vfrom = kmap_atomic(*pgfrom);
+                        memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+                        kunmap_atomic(vfrom);
+                } else
+                        memmove(vto + pgto_base, vto + pgfrom_base, copy);
                 flush_dcache_page(*pgto);
-                kunmap_atomic(vfrom);
                 kunmap_atomic(vto);
 
         } while ((len -= copy) != 0);