aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTrond Myklebust <Trond.Myklebust@netapp.com>2008-03-31 17:02:02 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2008-04-08 21:06:50 -0400
commitdaeba89d43af0fa469d38a4ccdc32fff8ca17c2e (patch)
tree1c228b639571866d492e7ab8d5b843e41a955970
parent7180c4c9e09888db0a188f729c96c6d7bd61fa83 (diff)
SUNRPC: don't call flush_dcache_page() with an invalid pointer
Fix a problem in _copy_to_pages(), whereby it may call flush_dcache_page() with an invalid pointer due to the fact that 'pgto' gets incremented beyond the end of the page array. Fix is to exit the loop without this unnecessary increment of pgto. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--net/sunrpc/xdr.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 995c3fdc16c2..79a55d56cc98 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -244,7 +244,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
244 pgto = pages + (pgbase >> PAGE_CACHE_SHIFT); 244 pgto = pages + (pgbase >> PAGE_CACHE_SHIFT);
245 pgbase &= ~PAGE_CACHE_MASK; 245 pgbase &= ~PAGE_CACHE_MASK;
246 246
247 do { 247 for (;;) {
248 copy = PAGE_CACHE_SIZE - pgbase; 248 copy = PAGE_CACHE_SIZE - pgbase;
249 if (copy > len) 249 if (copy > len)
250 copy = len; 250 copy = len;
@@ -253,6 +253,10 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
253 memcpy(vto + pgbase, p, copy); 253 memcpy(vto + pgbase, p, copy);
254 kunmap_atomic(vto, KM_USER0); 254 kunmap_atomic(vto, KM_USER0);
255 255
256 len -= copy;
257 if (len == 0)
258 break;
259
256 pgbase += copy; 260 pgbase += copy;
257 if (pgbase == PAGE_CACHE_SIZE) { 261 if (pgbase == PAGE_CACHE_SIZE) {
258 flush_dcache_page(*pgto); 262 flush_dcache_page(*pgto);
@@ -260,8 +264,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
260 pgto++; 264 pgto++;
261 } 265 }
262 p += copy; 266 p += copy;
263 267 }
264 } while ((len -= copy) != 0);
265 flush_dcache_page(*pgto); 268 flush_dcache_page(*pgto);
266} 269}
267 270