diff options
author | Trond Myklebust <Trond.Myklebust@netapp.com> | 2013-08-28 13:35:13 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2013-08-28 15:43:43 -0400 |
commit | 347e2233b7667e336d9f671f1a52dfa3f0416e2c (patch) | |
tree | ed2ee6d0122e3bd3ce3c24ab66bb64fab6ae9de8 /net/sunrpc | |
parent | fa8218def1b1a16f0a410e2c1c767b4738cc81fa (diff) |
SUNRPC: Fix memory corruption issue on 32-bit highmem systems
Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.
The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().
Reported-by: Mark Young <MYoung@nvidia.com>
Reported-by: Matt Craighead <mcraighead@nvidia.com>
Cc: Bruce Fields <bfields@fieldses.org>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Matt Craighead <mcraighead@nvidia.com>
Diffstat (limited to 'net/sunrpc')
-rw-r--r-- | net/sunrpc/xdr.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index 75edcfad6e26..1504bb11e4f3 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c | |||
@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base, | |||
207 | pgfrom_base -= copy; | 207 | pgfrom_base -= copy; |
208 | 208 | ||
209 | vto = kmap_atomic(*pgto); | 209 | vto = kmap_atomic(*pgto); |
210 | vfrom = kmap_atomic(*pgfrom); | 210 | if (*pgto != *pgfrom) { |
211 | memmove(vto + pgto_base, vfrom + pgfrom_base, copy); | 211 | vfrom = kmap_atomic(*pgfrom); |
212 | memcpy(vto + pgto_base, vfrom + pgfrom_base, copy); | ||
213 | kunmap_atomic(vfrom); | ||
214 | } else | ||
215 | memmove(vto + pgto_base, vto + pgfrom_base, copy); | ||
212 | flush_dcache_page(*pgto); | 216 | flush_dcache_page(*pgto); |
213 | kunmap_atomic(vfrom); | ||
214 | kunmap_atomic(vto); | 217 | kunmap_atomic(vto); |
215 | 218 | ||
216 | } while ((len -= copy) != 0); | 219 | } while ((len -= copy) != 0); |