SUNRPC: don't call flush_dcache_page() with an invalid pointer
author Trond Myklebust <Trond.Myklebust@netapp.com>
Mon, 31 Mar 2008 21:02:02 +0000 (17:02 -0400)
committer Trond Myklebust <Trond.Myklebust@netapp.com>
Wed, 9 Apr 2008 01:06:50 +0000 (21:06 -0400)
Fix a problem in _copy_to_pages(), whereby it may call flush_dcache_page()
with an invalid pointer due to the fact that 'pgto' gets incremented
beyond the end of the page array. Fix is to exit the loop without this
unnecessary increment of pgto.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
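To make the off-by-one described in the commit message concrete, here is an added simulation (not kernel code and not part of this commit) that runs both loop shapes over a constructed array of four 16-byte "pages" and records which page index the final flush would receive. The page size, page count, the `fixed` selector and `final_flush_index()` are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel page array (not kernel code): 16-byte
 * "pages", indices instead of struct page pointers, and flushes only
 * recorded as the index that would be passed to flush_dcache_page(). */
#define SIM_PAGE_SIZE 16
#define SIM_NPAGES    4

/* Mirrors _copy_to_pages(): fixed == 0 is the old do/while loop, fixed != 0
 * the patched for(;;) loop. Returns the page index the final flush gets;
 * SIM_NPAGES is one past the array, i.e. the old off-by-one. */
static size_t sim_copy_to_pages(int fixed, char pages[][SIM_PAGE_SIZE],
                                size_t pgbase, const char *p, size_t len)
{
    size_t pgto = pgbase / SIM_PAGE_SIZE;  /* pages + (pgbase >> SHIFT) */
    size_t copy;
    pgbase %= SIM_PAGE_SIZE;               /* pgbase &= ~PAGE_CACHE_MASK */
    for (;;) {
        copy = SIM_PAGE_SIZE - pgbase;
        if (copy > len)
            copy = len;
        memcpy(pages[pgto] + pgbase, p, copy);  /* kmap/memcpy/kunmap */
        if (fixed) {                       /* patched: stop before advancing */
            len -= copy;
            if (len == 0)
                break;
        }
        pgbase += copy;
        if (pgbase == SIM_PAGE_SIZE) {     /* in-loop flush of a valid page */
            pgbase = 0;
            pgto++;                        /* old loop: may reach SIM_NPAGES */
        }
        p += copy;
        if (!fixed && (len -= copy) == 0)  /* old: while ((len -= copy) != 0) */
            break;
    }
    return pgto;                           /* final flush_dcache_page(*pgto) */
}

/* Copies len constructed bytes starting at byte offset pgbase into a fresh
 * page array (pgbase + len must not exceed the array) and reports which
 * page index the chosen loop flushes last. */
static size_t final_flush_index(int fixed, size_t pgbase, size_t len)
{
    char src[SIM_PAGE_SIZE * SIM_NPAGES];
    char pages[SIM_NPAGES][SIM_PAGE_SIZE];
    memset(src, 'x', sizeof src);
    return sim_copy_to_pages(fixed, pages, pgbase, src, len);
}
```

Only when the copy ends exactly on a page boundary does the old loop hand the final flush an index one past the array; when the last page is partially filled both loops agree.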
net/sunrpc/xdr.c

index 995c3fdc16c27821d2e97887a6bdba002a086321..79a55d56cc980dbe63d1caa913046414e870e926 100644
@@ -244,7 +244,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
        pgto = pages + (pgbase >> PAGE_CACHE_SHIFT);
        pgbase &= ~PAGE_CACHE_MASK;
 
-       do {
+       for (;;) {
                copy = PAGE_CACHE_SIZE - pgbase;
                if (copy > len)
                        copy = len;
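Review bot: the `do {` to `for (;;) {` change at the top of this hunk only terminates because of the `if (len == 0) break;` added further down, so a short comment above the loop (e.g. "exits via the len == 0 break once the last chunk is copied") would stop a later reader from mistaking this for an unbounded loop.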
@@ -253,6 +253,10 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
                memcpy(vto + pgbase, p, copy);
                kunmap_atomic(vto, KM_USER0);
 
+               len -= copy;
+               if (len == 0)
+                       break;
+
                pgbase += copy;
                if (pgbase == PAGE_CACHE_SIZE) {
                        flush_dcache_page(*pgto);
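Review bot: the new `len -= copy; if (len == 0) break;` sits before `pgbase += copy` and `p += copy`, so on the final iteration neither is updated; that is harmless because nothing reads them after the loop, and it is what keeps `pgto` on the page that received the last byte for the trailing flush. Worth stating that invariant in a comment (pgto always points at the last page written), since moving the break below the `pgto++` would silently reintroduce the bug.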
@@ -260,8 +264,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len)
                        pgto++;
                }
                p += copy;
-
-       } while ((len -= copy) != 0);
+       }
        flush_dcache_page(*pgto);
 }
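Review bot: with `} while ((len -= copy) != 0);` removed, `len` is now decremented exactly once per iteration inside the body, so there is no double subtraction, and the `pgto++` in this hunk's context is no longer reached after the last page is filled, which makes the final `flush_dcache_page(*pgto)` operate on a valid page. Note that the function still receives no page count, so it cannot bound-check `pgto` itself; correctness continues to depend on callers sizing `pages` for `pgbase + len`, and a one-line precondition comment on the function would make that explicit.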