From: Seth Jennings Date: Tue, 28 Feb 2012 22:02:23 +0000 (-0600) Subject: staging: zcache: fix memory corruption bug X-Git-Tag: firefly_0821_release~3680^2~3347^2~100^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=041aba19b916ddfd5254c80ef413ef8a7e76c8ad;p=firefly-linux-kernel-4.4.55.git staging: zcache: fix memory corruption bug This patch fixes a bug where the zv code writes before the allocated buffer, resulting in system memory corruption. This was introduced during the switch from xvmalloc to zsmalloc. Signed-off-by: Seth Jennings Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/zcache/zcache-main.c b/drivers/staging/zcache/zcache-main.c index 46c7c04c2451..70734652f724 100644 --- a/drivers/staging/zcache/zcache-main.c +++ b/drivers/staging/zcache/zcache-main.c @@ -701,7 +701,6 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id, u32 size = clen + sizeof(struct zv_hdr); int chunks = (size + (CHUNK_SIZE - 1)) >> CHUNK_SHIFT; void *handle = NULL; - char *buf; BUG_ON(!irqs_disabled()); BUG_ON(chunks >= NCHUNKS); @@ -710,14 +709,13 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id, goto out; atomic_inc(&zv_curr_dist_counts[chunks]); atomic_inc(&zv_cumul_dist_counts[chunks]); - zv = (struct zv_hdr *)((char *)cdata - sizeof(*zv)); + zv = zs_map_object(pool, handle); zv->index = index; zv->oid = *oid; zv->pool_id = pool_id; zv->size = clen; SET_SENTINEL(zv, ZVH); - buf = zs_map_object(pool, handle); - memcpy(buf, zv, clen + sizeof(*zv)); + memcpy((char *)zv + sizeof(struct zv_hdr), cdata, clen); zs_unmap_object(pool, handle); out: return handle;