From: Trond Myklebust Date: Mon, 31 Mar 2008 21:02:02 +0000 (-0400) Subject: SUNRPC: don't call flush_dcache_page() with an invalid pointer X-Git-Tag: firefly_0821_release~21708^2~3 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=daeba89d43af0fa469d38a4ccdc32fff8ca17c2e;p=firefly-linux-kernel-4.4.55.git SUNRPC: don't call flush_dcache_page() with an invalid pointer Fix a problem in _copy_to_pages(), whereby it may call flush_dcache_page() with an invalid pointer due to the fact that 'pgto' gets incremented beyond the end of the page array. Fix is to exit the loop without this unnecessary increment of pgto. Signed-off-by: Trond Myklebust --- diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index 995c3fdc16c2..79a55d56cc98 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -244,7 +244,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len) pgto = pages + (pgbase >> PAGE_CACHE_SHIFT); pgbase &= ~PAGE_CACHE_MASK; - do { + for (;;) { copy = PAGE_CACHE_SIZE - pgbase; if (copy > len) copy = len; @@ -253,6 +253,10 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len) memcpy(vto + pgbase, p, copy); kunmap_atomic(vto, KM_USER0); + len -= copy; + if (len == 0) + break; + pgbase += copy; if (pgbase == PAGE_CACHE_SIZE) { flush_dcache_page(*pgto); @@ -260,8 +264,7 @@ _copy_to_pages(struct page **pages, size_t pgbase, const char *p, size_t len) pgto++; } p += copy; - - } while ((len -= copy) != 0); + } flush_dcache_page(*pgto); }