[ 3.5.y.z extended stable ] Patch "SUNRPC: Fix memory corruption issue on 32-bit highmem systems" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Sep 5 10:51:11 UTC 2013

This is a note to let you know that I have just added a patch titled

    SUNRPC: Fix memory corruption issue on 32-bit highmem systems

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



>From 45908d31142a24853102ecf9f009a76280a8e5a5 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <Trond.Myklebust at netapp.com>
Date: Wed, 28 Aug 2013 13:35:13 -0400
Subject: [PATCH] SUNRPC: Fix memory corruption issue on 32-bit highmem systems

commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c upstream.

Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.

The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().

Reported-by: Mark Young <MYoung at nvidia.com>
Reported-by: Matt Craighead <mcraighead at nvidia.com>
Cc: Bruce Fields <bfields at fieldses.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
Tested-by: Matt Craighead <mcraighead at nvidia.com>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 net/sunrpc/xdr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index fddcccf..78ad0f6 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -233,10 +233,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
 		pgfrom_base -= copy;

 		vto = kmap_atomic(*pgto);
-		vfrom = kmap_atomic(*pgfrom);
-		memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+		if (*pgto != *pgfrom) {
+			vfrom = kmap_atomic(*pgfrom);
+			memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+			kunmap_atomic(vfrom);
+		} else
+			memmove(vto + pgto_base, vto + pgfrom_base, copy);
-		kunmap_atomic(vfrom);

 	} while ((len -= copy) != 0);

More information about the kernel-team mailing list