[PATCH 004/104] SUNRPC: Fix memory corruption issue on 32-bit highmem systems

Luis Henriques luis.henriques at canonical.com
Mon Sep 30 10:09:41 UTC 2013 -stable review patch.  If anyone has any objections, please let me know.


From: Trond Myklebust <Trond.Myklebust at netapp.com>

commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c upstream.

Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.

The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().

Reported-by: Mark Young <MYoung at nvidia.com>
Reported-by: Matt Craighead <mcraighead at nvidia.com>
Cc: Bruce Fields <bfields at fieldses.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
Tested-by: Matt Craighead <mcraighead at nvidia.com>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 net/sunrpc/xdr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index fddcccf..78ad0f6 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -233,10 +233,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
 		pgfrom_base -= copy;
 		vto = kmap_atomic(*pgto);
-		vfrom = kmap_atomic(*pgfrom);
-		memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+		if (*pgto != *pgfrom) {
+			vfrom = kmap_atomic(*pgfrom);
+			memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+			kunmap_atomic(vfrom);
+		} else
+			memmove(vto + pgto_base, vto + pgfrom_base, copy);
-		kunmap_atomic(vfrom);
 	} while ((len -= copy) != 0);

More information about the kernel-team mailing list