author | Seth Jennings <sjenning@linux.vnet.ibm.com> | 2012-02-28 16:02:23 -0600 |
---|---|---|
committer | Simon Shields <keepcalm444@gmail.com> | 2016-06-12 21:19:35 +1000 |
commit | 9adc7eaacb36f7d89051e604bd2f7ea6d38bf288 (patch) | |
tree | 2cc78445ed45bf01a0abd2963051c56e0c54014d /drivers/staging | |
parent | 454f258d0665aa882dd7eae0f33b5c9fff625d1c (diff) | |
staging: zcache: fix memory corruption bug
This patch fixes a bug where the zv code writes before the allocated
buffer, resulting in system memory corruption. This was introduced
during the switch from xvmalloc to zsmalloc.
Signed-off-by: Seth Jennings <sjenning@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging')
-rw-r--r-- | drivers/staging/zcache/zcache-main.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/drivers/staging/zcache/zcache-main.c b/drivers/staging/zcache/zcache-main.c
index 7915ecb..b698464 100644
--- a/drivers/staging/zcache/zcache-main.c
+++ b/drivers/staging/zcache/zcache-main.c
@@ -701,7 +701,6 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id,
 u32 size = clen + sizeof(struct zv_hdr);
 int chunks = (size + (CHUNK_SIZE - 1)) >> CHUNK_SHIFT;
 void *handle = NULL;
- char *buf;
 BUG_ON(!irqs_disabled());
 BUG_ON(chunks >= NCHUNKS);
@@ -710,14 +709,13 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id,
 goto out;
 atomic_inc(&zv_curr_dist_counts[chunks]);
 atomic_inc(&zv_cumul_dist_counts[chunks]);
- zv = (struct zv_hdr *)((char *)cdata - sizeof(*zv));
+ zv = zs_map_object(pool, handle);
 zv->index = index;
 zv->oid = *oid;
 zv->pool_id = pool_id;
 zv->size = clen;
 SET_SENTINEL(zv, ZVH);
- buf = zs_map_object(pool, handle);
- memcpy(buf, zv, clen + sizeof(*zv));
+ memcpy((char *)zv + sizeof(struct zv_hdr), cdata, clen);
 zs_unmap_object(pool, handle);
 out:
 return handle; |
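Review bot: Nothing at the new `memcpy((char *)zv + sizeof(struct zv_hdr), cdata, clen)` states that the mapped object is `clen + sizeof(struct zv_hdr)` bytes long, which is the invariant that keeps this write in bounds now that the header is built inside the zsmalloc object instead of in front of `cdata`. That length is computed as `size` at the top of zv_create (visible in the first hunk) and is presumably what the allocation call between the two hunks receives; that call is outside this view. A short comment above the copy would pin the layout, e.g. `/* object holds sizeof(*zv) + clen bytes: header first, then payload */`. The pointer returned by `zs_map_object()` is dereferenced at `zv->index = index` without a check, so if mapping can fail in this tree a guard belongs before the first header store. zv_create starts before and ends after the lines shown.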