From 041aba19b916ddfd5254c80ef413ef8a7e76c8ad Mon Sep 17 00:00:00 2001 From: Seth Jennings Date: Tue, 28 Feb 2012 16:02:23 -0600 Subject: [PATCH] staging: zcache: fix memory corruption bug This patch fixes a bug where the zv code writes before the allocated buffer, resulting in system memory corruption. This was introduced during the switch from xvmalloc to zsmalloc. Signed-off-by: Seth Jennings Signed-off-by: Greg Kroah-Hartman --- drivers/staging/zcache/zcache-main.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/staging/zcache/zcache-main.c b/drivers/staging/zcache/zcache-main.c index 46c7c04..7073465 100644 --- a/drivers/staging/zcache/zcache-main.c +++ b/drivers/staging/zcache/zcache-main.c @@ -701,7 +701,6 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id, u32 size = clen + sizeof(struct zv_hdr); int chunks = (size + (CHUNK_SIZE - 1)) >> CHUNK_SHIFT; void *handle = NULL; - char *buf; BUG_ON(!irqs_disabled()); BUG_ON(chunks >= NCHUNKS); @@ -710,14 +709,13 @@ static struct zv_hdr *zv_create(struct zs_pool *pool, uint32_t pool_id, goto out; atomic_inc(&zv_curr_dist_counts[chunks]); atomic_inc(&zv_cumul_dist_counts[chunks]); - zv = (struct zv_hdr *)((char *)cdata - sizeof(*zv)); + zv = zs_map_object(pool, handle); zv->index = index; zv->oid = *oid; zv->pool_id = pool_id; zv->size = clen; SET_SENTINEL(zv, ZVH); - buf = zs_map_object(pool, handle); - memcpy(buf, zv, clen + sizeof(*zv)); + memcpy((char *)zv + sizeof(struct zv_hdr), cdata, clen); zs_unmap_object(pool, handle); out: return handle; -- 2.7.4