The iov_iter_advance() function would look at the iov->iov_len entry
even though it might have iterated over the whole array, and iov was
pointing past the end. This would cause DEBUG_PAGEALLOC to trigger a
kernel page fault if the allocation was at the end of a page, and the
next page was unallocated.
The quick fix is to just change the order of the tests: check that there
is any iovec data left before we check the iov entry itself.
Thanks to Alexey Dobriyan for finding this case, and testing the fix.
It also does need this patch:
http://www.gossamer-threads.com/lists/linux/kernel/954043#954043
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.1
commit a6b79bb88e6682d2739aa5b4db7184038bbb32ce
Author: Linus Torvalds <email address hidden>
Date: Wed Jul 30 22:20:18 2008 +0000
Fix off-by-one error in iov_iter_advance()
commit 94ad374a0751f40d25e22e036c37f7263569d24c upstream
The iov_iter_advance() function would look at the iov->iov_len entry
even though it might have iterated over the whole array, and iov was
pointing past the end. This would cause DEBUG_PAGEALLOC to trigger a
kernel page fault if the allocation was at the end of a page, and the
next page was unallocated.
The quick fix is to just change the order of the tests: check that there
is any iovec data left before we check the iov entry itself.
Thanks to Alexey Dobriyan for finding this case, and testing the fix.
Reported-and-tested-by: Alexey Dobriyan <email address hidden>
Cc: Nick Piggin <email address hidden>
Cc: Andrew Morton <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
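
A userspace model of the test ordering the commit message describes, added here as an example: it is not the kernel's code, and struct seg, struct iter, seg_len, keep_going, advance and run are made-up names. The read past the end of the array is counted rather than performed, so the program has defined behaviour.

```c
#include <stdio.h>
#include <stddef.h>

struct seg { size_t len; };            /* models struct iovec's iov_len */
struct iter {
    const struct seg *iov, *end;       /* current entry, one past the array */
    size_t off, count;                 /* offset in entry, total bytes left */
    int oob;                           /* reads of an entry past the array */
};

/* Constructed input: three segments, the middle one empty, 12 bytes total. */
static const struct seg SEGS[3] = { {4}, {0}, {8} };

/* Models reading iov->iov_len; records a past-the-end read, never does one. */
static size_t seg_len(struct iter *it)
{
    if (it->iov >= it->end) { it->oob++; return 1; }
    return it->iov->len;
}

static int keep_going(struct iter *it, size_t bytes, int fixed)
{
    if (bytes) return 1;
    if (fixed) return it->count && !seg_len(it); /* data left? then the entry */
    return !seg_len(it);                         /* entry read unconditionally */
}

/* Assumes bytes <= it->count (assumption of this model). */
static void advance(struct iter *it, size_t bytes, int fixed)
{
    while (keep_going(it, bytes, fixed)) {
        size_t len = seg_len(it), left = len - it->off;
        size_t copy = left < bytes ? left : bytes;
        it->count -= copy; bytes -= copy; it->off += copy;
        if (it->off == len) { it->iov++; it->off = 0; }
    }
}

static struct iter run(size_t bytes, int fixed)
{
    struct iter it = { SEGS, SEGS + 3, 0, 12, 0 };
    advance(&it, bytes, fixed);
    return it;
}

int main(void)
{
    printf("old order: %d past-the-end read(s)\n", run(12, 0).oob);
    printf("new order: %d past-the-end read(s)\n", run(12, 1).oob);
    return 0;
}
```

Advancing by the full 12 bytes is the case that leaves the entry pointer one past the array; a partial advance of 4 bytes shows that the reordered test still skips the empty middle segment.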