--- /dev/null
+From jejb@kernel.org Wed Jul 30 15:30:55 2008
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Jul 2008 22:20:18 GMT
+Subject: Fix off-by-one error in iov_iter_advance()
+To: jejb@kernel.org, stable@kernel.org
+Message-ID: <200807302220.m6UMKINE029912@hera.kernel.org>
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 94ad374a0751f40d25e22e036c37f7263569d24c upstream
+
+The iov_iter_advance() function would look at the iov->iov_len entry
+even though it might have iterated over the whole array, and iov was
+pointing past the end. This would cause DEBUG_PAGEALLOC to trigger a
+kernel page fault if the allocation was at the end of a page, and the
+next page was unallocated.
+
+The quick fix is to just change the order of the tests: check that there
+is any iovec data left before we check the iov entry itself.
+
+Thanks to Alexey Dobriyan for finding this case, and testing the fix.
+
+Reported-and-tested-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Nick Piggin <npiggin@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/filemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1771,7 +1771,7 @@ void iov_iter_advance(struct iov_iter *i
+ * The !iov->iov_len check ensures we skip over unlikely
+ * zero-length segments (without overruning the iovec).
+ */
+- while (bytes || unlikely(!iov->iov_len && i->count)) {
++ while (bytes || unlikely(i->count && !iov->iov_len)) {
+ int copy;
+
+ copy = min(bytes, iov->iov_len - base);
projects / thirdparty / kernel / stable-queue.git / commitdiff
