SUNRPC: Fix pointer arithmetic bug recently introduced in rpc_malloc/free

Wed, 09 May 2007 16:03:29 -0700 

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=aa3d1faebe6e214cd96be0e587571477ff6fd9fc
Commit:     aa3d1faebe6e214cd96be0e587571477ff6fd9fc
Parent:     e70c490810dc683fad39e57cf00e69d5f120c542
Author:     Chuck Lever <[EMAIL PROTECTED]>
AuthorDate: Tue May 8 18:23:28 2007 -0400
Committer:  Trond Myklebust <[EMAIL PROTECTED]>
CommitDate: Wed May 9 17:57:59 2007 -0400

    SUNRPC: Fix pointer arithmetic bug recently introduced in rpc_malloc/free
    
    Use a cleaner method to find the size of an rpc_buffer.  This actually
    works on x86-64!
    
    Signed-off-by: Chuck Lever <[EMAIL PROTECTED]>
    Signed-off-by: Trond Myklebust <[EMAIL PROTECTED]>
---
 net/sunrpc/sched.c |   22 +++++++++++++++-------
 1 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 9901451..b28a0b0 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -736,6 +736,11 @@ static void rpc_async_schedule(struct work_struct *work)
        __rpc_execute(container_of(work, struct rpc_task, u.tk_work));
 }
 
+struct rpc_buffer {
+       size_t  len;
+       char    data[];
+};
+
 /**
  * rpc_malloc - allocate an RPC buffer
  * @task: RPC task that will use this buffer
@@ -754,18 +759,18 @@ static void rpc_async_schedule(struct work_struct *work)
  */
 void *rpc_malloc(struct rpc_task *task, size_t size)
 {
-       size_t *buf;
+       struct rpc_buffer *buf;
        gfp_t gfp = RPC_IS_SWAPPER(task) ? GFP_ATOMIC : GFP_NOWAIT;
 
-       size += sizeof(size_t);
+       size += sizeof(struct rpc_buffer);
        if (size <= RPC_BUFFER_MAXSIZE)
                buf = mempool_alloc(rpc_buffer_mempool, gfp);
        else
                buf = kmalloc(size, gfp);
-       *buf = size;
+       buf->len = size;
        dprintk("RPC: %5u allocated buffer of size %zu at %p\n",
                        task->tk_pid, size, buf);
-       return ++buf;
+       return &buf->data;
 }
 
 /**
@@ -775,15 +780,18 @@ void *rpc_malloc(struct rpc_task *task, size_t size)
  */
 void rpc_free(void *buffer)
 {
-       size_t size, *buf = buffer;
+       size_t size;
+       struct rpc_buffer *buf;
 
        if (!buffer)
                return;
-       size = *buf;
-       buf--;
+
+       buf = container_of(buffer, struct rpc_buffer, data);
+       size = buf->len;
 
        dprintk("RPC:       freeing buffer of size %zu at %p\n",
                        size, buf);
+
        if (size <= RPC_BUFFER_MAXSIZE)
                mempool_free(buf, rpc_buffer_mempool);
        else
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to