[PATCH] fix empty_zero_page misusage

From: Heiko Carstens
Date: Fri Nov 15 2013 - 06:14:55 EST

Next message: Martin Schwidefsky: "Re: [PATCH 2/2] s390/mm,tlb: race of lazy TLB flush vs. recreationof TLB entries"
Previous message: Geert Uytterhoeven: "Re: [RFC][PATCH 11/13] dump_skip(): dump_seek() replacement taking coredump_params"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The definition of empty_zero_page is architecture specific.
It is (currently) either a character array, an unsigned long containing
the address of the empty_zero_page, or even worse only the address
of the struct page belonging to the empty_zero_page.

So using empty_zero_page as source address to e.g. clear something may
give random results.
ZERO_PAGE() however returns across all architectures the pointer to
the struct page belonging to the empty_zero_page.

Signed-off-by: Heiko Carstens <heiko.carstens@xxxxxxxxxx>
---
drivers/spi/spi-fsl-cpm.c | 3 ++-
fs/btrfs/ioctl.c | 4 +++-
virt/kvm/kvm_main.c | 5 +++--
3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-fsl-cpm.c b/drivers/spi/spi-fsl-cpm.c
index 54b06376f03c..3807bbf8a48f 100644
--- a/drivers/spi/spi-fsl-cpm.c
+++ b/drivers/spi/spi-fsl-cpm.c
@@ -280,6 +280,7 @@ static unsigned long fsl_spi_cpm_get_pram(struct mpc8xxx_spi *mspi)

int fsl_spi_cpm_init(struct mpc8xxx_spi *mspi)
{
+ const void *zero_page = (const void *) page_to_phys(ZERO_PAGE(0));
struct device *dev = mspi->dev;
struct device_node *np = dev->of_node;
const u32 *iprop;
@@ -324,7 +325,7 @@ int fsl_spi_cpm_init(struct mpc8xxx_spi *mspi)
goto err_bds;
}

- mspi->dma_dummy_tx = dma_map_single(dev, empty_zero_page, PAGE_SIZE,
+ mspi->dma_dummy_tx = dma_map_single(dev, zero_page, PAGE_SIZE,
DMA_TO_DEVICE);
if (dma_mapping_error(dev, mspi->dma_dummy_tx)) {
dev_err(dev, "unable to map dummy tx buffer\n");
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 1d04b5559e61..83f2b3e4fbf0 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -368,8 +368,10 @@ static noinline int btrfs_ioctl_fitrim(struct file *file, void __user *arg)

int btrfs_is_empty_uuid(u8 *uuid)
{
+ const void *zero_page = (const void *) page_to_phys(ZERO_PAGE(0));
+
BUILD_BUG_ON(BTRFS_UUID_SIZE > PAGE_SIZE);
- return !memcmp(uuid, empty_zero_page, BTRFS_UUID_SIZE);
+ return !memcmp(uuid, zero_page, BTRFS_UUID_SIZE);
}

static noinline int create_subvol(struct inode *dir,
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 662f34c3287e..01edf1c19332 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1615,8 +1615,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);

int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len)
{
- return kvm_write_guest_page(kvm, gfn, (const void *) empty_zero_page,
- offset, len);
+ const void *zero_page = (const void *) page_to_phys(ZERO_PAGE(0));
+
+ return kvm_write_guest_page(kvm, gfn, zero_page, offset, len);
}
EXPORT_SYMBOL_GPL(kvm_clear_guest_page);

--
1.8.3.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Martin Schwidefsky: "Re: [PATCH 2/2] s390/mm,tlb: race of lazy TLB flush vs. recreationof TLB entries"
Previous message: Geert Uytterhoeven: "Re: [RFC][PATCH 11/13] dump_skip(): dump_seek() replacement taking coredump_params"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]