From: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date: Fri, 3 Apr 2009 04:35:12 +0000 (+0000)
Subject: mm: do_xip_mapping_read: fix length calculation
X-Git-Tag: v2.6.27.22~39
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e655a1eaa988bc55739f47d62ab0658c1364458a;p=pandora-kernel.git

mm: do_xip_mapping_read: fix length calculation

upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8

The calculation of the value nr in do_xip_mapping_read is incorrect.  If
the copy required more than one iteration in the do while loop the copies
variable will be non-zero.  The maximum length that may be passed to the
call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the
check only compares against (nr > len).

This bug is the cause for the heap corruption Carsten has been chasing
for so long:
---

Reading git-diff-tree failed