Sophie

kernel-2.6.18-238.el5.src.rpm

From: Bob Peterson <rpeterso@redhat.com>
Date: Tue, 24 Jun 2008 17:03:44 -0500
Subject: [gfs2] bad subtraction in while-loop can cause panic
Message-id: 1214345024.24741.13.camel@technetium.msp.redhat.com
O-Subject: [RHEL5.3 PATCH] GFS2: BUG: unable to handle kernel paging request at ffff81002690e000
Bugzilla: 452004
RH-Acked-by: Mikulas Patocka <mpatocka@redhat.com>
RH-Acked-by: Steven Whitehouse <swhiteho@redhat.com>

Hi,

This patch fixes bug 452004.  The code is now upstream and tested.

The intent was to stop the while loop one "unsigned long" less than
the end, but the cast to (unsigned char *) made it one byte rather
than one unsigned long.  That meant it did not exit when it should
have and that caused the kernel to BUG out under some page
boundary conditions.

Regards,

Bob Peterson
Red Hat GFS

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
--

diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 0100533..5c8678a 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -186,7 +186,7 @@ ulong_aligned:
 	   depending on architecture.  I've experimented with several ways
 	   of writing this section such as using an else before the goto
 	   but this one seems to be the fastest. */
-	while ((unsigned char *)plong < end - 1) {
+	while ((unsigned char *)plong < end - sizeof(unsigned long)) {
 		prefetch(plong + 1);
 		if (((*plong) & LBITMASK) != lskipval)
 			break;