Convert to use vm_insert_range() to map range of kernel memory to user vma. map->count is passed to vm_insert_range and internal API verify map->count against count ( count = vma_pages(vma)) for page array boundary overrun. With this count is not needed inside gntdev_mmap() and it could be replaced with vma_pages(vma). Signed-off-by: Souptick Joarder <jrdr.linux@xxxxxxxxx> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> --- drivers/xen/gntdev.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index 5efc5ee..a930309 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -1082,18 +1082,17 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) { struct gntdev_priv *priv = flip->private_data; int index = vma->vm_pgoff; - int count = vma_pages(vma); struct gntdev_grant_map *map; - int i, err = -EINVAL; + int err = -EINVAL; if ((vma->vm_flags & VM_WRITE) && !(vma->vm_flags & VM_SHARED)) return -EINVAL; pr_debug("map %d+%d at %lx (pgoff %lx)\n", - index, count, vma->vm_start, vma->vm_pgoff); + index, vma_pages(vma), vma->vm_start, vma->vm_pgoff); mutex_lock(&priv->lock); - map = gntdev_find_map_index(priv, index, count); + map = gntdev_find_map_index(priv, index, vma_pages(vma)); if (!map) goto unlock_out; if (use_ptemod && map->vma) @@ -1145,12 +1144,9 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) goto out_put_map; if (!use_ptemod) { - for (i = 0; i < count; i++) { - err = vm_insert_page(vma, vma->vm_start + i*PAGE_SIZE, - map->pages[i]); - if (err) - goto out_put_map; - } + err = vm_insert_range(vma, map->pages, map->count); + if (err) + goto out_put_map; } else { #ifdef CONFIG_X86 /* -- 1.9.1