aboutsummaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorBjoern A. Zeeb <bz@FreeBSD.org>2021-06-07 15:00:19 +0000
committerBjoern A. Zeeb <bz@FreeBSD.org>2021-06-18 21:20:10 +0000
commitedfcdffefc1671b7688c8806ae1f59484954dcc7 (patch)
treeef41b24f28a5893bf51a07e593e2b9376b590df9 /sys
parentd4a4960c6559caa890af0901a21296e75b961210 (diff)
downloadsrc-edfcdffefc1671b7688c8806ae1f59484954dcc7.tar.gz
src-edfcdffefc1671b7688c8806ae1f59484954dcc7.zip
LinuxKPI: fix sg_pcopy_from_buffer()
In sg_pcopy_from_buffer() is an error in that skip can underflow and lead to bogus page arithmetics which may lead to memory corruption or more likely panics. Once we found a s/g page to copy into there is nothing to skip anymore so simply set skip to 0. Sponsored by: The FreeBSD Foundation MFC after: 5 days Reviewed by: hselasky Differential Revision: https://reviews.freebsd.org/D30676
Diffstat (limited to 'sys')
-rw-r--r--sys/compat/linuxkpi/common/include/linux/scatterlist.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/compat/linuxkpi/common/include/linux/scatterlist.h b/sys/compat/linuxkpi/common/include/linux/scatterlist.h
index ebf0632f6f58..5e42876facd0 100644
--- a/sys/compat/linuxkpi/common/include/linux/scatterlist.h
+++ b/sys/compat/linuxkpi/common/include/linux/scatterlist.h
@@ -520,12 +520,13 @@ sg_pcopy_from_buffer(struct scatterlist *sgl, unsigned int nents,
memcpy(p, b, len);
sf_buf_free(sf);
+ /* We copied so nothing more to skip. */
+ skip = 0;
copied += len;
/* Either we exactly filled the page, or we are done. */
buflen -= len;
if (buflen == 0)
break;
- skip -= len;
b += len;
}
sched_unpin();