9p/virtio: fix off-by-one error in sg list bounds check
authorjiangyiwen <jiangyiwen@huawei.com>
Fri, 3 Aug 2018 04:11:34 +0000 (12:11 +0800)
committerDominique Martinet <dominique.martinet@cea.fr>
Mon, 13 Aug 2018 00:35:28 +0000 (09:35 +0900)
Because the value of limit is VIRTQUEUE_NUM, if index is equal to
limit, it will cause sg array out of bounds, so correct the judgement
of BUG_ON.

Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reported-By: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jun Piao <piaojun@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
net/9p/trans_virtio.c

index 6265d1d62749322c43214c42fceffab3537362b0..08264bae3f5da92780677923bf7fc36deb0cabf1 100644 (file)
@@ -191,7 +191,7 @@ static int pack_sg_list(struct scatterlist *sg, int start,
                s = rest_of_page(data);
                if (s > count)
                        s = count;
                s = rest_of_page(data);
                if (s > count)
                        s = count;
-               BUG_ON(index > limit);
+               BUG_ON(index >= limit);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_buf(&sg[index++], data, s);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_buf(&sg[index++], data, s);
@@ -236,6 +236,7 @@ pack_sg_list_p(struct scatterlist *sg, int start, int limit,
                s = PAGE_SIZE - data_off;
                if (s > count)
                        s = count;
                s = PAGE_SIZE - data_off;
                if (s > count)
                        s = count;
+               BUG_ON(index >= limit);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_page(&sg[index++], pdata[i++], s, data_off);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_page(&sg[index++], pdata[i++], s, data_off);