author | Sasha Levin <levinsasha928@gmail.com> | 2012-06-11 10:18:13 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-06-22 11:37:15 -0700 |
commit | eef458cb6f020f165de00a5e284048be49e9ee27 (patch) | |
tree | 215f347c4810812b00b5a3ce903584cdf0c1ef6e /net/9p | |
parent | 9f138fc8bc57beedc154729260f909ff60490296 (diff) |
9p: BUG before corrupting memory
commit 5fcb08befaf57faa1b00e514915c1660252b8c26 upstream.
The BUG_ON() in pack_sg_list() would get triggered only one time after we've
corrupted some memory by sg_set_buf() into an invalid sg buffer.
I'm still working on figuring out why I manage to trigger that bug...
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/9p')
-rw-r--r-- | net/9p/trans_virtio.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 3d432068f62..052d343d43f 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterlist *sg, int start, s = rest_of_page(data); if (s > count) s = count; + BUG_ON(index > limit); sg_set_buf(&sg[index++], data, s); count -= s; data += s; - BUG_ON(index > limit); } return index-start; |
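Review bot: The relocated `BUG_ON(index > limit);` now sits directly before `sg_set_buf(&sg[index++], data, s);`, but the comparison still lets index == limit through. If limit is the number of usable entries in sg (an assumption, since the parameter list is cut off in the hunk header), that iteration stores into sg[limit], one element past the end, before anything trips. Consider `BUG_ON(index >= limit);` so the check fires ahead of the first out-of-bounds store. Since the commit message says the trigger is not yet understood, a one-line comment above the check stating that it guards the sg array bound would also help whoever hits it next.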