author | Sasha Levin <levinsasha928@gmail.com> | 2012-06-11 11:18:13 -0400 |
---|---|---|
committer | Eric Van Hensbergen <ericvh@gmail.com> | 2012-06-11 11:29:07 -0400 |
commit | 5fcb08befaf57faa1b00e514915c1660252b8c26 (patch) | |
tree | 54abef34e956941690032cb34fdc75ecd463c830 | |
parent | 4e3c8a1b1c63482403e9d5e3148dee1a711e4b91 (diff) |
9p: BUG before corrupting memory
The BUG_ON() in pack_sg_list() would get triggered only one time after we've
corrupted some memory by sg_set_buf() into an invalid sg buffer.
I'm still working on figuring out why I manage to trigger that bug...
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
-rw-r--r-- | net/9p/trans_virtio.c | 2 |
1 files changed, 1 insertions, 1 deletions
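--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterlist *sg, int start,
 s = rest_of_page(data);
 if (s > count)
 s = count;
+BUG_ON(index > limit);
 sg_set_buf(&sg[index++], data, s);
 count -= s;
 data += s;
-BUG_ON(index > limit);
 }
 
 return index-start;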
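Review bot: With the check now placed ahead of `sg_set_buf(&sg[index++], data, s)`, the unchanged condition `index > limit` still lets `index == limit` through. If `limit` is the number of entries in `sg` (inferred, since the signature is cut off in the hunk header), the write lands one element past the array before anything trips. In the old post-increment position `>` was the right comparison; as a pre-write guard it should be `BUG_ON(index >= limit);`. A short comment such as `/* sg[] holds limit entries; never write at or beyond it */` would record the invariant for the next reader. The loop and the signature of pack_sg_list begin outside the hunk, so the exact meaning of `limit` should be confirmed against the callers.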