diff options
author | Sasha Levin <levinsasha928@gmail.com> | 2012-06-11 11:18:13 -0400 |
---|---|---|
committer | Eric Van Hensbergen <ericvh@gmail.com> | 2012-06-11 11:29:07 -0400 |
commit | 5fcb08befaf57faa1b00e514915c1660252b8c26 (patch) | |
tree | 54abef34e956941690032cb34fdc75ecd463c830 /net/9p | |
parent | 4e3c8a1b1c63482403e9d5e3148dee1a711e4b91 (diff) |
9p: BUG before corrupting memory
The BUG_ON() in pack_sg_list() would get triggered only one time after we've
corrupted some memory by sg_set_buf() into an invalid sg buffer.
I'm still working on figuring out why I manage to trigger that bug...
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Diffstat (limited to 'net/9p')
-rw-r--r-- | net/9p/trans_virtio.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 5af18d11b518..2a167658bb95 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c | |||
@@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterlist *sg, int start, | |||
192 | s = rest_of_page(data); | 192 | s = rest_of_page(data); |
193 | if (s > count) | 193 | if (s > count) |
194 | s = count; | 194 | s = count; |
195 | BUG_ON(index > limit); | ||
195 | sg_set_buf(&sg[index++], data, s); | 196 | sg_set_buf(&sg[index++], data, s); |
196 | count -= s; | 197 | count -= s; |
197 | data += s; | 198 | data += s; |
198 | BUG_ON(index > limit); | ||
199 | } | 199 | } |
200 | 200 | ||
201 | return index-start; | 201 | return index-start; |