diff options
author | Sasha Levin <levinsasha928@gmail.com> | 2012-06-11 10:18:13 -0500 |
---|---|---|
committer | Eric Van Hensbergen <ericvh@gmail.com> | 2012-06-11 10:29:07 -0500 |
commit | 5fcb08befaf57faa1b00e514915c1660252b8c26 (patch) | |
tree | 54abef34e956941690032cb34fdc75ecd463c830 | |
parent | 4e3c8a1b1c63482403e9d5e3148dee1a711e4b91 (diff) | |
download | op-kernel-dev-5fcb08befaf57faa1b00e514915c1660252b8c26.zip op-kernel-dev-5fcb08befaf57faa1b00e514915c1660252b8c26.tar.gz |
9p: BUG before corrupting memory
The BUG_ON() in pack_sg_list() would get triggered only one time after we've
corrupted some memory by sg_set_buf() into an invalid sg buffer.
I'm still working on figuring out why I manage to trigger that bug...
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
-rw-r--r-- | net/9p/trans_virtio.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 5af18d1..2a16765 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterlist *sg, int start, s = rest_of_page(data); if (s > count) s = count; + BUG_ON(index > limit); sg_set_buf(&sg[index++], data, s); count -= s; data += s; - BUG_ON(index > limit); } return index-start; |