d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

linuxkpi: Fix __sg_alloc_table_from_pages loop

Browse Source 
Commit 3e0856b63f updated
__sg_alloc_table_from_pages to use the same API as linux, but modified
the loop condition when going over the pages in a sg list. Part of the
change included moving the sg_next call out of the for loop and into the
body, which causes an off by one error when traversing the list. Since
sg_next is called before the loop body it will skip the first element
and read one past the last element.

This caused panics when running PRIME with nvidia-drm as the off-by-one
issue causes a NULL dereference.

Reviewed by:	bz, hselasky
Differential Revision:	https://reviews.freebsd.org/D39628
Fixes:	3e0856b63f ("linuxkpi: Fix `sg_alloc_table_from_pages()` to have the same API as Linux")
This commit is contained in:
Austin Shafer 2023-04-21 09:56:50 +02:00 committed by Emmanuel Vadot
parent 9abba78acc
commit 3f686532c9
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/compat/linuxkpi/common/include/linux/scatterlist.h
View File

@ -383,8 +383,6 @@ __sg_alloc_table_from_pages(struct sg_table *sgt,
unsigned long seg_size;
unsigned int j;
s = sg_next(s);
len = 0;
for (j = cur + 1; j < count; ++j) {
len += PAGE_SIZE;
@ -398,6 +396,8 @@ __sg_alloc_table_from_pages(struct sg_table *sgt,
size -= seg_size;
off = 0;
cur = j;
s = sg_next(s);
}
KASSERT(s != NULL, ("s is NULL after loop in __sg_alloc_table_from_pages()"));