From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Return-Path: Subject: Patch "9p: BUG before corrupting memory" has been added to the 3.4-stable tree To: levinsasha928@gmail.com,ericvh@gmail.com,gregkh@linuxfoundation.org Cc: , From: Date: Wed, 20 Jun 2012 10:00:13 -0700 Message-ID: <1340211613617@kroah.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ASCII Content-Transfer-Encoding: 8bit List-ID: This is a note to let you know that I've just added the patch titled 9p: BUG before corrupting memory to the 3.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: 9p-bug-before-corrupting-memory.patch and it can be found in the queue-3.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 5fcb08befaf57faa1b00e514915c1660252b8c26 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 11 Jun 2012 10:18:13 -0500 Subject: 9p: BUG before corrupting memory From: Sasha Levin commit 5fcb08befaf57faa1b00e514915c1660252b8c26 upstream. The BUG_ON() in pack_sg_list() would get triggered only one time after we've corrupted some memory by sg_set_buf() into an invalid sg buffer. I'm still working on figuring out why I manage to trigger that bug... Signed-off-by: Sasha Levin Signed-off-by: Eric Van Hensbergen Signed-off-by: Greg Kroah-Hartman --- net/9p/trans_virtio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterli s = rest_of_page(data); if (s > count) s = count; + BUG_ON(index > limit); sg_set_buf(&sg[index++], data, s); count -= s; data += s; - BUG_ON(index > limit); } return index-start; Patches currently in stable-queue which might be from levinsasha928@gmail.com are queue-3.4/9p-bug-before-corrupting-memory.patch
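Review bot: the relocated check `BUG_ON(index > limit);` directly above `sg_set_buf(&sg[index++], data, s);` still lets the write proceed when `index == limit`. The hunk does not show how `limit` is defined; if it is the number of entries in `sg` rather than the last valid index, `sg[limit]` is one past the end and the condition should be `index >= limit`. The old placement, after `index++`, had the same boundary behaviour, so moving the check does not by itself settle this; please confirm the meaning of `limit` against the callers. Separately, the commit message says the trigger is not yet understood, so it would be worth considering whether a 9p request that needs more sg entries than are available can be failed with an error return from `pack_sg_list()` instead of halting the machine with `BUG_ON()`.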