From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Christophe Leroy, Herbert Xu
Subject: [PATCH 4.19 203/271] lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
Date: Wed, 24 Jul 2019 21:21:12 +0200
Message-Id: <20190724191712.488750749@linuxfoundation.org>

From: Christophe Leroy

commit aeb87246537a83c2aff482f3f34a2e0991e02cbc upstream.

All mapping iterator logic is based on the assumption that sg->offset is always lower than PAGE_SIZE.

But there are situations where sg->offset is such that the SG item is on the second page. In that case sg_copy_to_buffer() fails to properly copy the data into the buffer. One of the reasons is that the data will be outside the kmapped area used to access that data.

This patch fixes the issue by adjusting the mapping iterator offset and pgoffset fields such that offset is always lower than PAGE_SIZE.

Signed-off-by: Christophe Leroy
Fixes: 4225fc8555a9 ("lib/scatterlist: use page iterator in the mapping iterator")
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- lib/scatterlist.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/lib/scatterlist.c +++ b/lib/scatterlist.c 
@@ -652,17 +652,18 @@ static bool sg_miter_get_next_page(struc { if (!miter->__remaining) { struct scatterlist *sg; - unsigned long pgoffset; if (!__sg_page_iter_next(&miter->piter)) return false; sg = miter->piter.sg; - pgoffset = miter->piter.sg_pgoffset; - miter->__offset = pgoffset ? 0 : sg->offset; + miter->__offset = miter->piter.sg_pgoffset ? 0 : sg->offset; + miter->piter.sg_pgoffset += miter->__offset >> PAGE_SHIFT; + miter->__offset &= PAGE_SIZE - 1; miter->__remaining = sg->offset + sg->length - - (pgoffset << PAGE_SHIFT) - miter->__offset; + (miter->piter.sg_pgoffset << PAGE_SHIFT) - + miter->__offset; miter->__remaining = min_t(unsigned long, miter->__remaining, PAGE_SIZE - miter->__offset); }
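
Review bot: The two added lines in sg_miter_get_next_page() that fold the offset into miter->piter.sg_pgoffset and then mask miter->__offset with PAGE_SIZE - 1 have no comment, and they make the mapping iterator write to the page iterator's state, where the removed local pgoffset only read it. A short comment above `miter->piter.sg_pgoffset += miter->__offset >> PAGE_SHIFT;` saying that the offset is normalised so that __offset stays below PAGE_SIZE would record the invariant the commit message describes. The `PAGE_SIZE - miter->__offset` term in the min_t() call that follows depends on that invariant, so it is worth stating next to the code rather than only in the changelog.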