9p/virtio: fix off-by-one error in sg list bounds check

commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream.

Because the value of limit is VIRTQUEUE_NUM, if index is equal to
limit, it will cause sg array out of bounds, so correct the judgement
of BUG_ON.

Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com
Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reported-By: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jun Piao <piaojun@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index a03336e..da0d3b2 100644 (file)
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -189,7 +189,7 @@ static int pack_sg_list(struct scatterlist *sg, int start,
                s = rest_of_page(data);
                if (s > count)
                        s = count;
-               BUG_ON(index > limit);
+               BUG_ON(index >= limit);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_buf(&sg[index++], data, s);
@@ -234,6 +234,7 @@ pack_sg_list_p(struct scatterlist *sg, int start, int limit,
                s = PAGE_SIZE - data_off;
                if (s > count)
                        s = count;
+               BUG_ON(index >= limit);
                /* Make sure we don't terminate early. */
                sg_unmark_end(&sg[index]);
                sg_set_page(&sg[index++], pdata[i++], s, data_off);