From: "Christian A. Ehrhardt"
To: David Howells, Andrew Morton, linux-kernel@vger.kernel.org
Cc: "Christian A. Ehrhardt", Kees Cook, Petr Mladek, David Gow
Subject: [PATCH v3 2/5] lib/scatterlist: Fix temp buffer in extract_user_to_sg()
Date: Thu, 26 Mar 2026 22:49:02 +0100
Message-Id: <20260326214905.818170-3-lk@c--e.de>
In-Reply-To: <20260326214905.818170-1-lk@c--e.de>
References: <20260326214905.818170-1-lk@c--e.de>

Instead of allocating a temporary buffer for extracted user pages extract_user_to_sg() uses the end of the to be filled scatterlist as a temporary buffer.

Fix the calculation of the start address if the scatterlist already contains elements. The unused space starts at sgtable->sgl + sgtable->nents not directly at sgtable->nents and the temporary buffer is placed at the end of this unused space.

A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.

Pointed out by sashiko.dev on a previous iteration of this series.

Cc: David Howells
Cc: Andrew Morton
Cc: stable@vger.kernel.org # v6.5+
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt
--- lib/scatterlist.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/scatterlist.c b/lib/scatterlist.c index befdc4b9c11d..b7fe91ef35b8 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c
@@ -1123,8 +1123,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *it= er, size_t len, off; =20 /* We decant the page list into the tail of the scatterlist */ - pages =3D (void *)sgtable->sgl + - array_size(sg_max, sizeof(struct scatterlist)); + pages =3D (void *)sg + array_size(sg_max, sizeof(struct scatterlist)); pages -=3D sg_max; =20 do { --=20 2.43.0
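Review bot: The new "pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist));" line is only correct if sg still points at the first unused entry (sgtable->sgl + sgtable->nents, per the commit message) and sg_max counts only the entries that remain from there; neither assignment is visible in this hunk, and the comment above the line still only says "the tail of the scatterlist". Consider extending that comment to state that the tail is measured from the first unused entry, so a later change that advances sg or redefines sg_max before this point does not silently bring back a wrong start address. Separately, the commit message's "not directly at sgtable->nents" reads as if it means sgtable->sgl, which is the base the removed line used; worth rewording before this goes to stable.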