[PATCH v3 2/5] lib/scatterlist: Fix temp buffer in extract_user_to_sg()

Next message: Christian A. Ehrhardt: "[PATCH v3 3/5] lib: kunit_iov_iter: Fix memory leaks"
Previous message: Christian A. Ehrhardt: "[PATCH v3 0/5] Fix bugs in extract_iter_to_sg()"
In reply to: Christian A. Ehrhardt: "[PATCH v3 1/5] lib/scatterlist: Fix length calculations in extract_kvec_to_sg"
Next in thread: Christian A. Ehrhardt: "[PATCH v3 3/5] lib: kunit_iov_iter: Fix memory leaks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christian A. Ehrhardt

Date: Thu Mar 26 2026 - 17:51:02 EST

Instead of allocating a temporary buffer for extracted
user pages extract_user_to_sg() uses the end of the
to be filled scatterlist as a temporary buffer.

Fix the calculation of the start address if the scatterlist
already contains elements. The unused space starts at
sgtable->sgl + sgtable->nents not directly at sgtable->nents
and the temporary buffer is placed at the end of this unused
space.

A subsequent commit will add kunit test cases that
demonstrate that the patch is necessary.

Pointed out by sashiko.dev on a previous iteration of this series.

Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # v6.5+
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@xxxxxxx>
---
lib/scatterlist.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index befdc4b9c11d..b7fe91ef35b8 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1123,8 +1123,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
size_t len, off;

/* We decant the page list into the tail of the scatterlist */
- pages = (void *)sgtable->sgl +
- array_size(sg_max, sizeof(struct scatterlist));
+ pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist));
pages -= sg_max;

do {
--
2.43.0