git: d2c8c4d15a6e - stable/13 - LinuxKPI: fix sg_pcopy_from_buffer()

[Bjoern A. Zeeb]

The branch stable/13 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=d2c8c4d15a6e65657b52b058b38d609e65202ad4

commit d2c8c4d15a6e65657b52b058b38d609e65202ad4
Author:     Bjoern A. Zeeb <bz at FreeBSD.org>
AuthorDate: 2021-06-07 15:00:19 +0000
Commit:     Bjoern A. Zeeb <bz at FreeBSD.org>
CommitDate: 2021-07-18 00:35:04 +0000

    LinuxKPI: fix sg_pcopy_from_buffer()
    
    In sg_pcopy_from_buffer() is an error in that skip can underflow
    and lead to bogus page arithmetics which may lead to memory corruption
    or more likely panics.  Once we found a s/g page to copy into there
    is nothing to skip anymore so simply set skip to 0.
    
    Sponsored by:   The FreeBSD Foundation
    Reviewed by:    hselasky
    Differential Revision: https://reviews.freebsd.org/D30676
    
    (cherry picked from commit edfcdffefc1671b7688c8806ae1f59484954dcc7)
---
 sys/compat/linuxkpi/common/include/linux/scatterlist.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/compat/linuxkpi/common/include/linux/scatterlist.h b/sys/compat/linuxkpi/common/include/linux/scatterlist.h
index ebf0632f6f58..5e42876facd0 100644
--- a/sys/compat/linuxkpi/common/include/linux/scatterlist.h
+++ b/sys/compat/linuxkpi/common/include/linux/scatterlist.h
@@ -520,12 +520,13 @@ sg_pcopy_from_buffer(struct scatterlist *sgl, unsigned int nents,
 		memcpy(p, b, len);
 		sf_buf_free(sf);
 
+		/* We copied so nothing more to skip. */
+		skip = 0;
 		copied += len;
 		/* Either we exactly filled the page, or we are done. */
 		buflen -= len;
 		if (buflen == 0)
 			break;
-		skip -= len;
 		b += len;
 	}
 	sched_unpin();