Fix a bug in copy_from_bounce_buffer(). Signed-off-by: K. Y. Srinivasan <kys@xxxxxxxxxxxxx> Signed-off-by: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx> --- drivers/staging/hv/storvsc_drv.c | 24 ++++++++++++++++++++++-- 1 files changed, 22 insertions(+), 2 deletions(-) diff --git a/drivers/staging/hv/storvsc_drv.c b/drivers/staging/hv/storvsc_drv.c index 8dafe52..c22de06 100644 --- a/drivers/staging/hv/storvsc_drv.c +++ b/drivers/staging/hv/storvsc_drv.c @@ -880,7 +880,8 @@ cleanup: /* Assume the original sgl has enough room */ static unsigned int copy_from_bounce_buffer(struct scatterlist *orig_sgl, struct scatterlist *bounce_sgl, - unsigned int orig_sgl_count) + unsigned int orig_sgl_count, + unsigned int bounce_sgl_count) { int i; int j = 0; @@ -921,6 +922,24 @@ static unsigned int copy_from_bounce_buffer(struct scatterlist *orig_sgl, kunmap_atomic((void *)bounce_addr, KM_IRQ0); j++; + /* + * It is possible that the number of elements + * in the bounce buffer may not be equal to + * the number of elements in the original + * scatter list. Handle this correctly. + */ + + if (j == bounce_sgl_count) { + /* + * We are done; cleanup and return. + */ + kunmap_atomic((void *)(dest_addr - + orig_sgl[i].offset), + KM_IRQ0); + local_irq_restore(flags); + return total_copied; + } + /* if we need to use another bounce buffer */ if (destlen || i != orig_sgl_count - 1) bounce_addr = @@ -1126,7 +1145,8 @@ static void storvsc_command_completion(struct hv_storvsc_request *request) if (vm_srb->data_in == READ_TYPE) copy_from_bounce_buffer(scsi_sglist(scmnd), cmd_request->bounce_sgl, - scsi_sg_count(scmnd)); + scsi_sg_count(scmnd), + cmd_request->bounce_sgl_count); destroy_bounce_buffer(cmd_request->bounce_sgl, cmd_request->bounce_sgl_count); } -- 1.7.4.1 -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html