On Sun, Aug 09, 2020 at 10:34:06PM +0200, Christophe JAILLET wrote:
> When '*sgt' is allocated, we must allocate 'sizeof(**sgt)' bytes instead of 'sizeof(*sg)'. 'sg' (i.e. struct scatterlist) is smaller than 'sgt' (i.e. struct sg_table), so this could lead to memory corruption.
The sizeof(*sg) is bigger than sizeof(**sgt) so this wastes memory but it won't lead to corruption.
    struct scatterlist {
            unsigned long   page_link;
            unsigned int    offset;
            unsigned int    length;
            dma_addr_t      dma_address;
    #ifdef CONFIG_NEED_SG_DMA_LENGTH
            unsigned int    dma_length;
    #endif
    };

    struct sg_table {
            struct scatterlist *sgl;        /* the list */
            unsigned int nents;             /* number of mapped entries */
            unsigned int orig_nents;        /* original size of list */
    };
regards, dan carpenter
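A small check of the size argument above, added here as an illustration and not part of the thread: it reproduces the two struct layouts Dan quoted so the sizes can be compared on a userspace build, and then allocates an sg_table the way the buggy code did to show that the mismatch is an over-allocation rather than an under-allocation. dma_addr_t is assumed to be a 64-bit integer (as on x86-64 kernels), and the kernel's CONFIG_NEED_SG_DMA_LENGTH is modelled by a plain NEED_SG_DMA_LENGTH macro; both are assumptions, not from the page. The helper names are invented for the example.

```c
/* Added example, not code from the thread or the kernel tree. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 64-bit DMA addresses, as on x86-64 kernel builds. */
typedef unsigned long long dma_addr_t;

/* Layout copied from the struct quoted in the reply above. */
struct scatterlist {
    unsigned long page_link;
    unsigned int offset;
    unsigned int length;
    dma_addr_t dma_address;
#ifdef NEED_SG_DMA_LENGTH            /* stands in for CONFIG_NEED_SG_DMA_LENGTH */
    unsigned int dma_length;
#endif
};

struct sg_table {
    struct scatterlist *sgl;        /* the list */
    unsigned int nents;             /* number of mapped entries */
    unsigned int orig_nents;        /* original size of list */
};

/* Bytes handed out by the buggy kzalloc(sizeof(*sg), ...) when sg is a
 * struct scatterlist *. sizeof does not evaluate its operand, so the NULL
 * pointer is never dereferenced. */
size_t buggy_alloc_size(void)
{
    struct scatterlist *sg = NULL;
    return sizeof(*sg);
}

/* Bytes the object actually needs: sizeof(**sgt) for struct sg_table **sgt,
 * which is the size the patch changes the call to. */
size_t correct_alloc_size(void)
{
    struct sg_table **sgt = NULL;
    return sizeof(**sgt);
}

/* 1 if using the wrong sizeof only wastes memory (allocation >= object),
 * 0 if it would under-allocate and later stores through the pointer could
 * run past the end of the heap block. */
int mismatch_is_overallocation(void)
{
    return buggy_alloc_size() >= correct_alloc_size();
}

/* Allocate with the buggy size, then use the block as a struct sg_table.
 * This is only safe because mismatch_is_overallocation() holds; with an
 * under-allocation the three stores below would corrupt the heap. */
struct sg_table *alloc_table_buggy_way(void)
{
    struct sg_table *sgt = calloc(1, buggy_alloc_size());

    if (!sgt)
        return NULL;
    sgt->sgl = NULL;
    sgt->nents = 0;
    sgt->orig_nents = 0;
    return sgt;
}

int main(void)
{
    struct sg_table *t;

    printf("sizeof(struct scatterlist) = %zu\n", buggy_alloc_size());
    printf("sizeof(struct sg_table)    = %zu\n", correct_alloc_size());
    printf("wrong sizeof %s\n",
           mismatch_is_overallocation()
               ? "over-allocates: wasteful, not corrupting"
               : "UNDER-allocates: memory corruption");
    t = alloc_table_buggy_way();
    free(t);
    return 0;
}
```

Build once with and once with `-DNEED_SG_DMA_LENGTH` to cover both kernel configurations; in either case struct scatterlist carries a pointer-sized field plus a dma_addr_t, so it is never smaller than struct sg_table's pointer and two unsigned ints.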