From owner-svn-src-all@FreeBSD.ORG Thu Jan 5 20:49:49 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7FEB0106566B; Thu, 5 Jan 2012 20:49:48 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 537698FC12; Thu, 5 Jan 2012 20:49:48 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q05KnmrG055063; Thu, 5 Jan 2012 20:49:48 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q05KnmFo055061; Thu, 5 Jan 2012 20:49:48 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201201052049.q05KnmFo055061@svn.freebsd.org> From: Pyun YongHyeon Date: Thu, 5 Jan 2012 20:49:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r229648 - stable/9/sys/dev/ed X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jan 2012 20:49:49 -0000 Author: yongari Date: Thu Jan 5 20:49:48 2012 New Revision: 229648 URL: http://svn.freebsd.org/changeset/base/229648 Log: MFC r228286: Fix off by one error in mbuf access. Previously it caused panic. While I'm here use NULL to compare mbuf pointer and add additional check for zero length mbuf before accessing the mbuf. PR: kern/162932 Modified: stable/9/sys/dev/ed/if_ed.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/amd64/include/xen/ (props changed) stable/9/sys/boot/ (props changed) stable/9/sys/boot/i386/efi/ (props changed) stable/9/sys/boot/ia64/efi/ (props changed) stable/9/sys/boot/ia64/ski/ (props changed) stable/9/sys/boot/powerpc/boot1.chrp/ (props changed) stable/9/sys/boot/powerpc/ofw/ (props changed) stable/9/sys/cddl/contrib/opensolaris/ (props changed) stable/9/sys/conf/ (props changed) stable/9/sys/contrib/dev/acpica/ (props changed) stable/9/sys/contrib/octeon-sdk/ (props changed) stable/9/sys/contrib/pf/ (props changed) stable/9/sys/contrib/x86emu/ (props changed) Modified: stable/9/sys/dev/ed/if_ed.c ============================================================================== --- stable/9/sys/dev/ed/if_ed.c Thu Jan 5 20:41:40 2012 (r229647) +++ stable/9/sys/dev/ed/if_ed.c Thu Jan 5 20:49:48 2012 (r229648) @@ -1709,12 +1709,19 @@ ed_shmem_write_mbufs(struct ed_softc *sc break; } } - for (len = 0; m != 0; m = m->m_next) { - if (sc->isa16bit) - bus_space_write_region_2(sc->mem_bst, - sc->mem_bsh, dst, - mtod(m, uint16_t *), (m->m_len + 1)/ 2); - else + for (len = 0; m != NULL; m = m->m_next) { + if (m->m_len == 0) + continue; + if (sc->isa16bit) { + if (m->m_len > 1) + bus_space_write_region_2(sc->mem_bst, + sc->mem_bsh, dst, + mtod(m, uint16_t *), m->m_len / 2); + if ((m->m_len & 1) != 0) + bus_space_write_1(sc->mem_bst, sc->mem_bsh, + dst + m->m_len - 1, + *(mtod(m, uint8_t *) + m->m_len - 1)); + } else bus_space_write_region_1(sc->mem_bst, sc->mem_bsh, dst, mtod(m, uint8_t *), m->m_len);