lib/scatterlist: fix temp buffer in extract_user_to_sg()

Instead of allocating a temporary buffer for extracted user pages
extract_user_to_sg() uses the end of the to be filled scatterlist as a
temporary buffer.

Fix the calculation of the start address if the scatterlist already
contains elements.  The unused space starts at sgtable->sgl +
sgtable->nents not directly at sgtable->nents and the temporary buffer is
placed at the end of this unused space.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.

Pointed out by sashiko.dev on a previous iteration of this series.

Link: https://lkml.kernel.org/r/20260326214905.818170-3-lk@c--e.de
Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Howells <dhowells@redhat.com>
Cc: David Gow <davidgow@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: <stable@vger.kernel.org>	[v6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index befdc4b9c11d39b69f876babd73011cac61deece..b7fe91ef35b8c6ab758bf9e9aff20e885d02ab21 100644 (file)
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1123,8 +1123,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
        size_t len, off;
 
        /* We decant the page list into the tail of the scatterlist */
-       pages = (void *)sgtable->sgl +
-               array_size(sg_max, sizeof(struct scatterlist));
+       pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist));
        pages -= sg_max;
 
        do {