io_u_qiter: Fix buffer overrun

In io_u_queue.h the io_u_qiter macro is loops around io_u_queue
structures. The problem comes with the end of loop initialisation:
i++, io_u = (q)->io_us[i]
For example, if io_us consists of one element and i is 0 then after the
first iteration is completed i++, io_u = (q)->io_us[i] will access
beyond the end of io_us.

Fix this by moving io_u initialisation to the expression part of the for
loop (yuck).

Found by Dr Memory.

Signed-off-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Jens Axboe <axboe@fb.com>

diff --git a/io_u_queue.h b/io_u_queue.h
index 4f6e8e6a703b573e8f5c0d3e24fa397e090008e2..5b6cad0ef173926f1ff0e259bac560f2a69d1d83 100644 (file)
--- a/io_u_queue.h
+++ b/io_u_queue.h
@@ -29,7 +29,7 @@ static inline int io_u_qempty(struct io_u_queue *q)
 }
 
 #define io_u_qiter(q, io_u, i) \
-       for (i = 0, io_u = (q)->io_us[0]; i < (q)->nr; i++, io_u = (q)->io_us[i])
+       for (i = 0; i < (q)->nr && (io_u = (q)->io_us[i]); i++)
 
 int io_u_qinit(struct io_u_queue *q, unsigned int nr);
 void io_u_qexit(struct io_u_queue *q);