From c70bade50e275f901e63d7564e99a7bdabe83509 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 8 Feb 2022 10:46:04 +0100
Subject: Don't add byte offset to kmapped pointer

While the kunmap functions always round down to the current page,
and currently, we never map a region larger than a page, it should
be safer to do the pointer arithmetic after we acquired the mapped
pointer, to avoid the risk of ever passing an invalid pointer
to kunmap.
---
 src/kernel/xloop_file_fmt_qcow_main.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/kernel/xloop_file_fmt_qcow_main.c b/src/kernel/xloop_file_fmt_qcow_main.c
index 4fc2fe3..767698b 100644
--- a/src/kernel/xloop_file_fmt_qcow_main.c
+++ b/src/kernel/xloop_file_fmt_qcow_main.c
@@ -975,16 +975,16 @@ static int __qcow_file_fmt_read_compressed(struct xloop_file_fmt *xlo_fmt, struc
 
 	ASSERT(bytes <= bvec->bv_len);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
-			data = bvec_kmap_local(bvec) + bytes_done;
+	data = bvec_kmap_local(bvec);
 #else
-			data = bvec_kmap_irq(bvec, &irq_flags) + bytes_done;
+	data = bvec_kmap_irq(bvec, &irq_flags);
 #endif
-	memcpy(data, qcow_data->cmp_out_buf + offset_in_cluster, bytes);
+	memcpy(data + bytes_done, qcow_data->cmp_out_buf + offset_in_cluster, bytes);
 	flush_dcache_page(bvec->bv_page);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
-			kunmap_local(data);
+	kunmap_local(data);
 #else
-			bvec_kunmap_irq(data, &irq_flags);
+	bvec_kunmap_irq(data, &irq_flags);
 #endif
 
 out_free_in_buf:
@@ -1029,11 +1029,11 @@ static int __qcow_file_fmt_read_bvec(struct xloop_file_fmt *xlo_fmt, struct bio_
 		case QCOW_SUBCLUSTER_UNALLOCATED_PLAIN:
 		case QCOW_SUBCLUSTER_UNALLOCATED_ALLOC:
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
-			data = bvec_kmap_local(bvec) + bytes_done;
+			data = bvec_kmap_local(bvec);
 #else
-			data = bvec_kmap_irq(bvec, &irq_flags) + bytes_done;
+			data = bvec_kmap_irq(bvec, &irq_flags);
 #endif
-			memset(data, 0, cur_bytes);
+			memset(data + bytes_done, 0, cur_bytes);
 			flush_dcache_page(bvec->bv_page);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
 			kunmap_local(data);
@@ -1053,11 +1053,11 @@ static int __qcow_file_fmt_read_bvec(struct xloop_file_fmt *xlo_fmt, struct bio_
 			pos_read = host_offset;
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
-			data = bvec_kmap_local(bvec) + bytes_done;
+			data = bvec_kmap_local(bvec);
 #else
-			data = bvec_kmap_irq(bvec, &irq_flags) + bytes_done;
+			data = bvec_kmap_irq(bvec, &irq_flags);
 #endif
-			len = kernel_read(xlo->xlo_backing_file, data, cur_bytes, &pos_read);
+			len = kernel_read(xlo->xlo_backing_file, data + bytes_done, cur_bytes, &pos_read);
 			flush_dcache_page(bvec->bv_page);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 15, 0)
 			kunmap_local(data);
-- 
cgit v1.2.3-55-g7522