From 45838e3a414a7a1a5fb49dc528dee1d22449599b Mon Sep 17 00:00:00 2001
From: Chunwei Chen
Date: Tue, 29 Sep 2015 00:02:31 -0700
Subject: [PATCH] Fix uioskip crash when skip to end
When doing uioskip to skip an iovec to the very end, the current loop condition will falsely check pass the end of iovec. We fix this checking uio_iovcnt first.
Signed-off-by: Chunwei Chen
Signed-off-by: Brian Behlendorf
Closes #3806
Closes #3850
---
 module/zcommon/zfs_uio.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/module/zcommon/zfs_uio.c b/module/zcommon/zfs_uio.c
index 6037fed80..f78db68e4 100644
--- a/module/zcommon/zfs_uio.c
+++ b/module/zcommon/zfs_uio.c
@@ -236,13 +236,15 @@ uioskip(uio_t *uiop, size_t n)
 uiop->uio_skip += n;
 if (uiop->uio_segflg != UIO_BVEC) {
- while (uiop->uio_skip >= uiop->uio_iov->iov_len) {
+ while (uiop->uio_iovcnt &&
+ uiop->uio_skip >= uiop->uio_iov->iov_len) {
 uiop->uio_skip -= uiop->uio_iov->iov_len;
 uiop->uio_iov++;
 uiop->uio_iovcnt--;
 }
 } else {
- while (uiop->uio_skip >= uiop->uio_bvec->bv_len) {
+ while (uiop->uio_iovcnt &&
+ uiop->uio_skip >= uiop->uio_bvec->bv_len) {
 uiop->uio_skip -= uiop->uio_bvec->bv_len;
 uiop->uio_bvec++;
 uiop->uio_iovcnt--;
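Review bot: Both rewritten `while` conditions are only safe because `uiop->uio_iovcnt` is tested before `uiop->uio_iov->iov_len` or `uiop->uio_bvec->bv_len` is read, and nothing in the code records that. If the operands were later reordered, the read past the last vector element would return, so I would put a comment above each loop such as `/* Test uio_iovcnt first: once the last element is consumed, uio_iov/uio_bvec points one past the array and must not be dereferenced. */`. The loops can also now exit with `uio_iovcnt == 0` and a non-zero `uio_skip` if `n` is larger than the bytes remaining. Whether `n` is bounded before `uiop->uio_skip += n` cannot be seen here, because uioskip's body starts and ends outside the hunk. If it is not bounded, a debug check after the loops such as `ASSERT(uiop->uio_iovcnt != 0 || uiop->uio_skip == 0);` would make that state visible.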