Alexander Sabourenkov wrote:
Alan Cox wrote:
I can't think of a way to avoid second pass over scatterlist without
duplicating code (ata_qc_prep() and ata_fill_sg() from libata-core.c).
This appears to be incomplete:
[...]
What guarantees you have enough PRD entries to do this without changing
the limit in the structures ?
Otherwise looks good
PRD entries count is 256
include/linux/ata.h:
ATA_MAX_PRD = 256,
ATA_PRD_TBL_SZ = (ATA_MAX_PRD * ATA_PRD_SZ),
drivers/ata/libata-core.c:
ap->prd = dmam_alloc_coherent(dev, ATA_PRD_TBL_SZ, &ap->prd_dma,
sata_promise Scsi_Host declares support for half of that:
include/linux/libata.h:
LIBATA_MAX_PRD = ATA_MAX_PRD / 2,
drivers/ata/sata_promise.c
.sg_tablesize = LIBATA_MAX_PRD,
Alan's point was that the existing code will give you up to
LIBATA_MAX_PRD entries. After the post-virtual-merge splitting code in
ata_fill_sg() executes, the worst case result is ATA_MAX_PRD entries.
Thus, since your code has the potential to increase the number of s/g
entries above that, it can potentially corrupt memory, lock up the
machine, all the wonderful things that can happen when you run off the
end of the s/g list.
The fix is to decrease .sg_tablesize (LIBATA_MAX_PRD - 2 perhaps?) so
that you guarantee this worst case never occurs, by guaranteeing that
the system never sends you enough s/g entries to cause your code to go
out of bounds.
Jeff
-
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html