I don't see how that's possible. count / n_block will always be smaller than 65535 * ATA_MAX_TRIM_RNUM(64) = 4194240. Not to mention that isn't even a "buffer limit" anyway. By SG_IO do you mean like SCSI Write Same commands that issued with sg_write_same or so? If that's the case, that's what exactly commit 5c79097a28c2 ("libata-scsi: reject WRITE SAME (16) with n_block that exceeds limit") is for. On 23 August 2016 at 03:58, Shaun Tancheff <shaun@xxxxxxxxxxxx> wrote: > On Mon, Aug 22, 2016 at 1:55 PM, <tom.ty89@xxxxxxxxx> wrote: >> From: Tom Yan <tom.ty89@xxxxxxxxx> >> >> In commit 5c79097a28c2 ("libata-scsi: reject WRITE SAME (16) with >> n_block that exceeds limit"), it is made sure that >> ata_set_lba_range_entries() will never be called with a request >> size (n_block) that is larger than the number of blocks that a >> 512-byte block TRIM payload can describe (65535 * 64 = 4194240), >> in addition to acknowlegding the SCSI/block layer with the same >> limit by advertising it as the Maximum Write Same Length. >> >> Therefore, it is unnecessary to hard code the same limit in >> ata_set_lba_range_entries() itself, which would only cost extra >> maintenance effort. Such effort can be noticed in, for example, >> commit 2983860c7668 ("libata-scsi: avoid repeated calculation of >> number of TRIM ranges"). >> >> Signed-off-by: Tom Yan <tom.ty89@xxxxxxxxx> >> >> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c >> index be9c76c..9b74ecb 100644 >> --- a/drivers/ata/libata-scsi.c >> +++ b/drivers/ata/libata-scsi.c >> @@ -3322,7 +3322,7 @@ static unsigned int ata_scsi_write_same_xlat(struct ata_queued_cmd *qc) >> buf = page_address(sg_page(scsi_sglist(scmd))); >> >> if (n_block <= 65535 * ATA_MAX_TRIM_RNUM) { >> - size = ata_set_lba_range_entries(buf, ATA_MAX_TRIM_RNUM, block, n_block); >> + size = ata_set_lba_range_entries(buf, block, n_block); >> } else { >> fp = 2; >> goto invalid_fld; >> diff --git a/include/linux/ata.h b/include/linux/ata.h >> index adbc812..5e2e9ad 100644 >> --- a/include/linux/ata.h >> +++ b/include/linux/ata.h >> @@ -1077,19 +1077,19 @@ static inline void ata_id_to_hd_driveid(u16 *id) >> * TO NV CACHE PINNED SET. >> */ >> static inline unsigned ata_set_lba_range_entries(void *_buffer, >> - unsigned num, u64 sector, unsigned long count) >> + u64 sector, unsigned long count) >> { >> __le64 *buffer = _buffer; >> unsigned i = 0, used_bytes; >> >> - while (i < num) { >> - u64 entry = sector | >> - ((u64)(count > 0xffff ? 0xffff : count) << 48); >> + while (count > 0) { >> + u64 range, entry; >> + >> + range = count > 0xffff ? 0xffff : count; >> + entry = sector | (range << 48); >> buffer[i++] = __cpu_to_le64(entry); >> - if (count <= 0xffff) >> - break; >> - count -= 0xffff; >> - sector += 0xffff; >> + count -= range; >> + sector += range; >> } > > I think the problem here is that I can now inject a buffer overflow > via SG_IO. > >> used_bytes = ALIGN(i * 8, 512); >> -- >> 2.9.3 >> -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html