On Sun, 17 Jun 2012 12:32:13 +1000
ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:

> From 4ec964eb7683125e0d652a02d2839f0a044fee60 Mon Sep 17 00:00:00 2001
> From: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
> Date: Sun, 17 Jun 2012 12:28:12 +1000
> Subject: [PATCH] SBC: LBA range check, fix some bugs in the LBA out of range check
>
> We can not shift the LBA << 9 and compare to the file size since this means
> that for a HUGE LBA, like LBA==2^63 this will cause the 64 bit integer
> to overflow and we suddenly pass all the tests and LBA suddenly becomes LBA
> Several targets have this bug as far as I can tell in testing.
>
> Instead, use LBA as is and instead shift the filesize >> 9 before the check
> to avoid this overflow.
>
> Also, if both LBA and transfer length are huge, LBA + TL can wrap too
> so we need to check for that too and return check condition if
> lba+tl < lba
>
> Signed-off-by: Ronnie Sahlberg <ronniesahlberg@xxxxxxxxx>
> ---
> usr/sbc.c | 13 +++++++------
> 1 files changed, 7 insertions(+), 6 deletions(-)

I changed the style a bit in the following way and applied. Thanks.

> diff --git a/usr/sbc.c b/usr/sbc.c > index 248a547..52c0fad 100644 > --- a/usr/sbc.c > +++ b/usr/sbc.c > @@ -297,27 +297,28 @@ static int sbc_rw(int host_no, struct scsi_cmd *cmd) > } > } > > - lba = scsi_rw_offset(cmd->scb) << cmd->dev->blk_shift; > - tl = scsi_rw_count(cmd->scb) << cmd->dev->blk_shift; > + lba = scsi_rw_offset(cmd->scb); > + tl = scsi_rw_count(cmd->scb); > > /* Verify that we are not doing i/o beyond > the end-of-lun */ > if (tl) { > - if (lba + tl > lu->size) { > + if (lba + tl < lba > + || lba + tl > lu->size >> cmd->dev->blk_shift) {

if (lba + tl < lba || lba + tl > lu->size >> cmd->dev->blk_shift) {
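
Review bot: in the new bounds test, `lba + tl < lba` only detects wraparound if `lba` and `tl` are unsigned 64-bit; their declarations are outside this hunk, so please confirm they are `uint64_t`, since signed overflow would be undefined and the compiler could drop the test. Because both values are now block counts rather than byte counts, any later use in `sbc_rw` that expects a byte offset or length needs `<< cmd->dev->blk_shift` applied at that point; the visible lines stop before any such use. Writing the right-hand side as `(lu->size >> cmd->dev->blk_shift)` would also make the intended precedence explicit.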
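
The two overflow cases the commit message describes, as an added example that is not part of the patch or of the target's own code. `in_range_bytes` and `in_range_blocks` are hypothetical stand-ins for the check before and after the change; the fixed shift of 9 comes from the commit message and the 1 GiB LUN size is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BLK_SHIFT 9   /* 512-byte blocks, the "<< 9" of the commit message */

/* Pre-patch style (hypothetical name): convert to bytes, then compare.
 * The left shift silently discards the top BLK_SHIFT bits of lba.
 * Returns 1 when the request is accepted. */
static int in_range_bytes(uint64_t lba, uint64_t tl, uint64_t size_bytes)
{
    uint64_t off = lba << BLK_SHIFT;
    uint64_t len = tl << BLK_SHIFT;
    return !(off + len > size_bytes);
}

/* Post-patch style (hypothetical name): stay in block units, shift the
 * size down instead, and reject requests where lba + tl wraps. */
static int in_range_blocks(uint64_t lba, uint64_t tl, uint64_t size_bytes)
{
    if (lba + tl < lba)            /* unsigned wraparound */
        return 0;
    return !(lba + tl > (size_bytes >> BLK_SHIFT));
}

int main(void)
{
    const uint64_t size = 1ULL << 30;            /* constructed 1 GiB LUN */
    const struct { const char *name; uint64_t lba, tl; } cases[] = {
        { "last block",         (1ULL << 21) - 1, 1 },
        { "one past the end",   1ULL << 21,       1 },
        { "LBA == 2^63",        1ULL << 63,       1 },
        { "LBA + TL wraps",     UINT64_MAX,       2 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-18s bytes-check=%d blocks-check=%d\n", cases[i].name,
               in_range_bytes(cases[i].lba, cases[i].tl, size),
               in_range_blocks(cases[i].lba, cases[i].tl, size));
    return 0;
}
```
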