On Wed, 2011-10-19 at 13:39 -0700, Roland Dreier wrote:
> On Wed, Oct 19, 2011 at 10:31 AM, Nicholas A. Bellinger
> <nab@xxxxxxxxxxxxxxx> wrote:
> >> With mainline code this bug would only hit if the response data
> >> overflowed the first sg list page, right?
> >
> > No, transport_generic_cmd_sequencer() performs the following check and
> > will reject control CDBs beyond the first sg list page:
> >
> >         /* Let's limit control cdbs to a page, for simplicity's sake. */
> >         if ((cmd->se_cmd_flags & SCF_SCSI_CONTROL_SG_IO_CDB) &&
> >             size > PAGE_SIZE)
> >                 goto out_invalid_cdb_field;
>
> I think you misunderstand my question.  The bug that was fixed here is
> if the code that generates the response data overruns this PAGE_SIZE buffer.
> And this would only happen if the report target port groups response ends up
> being more than 4K, which is pretty unlikely.
>

This patch for mainline ensures that the response length is truncated
properly according to the original allocation length, and rejects anything
less than 4 bytes for the main REPORT TARGET PORT GROUPS header.

It's still a bug if the response length fills beyond the allocation length,
regardless of whether we have a whole page or not for backing memory in v3.1
code.

--nab
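The two checks discussed in the thread (reject an ALLOCATION LENGTH smaller than the 4-byte REPORT TARGET PORT GROUPS header, and never transfer more than ALLOCATION LENGTH or the backing buffer regardless of how long the generated response is) are shown below in a stand-alone C emulation. This is an added example, not the target core code or the patch under discussion; the field layout follows SPC-3/SPC-4, while `struct tpg_desc`, the `rtpg_*` function names, the 256-byte scratch cap and the two sample port groups are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not kernel code): emulate SPC REPORT TARGET PORT GROUPS
 * while honouring the CDB ALLOCATION LENGTH. Names below are assumptions. */

#define RTPG_HEADER_LEN     4    /* RETURN DATA LENGTH field */
#define RTPG_GROUP_HDR_LEN  8    /* fixed part of a target port group descriptor */
#define RTPG_PORT_DESC_LEN  4    /* one target port descriptor */
#define RTPG_MAX_RESPONSE 256    /* scratch cap chosen for this example */

enum { RTPG_ERR_ALLOC_LEN = -1, RTPG_ERR_TOO_LARGE = -2 };

struct tpg_desc {                /* hypothetical description of one port group */
    uint8_t  access_state;       /* ASYMMETRIC ACCESS STATE: 0 = active/optimized, 2 = standby */
    uint16_t tpg_id;             /* TARGET PORT GROUP identifier */
    uint8_t  port_count;
    uint16_t rel_port_ids[4];    /* RELATIVE TARGET PORT IDENTIFIERs */
};

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* MAINTENANCE IN (0xA3), service action REPORT TARGET PORT GROUPS (0x0A);
 * ALLOCATION LENGTH is CDB bytes 6..9, big-endian. */
void rtpg_make_cdb(uint8_t cdb[12], uint32_t alloc_len)
{
    memset(cdb, 0, 12);
    cdb[0] = 0xa3;
    cdb[1] = 0x0a;
    put_be32(&cdb[6], alloc_len);
}

/* Size of the complete response the device would like to return. */
size_t rtpg_full_len(const struct tpg_desc *g, size_t n)
{
    size_t len = RTPG_HEADER_LEN;
    for (size_t i = 0; i < n; i++)
        len += RTPG_GROUP_HDR_LEN + RTPG_PORT_DESC_LEN * g[i].port_count;
    return len;
}

/* Returns bytes transferred into out[], RTPG_ERR_ALLOC_LEN if the initiator
 * asked for less than the 4-byte header, RTPG_ERR_TOO_LARGE if the response
 * exceeds the scratch buffer. *truncated is set when the transfer was cut. */
int rtpg_emulate(const uint8_t cdb[12], const struct tpg_desc *g, size_t n,
                 uint8_t *out, size_t out_cap, int *truncated)
{
    uint8_t scratch[RTPG_MAX_RESPONSE];
    uint32_t alloc_len = get_be32(&cdb[6]);
    size_t full = rtpg_full_len(g, n), off = RTPG_HEADER_LEN, xfer;

    *truncated = 0;
    if (alloc_len < RTPG_HEADER_LEN)
        return RTPG_ERR_ALLOC_LEN;          /* cannot even hold RETURN DATA LENGTH */
    if (full > sizeof(scratch))
        return RTPG_ERR_TOO_LARGE;

    /* RETURN DATA LENGTH counts the descriptors and is not reduced on
     * truncation, so the initiator can retry with a larger ALLOCATION LENGTH. */
    put_be32(scratch, (uint32_t)(full - RTPG_HEADER_LEN));
    for (size_t i = 0; i < n; i++) {
        uint8_t *d = &scratch[off];
        memset(d, 0, RTPG_GROUP_HDR_LEN);
        d[0] = g[i].access_state & 0x0f;
        d[1] = 0x05;                        /* AO_SUP | S_SUP */
        put_be16(&d[2], g[i].tpg_id);
        d[7] = g[i].port_count;
        off += RTPG_GROUP_HDR_LEN;
        for (uint8_t p = 0; p < g[i].port_count; p++) {
            scratch[off] = scratch[off + 1] = 0;
            put_be16(&scratch[off + 2], g[i].rel_port_ids[p]);
            off += RTPG_PORT_DESC_LEN;
        }
    }

    /* Bound the transfer by ALLOCATION LENGTH and by the backing buffer. */
    xfer = full;
    if (xfer > alloc_len) { xfer = alloc_len; *truncated = 1; }
    if (xfer > out_cap)   { xfer = out_cap;   *truncated = 1; }
    memcpy(out, scratch, xfer);
    return (int)xfer;
}

struct rtpg_demo_result { int written; int truncated; uint32_t return_data_len; };

/* Constructed sample: two groups, three ports; the full response is 32 bytes. */
struct rtpg_demo_result rtpg_demo(uint32_t alloc_len)
{
    const struct tpg_desc groups[2] = {
        { 0x0, 1, 2, { 1, 2 } },            /* active/optimized, ports 1 and 2 */
        { 0x2, 2, 1, { 3 } },               /* standby, port 3 */
    };
    uint8_t cdb[12], out[64] = { 0 };
    struct rtpg_demo_result r = { 0, 0, 0 };

    rtpg_make_cdb(cdb, alloc_len);
    r.written = rtpg_emulate(cdb, groups, 2, out, sizeof out, &r.truncated);
    r.return_data_len = r.written >= RTPG_HEADER_LEN ? get_be32(out) : 0;
    return r;
}

int main(void)
{
    const uint32_t lens[] = { 255, 20, 4, 3 };
    for (size_t i = 0; i < 4; i++) {
        struct rtpg_demo_result r = rtpg_demo(lens[i]);
        printf("alloc_len=%3u -> written=%d truncated=%d return_data_len=%u\n",
               lens[i], r.written, r.truncated, r.return_data_len);
    }
    return 0;
}
```

The response is generated in full into a scratch area first and only then copied out under both limits, so a response longer than the initiator asked for (or than the backing page) is cut at the copy rather than overrunning anything; an ALLOCATION LENGTH of 3 is rejected before any bytes are written.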