Hi Hannes,
On Wed, 2013-02-06 at 14:42 +0100, Hannes Reinecke wrote:
> The loop in rd_execute_rw() will never terminate if the
> sg element has a zero size. Or it'll spill over into
> outer space if the sg element is larger than the available
> space.
> So we need to add some safety catches here.
>
> Cc: Nic Bellinger <nab@xxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
>
Apologies for the delay. Applied to target-pending/for-next.
Thank you,
--nab
> diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
> index 0457de3..ed10a9f 100644
> --- a/drivers/target/target_core_rd.c
> +++ b/drivers/target/target_core_rd.c
> @@ -314,7 +314,19 @@ rd_execute_rw(struct se_cmd *cmd)
> void *rd_addr;
>
> sg_miter_next(&m);
> + if (!(u32)m.length) {
> + pr_debug("RD[%u]: invalid sgl %p len %zu\n",
> + dev->rd_dev_id, m.addr, m.length);
> + sg_miter_stop(&m);
> + return TCM_INCORRECT_AMOUNT_OF_DATA;
> + }
> len = min((u32)m.length, src_len);
> + if (len > rd_size) {
> + pr_debug("RD[%u]: size underrun page %d offset %d "
> + "size %d\n", dev->rd_dev_id,
> + rd_page, rd_offset, rd_size);
> + len = rd_size;
> + }
> m.consumed = len;
>
> rd_addr = sg_virt(rd_sg) + rd_offset;
> --
> To unsubscribe from this list: send the line "unsubscribe target-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
