Decreasing copied from copy length is wrong, as sg->length
varies between scatter entries and copied only increases in
each iteration which might result in an infinite loop.
Instead we decrease psg_len in each round.
This issue can be easily reproduced with message size > 256k.
Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>
---
drivers/target/target_core_sbc.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index bd018be..b64a62c 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1141,8 +1141,8 @@ sbc_dif_copy_prot(struct se_cmd *cmd, unsigned int sectors, bool read,
paddr = kmap_atomic(sg_page(psg)) + psg->offset;
psg_len = min(left, psg->length);
- while (copied < psg_len) {
- len = min(psg_len, sg->length - offset) - copied;
+ while (psg_len) {
+ len = min(psg_len, sg->length - offset);
addr = kmap_atomic(sg_page(sg)) + sg->offset + offset;
if (read)
@@ -1153,6 +1153,7 @@ sbc_dif_copy_prot(struct se_cmd *cmd, unsigned int sectors, bool read,
left -= len;
offset += len;
copied += len;
+ psg_len -= len;
if (offset >= sg->length) {
sg = sg_next(sg);
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
