On Thu, 2014-03-06 at 12:42 +0200, Sagi Grimberg wrote:
> Decreasing copied from copy length is wrong, as sg->length
> varies between scatter entries and copied only increases in
> each iteration which might result in an infinite loop.
> Instead we decrease psg_len in each round.
> This issue can be easily reproduced with message size > 256k.
>
> Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>
> ---
> drivers/target/target_core_sbc.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
> index bd018be..b64a62c 100644
> --- a/drivers/target/target_core_sbc.c
> +++ b/drivers/target/target_core_sbc.c
> @@ -1141,8 +1141,8 @@ sbc_dif_copy_prot(struct se_cmd *cmd, unsigned int sectors, bool read,
>
> paddr = kmap_atomic(sg_page(psg)) + psg->offset;
> psg_len = min(left, psg->length);
> - while (copied < psg_len) {
> - len = min(psg_len, sg->length - offset) - copied;
> + while (psg_len) {
> + len = min(psg_len, sg->length - offset);
> addr = kmap_atomic(sg_page(sg)) + sg->offset + offset;
>
> if (read)
> @@ -1153,6 +1153,7 @@ sbc_dif_copy_prot(struct se_cmd *cmd, unsigned int sectors, bool read,
> left -= len;
> offset += len;
> copied += len;
> + psg_len -= len;
>
> if (offset >= sg->length) {
> sg = sg_next(sg);
This looks correct AFAICT..
Applied + squashed into the original commit.
Thanks Sagi!
--nab
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
