From: Mike Christie <mchristi@redhat.com>
To: lixiubo@cmss.chinamobile.com, nab@linux-iscsi.org
Cc: bryantly@linux.vnet.ibm.com, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org
Subject: Re: [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
Date: Wed, 12 Jul 2017 12:36:30 -0500
Message-ID: <59665E1E.5040900@redhat.com>
In-Reply-To: <1499845877-18931-1-git-send-email-lixiubo@cmss.chinamobile.com>
On 07/12/2017 02:51 AM, lixiubo@cmss.chinamobile.com wrote:
> From: Xiubo Li <lixiubo@cmss.chinamobile.com>
>
> In most cases sg->length equals PAGE_SIZE, so this bug won't
> be triggered. Otherwise this will crash the kernel, for example when
> all segments' sg->length equal 1K.
>
> Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
> ---
> drivers/target/target_core_user.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 8bf0823..9030c2a 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -590,8 +590,6 @@ static int scatter_data_area(struct tcmu_dev *udev,
> block_remaining);
> to_offset = get_block_offset_user(udev, dbi,
> block_remaining);
> - offset = DATA_BLOCK_SIZE - block_remaining;
> - to += offset;
>
> if (*iov_cnt != 0 &&
> to_offset == iov_tail(*iov)) {
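Review bot: the removed `to += offset` is the root cause and dropping it is the right fix: it ran on every iteration of the loop, so when one data block is filled from several sg entries shorter than DATA_BLOCK_SIZE the same offset was added to `to` repeatedly and the destination drifted past the block (the 1K case from the commit message). With this change `to` stays at the block base for as long as `block_remaining` is non-zero and the offset is applied only at the copy. Worth a one-line comment where `to` is assigned (outside this hunk) saying it must remain the block base, so the accumulating form does not get reintroduced; note that `to_offset` from get_block_offset_user() already takes `block_remaining` into account, so the userspace iovec side was never affected.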
> @@ -602,8 +600,10 @@ static int scatter_data_area(struct tcmu_dev *udev,
> (*iov)->iov_len = copy_bytes;
> }
> if (copy_data) {
> - memcpy(to, from + sg->length - sg_remaining,
> - copy_bytes);
> + offset = DATA_BLOCK_SIZE - block_remaining;
> + memcpy(to + offset,
> + from + sg->length - sg_remaining,
> + copy_bytes);
> tcmu_flush_dcache_range(to, copy_bytes);
> }
> sg_remaining -= copy_bytes;
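Review bot: the flush on the unchanged context line `tcmu_flush_dcache_range(to, copy_bytes);` still starts at `to`, while the memcpy just above now writes to `to + offset`, so for a non-zero offset the flushed range no longer covers the bytes that were actually written. Suggest `tcmu_flush_dcache_range(to + offset, copy_bytes);` to keep the flush and the copy on the same range. Moving `offset = DATA_BLOCK_SIZE - block_remaining;` inside `if (copy_data)` is fine, since nothing else in the visible lines reads `offset`.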
> @@ -664,9 +664,8 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
> copy_bytes = min_t(size_t, sg_remaining,
> block_remaining);
> offset = DATA_BLOCK_SIZE - block_remaining;
> - from += offset;
> tcmu_flush_dcache_range(from, copy_bytes);
> - memcpy(to + sg->length - sg_remaining, from,
> + memcpy(to + sg->length - sg_remaining, from + offset,
> copy_bytes);
>
> sg_remaining -= copy_bytes;
>
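Review bot: same range mismatch as on the scatter side: `tcmu_flush_dcache_range(from, copy_bytes);` on the unchanged context line flushes from the block base, but the memcpy now reads from `from + offset`. Suggest `tcmu_flush_dcache_range(from + offset, copy_bytes);` so the flush precedes the read of exactly the bytes being copied; the order (flush, then copy out of the shared area) is otherwise correct. Dropping `from += offset;` fixes the same accumulation across multiple sg entries per block as in scatter_data_area(), and the commit message would be clearer if it named that accumulation as the mechanism rather than only the symptom.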
Nice.
Reviewed-by: Mike Christie <mchristi@redhat.com>
2017-07-12 7:51 [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy lixiubo
2017-07-12 17:36 ` Mike Christie [this message]
2017-07-30 22:13 ` Nicholas A. Bellinger