[PATCH] IB/iser: Fix some error handling in iser_fast_reg

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr()
@ 2019-02-20  5:40 Dan Carpenter
  2019-02-23  2:38 ` Sagi Grimberg
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Dan Carpenter @ 2019-02-20  5:40 UTC (permalink / raw)
  To: kernel-janitors

The ib_sg_to_pages() function can return negative error codes.  The
problem with the error handling is that mem->dma_nents is a u32 so
the comparison is type promoted to unsigned int.  A negative error code
thus becomes a large positive value and is treated as valid.

Fixes: 57b26497fabe ("IB/iser: Pass the correct number of entries for dma mapped SGL ")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/infiniband/ulp/iser/iser_memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/iser/iser_memory.c b/drivers/infiniband/ulp/iser/iser_memory.c
index 2ba70729d7b0..04a9b8f118df 100644
--- a/drivers/infiniband/ulp/iser/iser_memory.c
+++ b/drivers/infiniband/ulp/iser/iser_memory.c
@@ -240,7 +240,7 @@ int iser_fast_reg_fmr(struct iscsi_iser_task *iser_task,
 	page_vec->fake_mr.page_size = SIZE_4K;
 	plen = ib_sg_to_pages(&page_vec->fake_mr, mem->sg,
 			      mem->dma_nents, NULL, iser_set_page);
-	if (unlikely(plen < mem->dma_nents)) {
+	if (plen < 0 || plen < mem->dma_nents) {
 		iser_err("page vec too short to hold this SG\n");
 		iser_data_buf_dump(mem, device->ib_device);
 		iser_dump_page_vec(page_vec);
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr()
  2019-02-20  5:40 [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr() Dan Carpenter
@ 2019-02-23  2:38 ` Sagi Grimberg
  2019-02-24 14:08 ` Max Gurtovoy
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Sagi Grimberg @ 2019-02-23  2:38 UTC (permalink / raw)
  To: kernel-janitors

Thanks Dan

Acked-by: Sagi Grimberg <sagi@grimberg.me>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr()
  2019-02-20  5:40 [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr() Dan Carpenter
  2019-02-23  2:38 ` Sagi Grimberg
@ 2019-02-24 14:08 ` Max Gurtovoy
  2019-02-25 21:27 ` Sagi Grimberg
  2019-02-26 10:24 ` Max Gurtovoy
  3 siblings, 0 replies; 5+ messages in thread
From: Max Gurtovoy @ 2019-02-24 14:08 UTC (permalink / raw)
  To: kernel-janitors


On 2/20/2019 7:40 AM, Dan Carpenter wrote:
> The ib_sg_to_pages() function can return negative error codes.  The
> problem with the error handling is that mem->dma_nents is a u32 so
> the comparison is type promoted to unsigned int.  A negative error code
> thus becomes a large positive value and is treated as valid.
>
> Fixes: 57b26497fabe ("IB/iser: Pass the correct number of entries for dma mapped SGL ")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/infiniband/ulp/iser/iser_memory.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/ulp/iser/iser_memory.c b/drivers/infiniband/ulp/iser/iser_memory.c
> index 2ba70729d7b0..04a9b8f118df 100644
> --- a/drivers/infiniband/ulp/iser/iser_memory.c
> +++ b/drivers/infiniband/ulp/iser/iser_memory.c
> @@ -240,7 +240,7 @@ int iser_fast_reg_fmr(struct iscsi_iser_task *iser_task,
>   	page_vec->fake_mr.page_size = SIZE_4K;
>   	plen = ib_sg_to_pages(&page_vec->fake_mr, mem->sg,
>   			      mem->dma_nents, NULL, iser_set_page);
> -	if (unlikely(plen < mem->dma_nents)) {
> +	if (plen < 0 || plen < mem->dma_nents) {
>   		iser_err("page vec too short to hold this SG\n");
>   		iser_data_buf_dump(mem, device->ib_device);
>   		iser_dump_page_vec(page_vec);

Was the "unlikely" removed in purpose ?

I'm ok with that since Sagi has patches that will remove FMR usage in iSER.

but the below fix is the correct one for future code as well 
(ib_dma_map_sg returns int and not unsigned int):

diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.h 
b/drivers/infiniband/ulp/iser/iscsi_iser.h
index 0bf8512..def8cfe 100644
--- a/drivers/infiniband/ulp/iser/iscsi_iser.h
+++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
@@ -205,7 +205,7 @@ struct iser_data_buf {
     struct scatterlist *sg;
     int                size;
     unsigned long      data_len;
-   unsigned int       dma_nents;
+   int                dma_nents;
  };


thoughts ?

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr()
  2019-02-20  5:40 [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr() Dan Carpenter
  2019-02-23  2:38 ` Sagi Grimberg
  2019-02-24 14:08 ` Max Gurtovoy
@ 2019-02-25 21:27 ` Sagi Grimberg
  2019-02-26 10:24 ` Max Gurtovoy
  3 siblings, 0 replies; 5+ messages in thread
From: Sagi Grimberg @ 2019-02-25 21:27 UTC (permalink / raw)
  To: kernel-janitors


> but the below fix is the correct one for future code as well 
> (ib_dma_map_sg returns int and not unsigned int):
> 
> diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.h 
> b/drivers/infiniband/ulp/iser/iscsi_iser.h
> index 0bf8512..def8cfe 100644
> --- a/drivers/infiniband/ulp/iser/iscsi_iser.h
> +++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
> @@ -205,7 +205,7 @@ struct iser_data_buf {
>      struct scatterlist *sg;
>      int                size;
>      unsigned long      data_len;
> -   unsigned int       dma_nents;
> +   int                dma_nents;
>   };
> 
> 
> thoughts ?

That's fine as well, care to send a patch?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr()
  2019-02-20  5:40 [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr() Dan Carpenter
                   ` (2 preceding siblings ...)
  2019-02-25 21:27 ` Sagi Grimberg
@ 2019-02-26 10:24 ` Max Gurtovoy
  3 siblings, 0 replies; 5+ messages in thread
From: Max Gurtovoy @ 2019-02-26 10:24 UTC (permalink / raw)
  To: kernel-janitors


On 2/25/2019 11:27 PM, Sagi Grimberg wrote:
>
>> but the below fix is the correct one for future code as well 
>> (ib_dma_map_sg returns int and not unsigned int):
>>
>> diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.h 
>> b/drivers/infiniband/ulp/iser/iscsi_iser.h
>> index 0bf8512..def8cfe 100644
>> --- a/drivers/infiniband/ulp/iser/iscsi_iser.h
>> +++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
>> @@ -205,7 +205,7 @@ struct iser_data_buf {
>>      struct scatterlist *sg;
>>      int                size;
>>      unsigned long      data_len;
>> -   unsigned int       dma_nents;
>> +   int                dma_nents;
>>   };
>>
>>
>> thoughts ?
>
> That's fine as well, care to send a patch?


Done, please see it in the mailing list.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-02-26 10:24 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-20  5:40 [PATCH] IB/iser: Fix some error handling in iser_fast_reg_fmr() Dan Carpenter
2019-02-23  2:38 ` Sagi Grimberg
2019-02-24 14:08 ` Max Gurtovoy
2019-02-25 21:27 ` Sagi Grimberg
2019-02-26 10:24 ` Max Gurtovoy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox