From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
To: target-devel <target-devel@vger.kernel.org>,
linux-rdma <linux-rdma@vger.kernel.org>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
Roland Dreier <roland@purestorage.com>,
Bart Van Assche <bvanassche@acm.org>,
"Nicholas A. Bellinger" <nab@linux-iscsi.org>
Subject: [PATCH 1/9] ib_srpt: Fix potential out-of-bounds array access
Date: Mon, 24 Oct 2011 05:33:34 +0000 [thread overview]
Message-ID: <1319434422-15354-2-git-send-email-nab@linux-iscsi.org> (raw)
In-Reply-To: <1319434422-15354-1-git-send-email-nab@linux-iscsi.org>
From: Bart Van Assche <bvanassche@acm.org>
This patch fixes a potential out-of-bounds array access in
srpt_map_sg_to_ib_sge(). This is bugfix port from SCST svn r3262
as recommended by Bart Van Assche for the initial ib_srpt merge.
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
---
drivers/infiniband/ulp/srpt/ib_srpt.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index e412a35..383994d 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1142,7 +1142,8 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
if (ioctx->rdma_ius && ioctx->n_rdma_ius)
nrdma = ioctx->n_rdma_ius;
else {
- nrdma = count / SRPT_DEF_SG_PER_WQE + ioctx->n_rbuf;
+ nrdma = (count + SRPT_DEF_SG_PER_WQE - 1) / SRPT_DEF_SG_PER_WQE
+ + ioctx->n_rbuf;
ioctx->rdma_ius = kzalloc(nrdma * sizeof *riu, GFP_KERNEL);
if (!ioctx->rdma_ius)
@@ -1258,11 +1259,11 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
}
++k;
- if (k == riu->sge_cnt && rsize > 0) {
+ if (k == riu->sge_cnt && rsize > 0 && tsize > 0) {
++riu;
sge = riu->sge;
k = 0;
- } else if (rsize > 0)
+ } else if (rsize > 0 && tsize > 0)
++sge;
}
}
--
1.7.2.5
next prev parent reply other threads:[~2011-10-24 5:33 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-24 5:33 [PATCH 0/9] ib_srpt: Changes from RFC for v3.2-rc1 mainline merge Nicholas A. Bellinger
2011-10-24 5:33 ` Nicholas A. Bellinger [this message]
2011-10-24 5:33 ` [PATCH 2/9] ib_srpt: Avoid failed multipart RDMA transfers Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 3/9] ib_srpt: Fix srpt_alloc_fabric_acl failure case return value Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 4/9] ib_srpt: Update comments to reference $driver/$port layout Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 5/9] ib_srpt: Fix sport->port_guid formatting code Nicholas A. Bellinger
[not found] ` <1319434422-15354-6-git-send-email-nab-IzHhD5pYlfBP7FQvKIMDCQ@public.gmane.org>
2011-10-24 19:57 ` Bart Van Assche
2011-10-24 20:25 ` Nicholas A. Bellinger
[not found] ` <1319487952.17450.72.camel-Y1+j5t8j3WgjMeEPmliV8E/sVC8ogwMJ@public.gmane.org>
2011-10-26 18:23 ` Bart Van Assche
[not found] ` <CAO+b5-qjOT2rqeLn=DJi5ogk+KTV8_Fi0tYwj4gECtcSNNhHRQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-10-27 0:37 ` Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 6/9] ib_srpt: Remove legacy use_port_guid_in_session_name module parameter Nicholas A. Bellinger
[not found] ` <1319434422-15354-7-git-send-email-nab-IzHhD5pYlfBP7FQvKIMDCQ@public.gmane.org>
2011-10-24 18:24 ` Bart Van Assche
2011-10-24 5:33 ` [PATCH 7/9] ib_srpt: Convert srp_max_rdma_size into per port configfs attribute Nicholas A. Bellinger
[not found] ` <1319434422-15354-8-git-send-email-nab-IzHhD5pYlfBP7FQvKIMDCQ@public.gmane.org>
2011-10-24 16:34 ` Bart Van Assche
2011-10-24 18:27 ` Nicholas A. Bellinger
2011-10-24 20:29 ` Nicholas A. Bellinger
[not found] ` <1319488195.17450.73.camel-Y1+j5t8j3WgjMeEPmliV8E/sVC8ogwMJ@public.gmane.org>
2011-10-25 6:22 ` Nicholas A. Bellinger
2011-10-25 10:32 ` Bart Van Assche
[not found] ` <CAO+b5-p9xXB_sWes=uet6skkFn=xWD+vKuoOeuGwjbxYhE-ctg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-10-25 10:35 ` Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 8/9] ib_srpt: Convert srp_max_rsp_size " Nicholas A. Bellinger
[not found] ` <1319434422-15354-9-git-send-email-nab-IzHhD5pYlfBP7FQvKIMDCQ@public.gmane.org>
2011-10-24 19:44 ` Bart Van Assche
[not found] ` <CAO+b5-p24uYKbwqCRWVik63gL-ZABgcJrqAi7ULJZEP+CK1WEg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-10-24 19:49 ` Nicholas A. Bellinger
[not found] ` <1319485752.17450.57.camel-Y1+j5t8j3WgjMeEPmliV8E/sVC8ogwMJ@public.gmane.org>
2011-10-24 19:58 ` Bart Van Assche
2011-10-24 20:05 ` Nicholas A. Bellinger
[not found] ` <1319486723.17450.59.camel-Y1+j5t8j3WgjMeEPmliV8E/sVC8ogwMJ@public.gmane.org>
2011-10-24 20:11 ` Bart Van Assche
2011-10-24 20:19 ` Nicholas A. Bellinger
2011-10-24 20:16 ` Bart Van Assche
[not found] ` <CAO+b5-rzo478a07CuaYS2itAdV9dK65+GHj2Si4PZFM6qkmL3A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-10-24 20:22 ` Nicholas A. Bellinger
2011-10-24 5:33 ` [PATCH 9/9] ib_srpt: Convert srpt_sq_size " Nicholas A. Bellinger
[not found] ` <1319434422-15354-10-git-send-email-nab-IzHhD5pYlfBP7FQvKIMDCQ@public.gmane.org>
2011-10-24 18:32 ` Bart Van Assche
2011-10-24 18:39 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1319434422-15354-2-git-send-email-nab@linux-iscsi.org \
--to=nab@linux-iscsi.org \
--cc=bvanassche@acm.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=roland@purestorage.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox