* [PATCH] lpfc: Read buffer overflow
@ 2009-08-02 8:08 Roel Kluin
2009-08-03 15:02 ` James Smart
0 siblings, 1 reply; 7+ messages in thread
From: Roel Kluin @ 2009-08-02 8:08 UTC (permalink / raw)
To: james.smart, linux-scsi, Andrew Morton
Check whether index is within bounds before testing the element.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
index e0b4992..ade2df6 100644
--- a/drivers/scsi/lpfc/lpfc_vport.c
+++ b/drivers/scsi/lpfc/lpfc_vport.c
@@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba *phba, struct lpfc_vport **vports)
int i;
if (vports == NULL)
return;
- for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
+ for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
scsi_host_put(lpfc_shost_from_vport(vports[i]));
kfree(vports);
}
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-02 8:08 [PATCH] lpfc: Read buffer overflow Roel Kluin
@ 2009-08-03 15:02 ` James Smart
2009-08-03 17:15 ` Joe Eykholt
2009-08-03 23:42 ` Andrew Morton
0 siblings, 2 replies; 7+ messages in thread
From: James Smart @ 2009-08-03 15:02 UTC (permalink / raw)
To: Roel Kluin; +Cc: linux-scsi@vger.kernel.org, Andrew Morton
NACK - the vports array is created such that it is sized for
phba->max_vports + 1.
-- james s
Roel Kluin wrote:
> Check whether index is within bounds before testing the element.
>
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
> index e0b4992..ade2df6 100644
> --- a/drivers/scsi/lpfc/lpfc_vport.c
> +++ b/drivers/scsi/lpfc/lpfc_vport.c
> @@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba *phba, struct lpfc_vport **vports)
> int i;
> if (vports == NULL)
> return;
> - for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
> + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
> scsi_host_put(lpfc_shost_from_vport(vports[i]));
> kfree(vports);
> }
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-03 15:02 ` James Smart
@ 2009-08-03 17:15 ` Joe Eykholt
2009-08-04 13:29 ` James Smart
2009-08-03 23:42 ` Andrew Morton
1 sibling, 1 reply; 7+ messages in thread
From: Joe Eykholt @ 2009-08-03 17:15 UTC (permalink / raw)
To: James Smart; +Cc: Roel Kluin, linux-scsi@vger.kernel.org, Andrew Morton
James Smart wrote:
> NACK - the vports array is created such that it is sized for
> phba->max_vports + 1.
It's not an off-by-one problem, it's a look-before-leaping problem.
Regards,
Joe
>
> -- james s
>
> Roel Kluin wrote:
>> Check whether index is within bounds before testing the element.
>>
>> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
>> ---
>> diff --git a/drivers/scsi/lpfc/lpfc_vport.c
>> b/drivers/scsi/lpfc/lpfc_vport.c
>> index e0b4992..ade2df6 100644
>> --- a/drivers/scsi/lpfc/lpfc_vport.c
>> +++ b/drivers/scsi/lpfc/lpfc_vport.c
>> @@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba
>> *phba, struct lpfc_vport **vports)
>> int i;
>> if (vports == NULL)
>> return;
>> - for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
>> + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
>> scsi_host_put(lpfc_shost_from_vport(vports[i]));
>> kfree(vports);
>> }
>>
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-03 15:02 ` James Smart
2009-08-03 17:15 ` Joe Eykholt
@ 2009-08-03 23:42 ` Andrew Morton
2009-08-04 0:31 ` James Bottomley
1 sibling, 1 reply; 7+ messages in thread
From: Andrew Morton @ 2009-08-03 23:42 UTC (permalink / raw)
To: James Smart; +Cc: roel.kluin, linux-scsi
On Mon, 3 Aug 2009 11:02:37 -0400
James Smart <James.Smart@Emulex.Com> wrote:
> Roel Kluin wrote:
> > Check whether index is within bounds before testing the element.
> >
> > Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> > ---
> > diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
> > index e0b4992..ade2df6 100644
> > --- a/drivers/scsi/lpfc/lpfc_vport.c
> > +++ b/drivers/scsi/lpfc/lpfc_vport.c
> > @@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba *phba, struct lpfc_vport **vports)
> > int i;
> > if (vports == NULL)
> > return;
> > - for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
> > + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
> > scsi_host_put(lpfc_shost_from_vport(vports[i]));
> > kfree(vports);
> > }
>
> NACK - the vports array is created such that it is sized for
> phba->max_vports + 1.
(top-posting repaired so that I can feasibly reply to the email, dammit)
There's no need to allocate the extra slot in the vports array if we're
also retaining its size. I'd suggest that we merge Roel's patch and
then reduce the size of vports[].
What prevents the loop in lpfc_create_vport_work_array() from wandering
off the end of vports[], btw?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-03 23:42 ` Andrew Morton
@ 2009-08-04 0:31 ` James Bottomley
2009-08-04 13:39 ` James Smart
0 siblings, 1 reply; 7+ messages in thread
From: James Bottomley @ 2009-08-04 0:31 UTC (permalink / raw)
To: Andrew Morton; +Cc: James Smart, roel.kluin, linux-scsi
On Mon, 2009-08-03 at 16:42 -0700, Andrew Morton wrote:
> On Mon, 3 Aug 2009 11:02:37 -0400
> James Smart <James.Smart@Emulex.Com> wrote:
>
> > Roel Kluin wrote:
> > > Check whether index is within bounds before testing the element.
> > >
> > > Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> > > ---
> > > diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
> > > index e0b4992..ade2df6 100644
> > > --- a/drivers/scsi/lpfc/lpfc_vport.c
> > > +++ b/drivers/scsi/lpfc/lpfc_vport.c
> > > @@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba *phba, struct lpfc_vport **vports)
> > > int i;
> > > if (vports == NULL)
> > > return;
> > > - for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
> > > + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
> > > scsi_host_put(lpfc_shost_from_vport(vports[i]));
> > > kfree(vports);
> > > }
> >
> > NACK - the vports array is created such that it is sized for
> > phba->max_vports + 1.
>
> (top-posting repaired so that I can feasibly reply to the email, dammit)
>
> There's no need to allocate the extra slot in the vports array if we're
> also retaining its size. I'd suggest that we merge Roel's patch and
> then reduce the size of vports[].
I'd suggest not:
jejb@mulgrave:~/git/linux-2.6/drivers/scsi/lpfc> git grep 'max_vports && vports'|wc -l
17
Assuming this secures agreement as a patch, I don't really want to wade
through another 16 patches for the remaining ones. You definitely can't
reduce the vport array length until they're all fixed.
What I hear is that it's not a problem, but it's a possible
micro-optimisation. Assuming the maintainer agrees, it's far better
just to fix everything at once. However, I'm equally happy to leave it
as is since there's no actual problem given the allocation definition.
> What prevents the loop in lpfc_create_vport_work_array() from wandering
> off the end of vports[], btw?
We refuse to create any vports beyond this number ... the iterator
counts the number of created vports (it's actually a firmware limited
number, I believe).
James
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-03 17:15 ` Joe Eykholt
@ 2009-08-04 13:29 ` James Smart
0 siblings, 0 replies; 7+ messages in thread
From: James Smart @ 2009-08-04 13:29 UTC (permalink / raw)
To: Joe Eykholt; +Cc: Roel Kluin, linux-scsi@vger.kernel.org, Andrew Morton
Ok - it's good practice. But really, it's change for change sake, rather than
fixing any problem.
-- james s
Joe Eykholt wrote:
> James Smart wrote:
>> NACK - the vports array is created such that it is sized for
>> phba->max_vports + 1.
>
> It's not an off-by-one problem, it's a look-before-leaping problem.
>
> Regards,
> Joe
>
>> -- james s
>>
>> Roel Kluin wrote:
>>> Check whether index is within bounds before testing the element.
>>>
>>> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
>>> ---
>>> diff --git a/drivers/scsi/lpfc/lpfc_vport.c
>>> b/drivers/scsi/lpfc/lpfc_vport.c
>>> index e0b4992..ade2df6 100644
>>> --- a/drivers/scsi/lpfc/lpfc_vport.c
>>> +++ b/drivers/scsi/lpfc/lpfc_vport.c
>>> @@ -762,7 +762,7 @@ lpfc_destroy_vport_work_array(struct lpfc_hba
>>> *phba, struct lpfc_vport **vports)
>>> int i;
>>> if (vports == NULL)
>>> return;
>>> - for (i = 0; vports[i] != NULL && i <= phba->max_vports; i++)
>>> + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++)
>>> scsi_host_put(lpfc_shost_from_vport(vports[i]));
>>> kfree(vports);
>>> }
>>>
>>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lpfc: Read buffer overflow
2009-08-04 0:31 ` James Bottomley
@ 2009-08-04 13:39 ` James Smart
0 siblings, 0 replies; 7+ messages in thread
From: James Smart @ 2009-08-04 13:39 UTC (permalink / raw)
To: James Bottomley
Cc: Andrew Morton, roel.kluin@gmail.com, linux-scsi@vger.kernel.org
James Bottomley wrote:
> I'd suggest not:
>
> jejb@mulgrave:~/git/linux-2.6/drivers/scsi/lpfc> git grep 'max_vports && vports'|wc -l
> 17
>
> Assuming this secures agreement as a patch, I don't really want to wade
> through another 16 patches for the remaining ones. You definitely can't
> reduce the vport array length until they're all fixed.
>
> What I hear is that it's not a problem, but it's a possible
> micro-optimisation. Assuming the maintainer agrees, it's far better
> just to fix everything at once. However, I'm equally happy to leave it
> as is since there's no actual problem given the allocation definition.
>
>> What prevents the loop in lpfc_create_vport_work_array() from wandering
>> off the end of vports[], btw?
>
> We refuse to create any vports beyond this number ... the iterator
> counts the number of created vports (it's actually a firmware limited
> number, I believe).
>
> James
Agree. It's a style thing from one of the contributors to the driver. There
is no issue, I don't believe that optimizing 1 less pointer's worth of
allocation is a big deal (good, yes, but...). However, I do recognize it is a
much better coding style.
I'll roll the changes for it into the next driver patch set. (Yes, it is a
firmware limited number).
-- james s
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2009-08-04 14:08 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-02 8:08 [PATCH] lpfc: Read buffer overflow Roel Kluin
2009-08-03 15:02 ` James Smart
2009-08-03 17:15 ` Joe Eykholt
2009-08-04 13:29 ` James Smart
2009-08-03 23:42 ` Andrew Morton
2009-08-04 0:31 ` James Bottomley
2009-08-04 13:39 ` James Smart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox