* [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
@ 2017-07-12 7:51 lixiubo
2017-07-12 17:36 ` Mike Christie
2017-07-30 22:13 ` Nicholas A. Bellinger
0 siblings, 2 replies; 3+ messages in thread
From: lixiubo @ 2017-07-12 7:51 UTC (permalink / raw)
To: nab, mchristi; +Cc: bryantly, linux-scsi, target-devel, Xiubo Li
From: Xiubo Li <lixiubo@cmss.chinamobile.com>
For most case the sg->length equals to PAGE_SIZE, so this bug won't
be triggered. Otherwise this will crash the kernel, for example when
all segments' sg->length equal to 1K.
Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
---
drivers/target/target_core_user.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 8bf0823..9030c2a 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -590,8 +590,6 @@ static int scatter_data_area(struct tcmu_dev *udev,
block_remaining);
to_offset = get_block_offset_user(udev, dbi,
block_remaining);
- offset = DATA_BLOCK_SIZE - block_remaining;
- to += offset;
if (*iov_cnt != 0 &&
to_offset == iov_tail(*iov)) {
@@ -602,8 +600,10 @@ static int scatter_data_area(struct tcmu_dev *udev,
(*iov)->iov_len = copy_bytes;
}
if (copy_data) {
- memcpy(to, from + sg->length - sg_remaining,
- copy_bytes);
+ offset = DATA_BLOCK_SIZE - block_remaining;
+ memcpy(to + offset,
+ from + sg->length - sg_remaining,
+ copy_bytes);
tcmu_flush_dcache_range(to, copy_bytes);
}
sg_remaining -= copy_bytes;
@@ -664,9 +664,8 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
copy_bytes = min_t(size_t, sg_remaining,
block_remaining);
offset = DATA_BLOCK_SIZE - block_remaining;
- from += offset;
tcmu_flush_dcache_range(from, copy_bytes);
- memcpy(to + sg->length - sg_remaining, from,
+ memcpy(to + sg->length - sg_remaining, from + offset,
copy_bytes);
sg_remaining -= copy_bytes;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
2017-07-12 7:51 [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy lixiubo
@ 2017-07-12 17:36 ` Mike Christie
2017-07-30 22:13 ` Nicholas A. Bellinger
1 sibling, 0 replies; 3+ messages in thread
From: Mike Christie @ 2017-07-12 17:36 UTC (permalink / raw)
To: lixiubo, nab; +Cc: bryantly, linux-scsi, target-devel
On 07/12/2017 02:51 AM, lixiubo@cmss.chinamobile.com wrote:
> From: Xiubo Li <lixiubo@cmss.chinamobile.com>
>
> For most case the sg->length equals to PAGE_SIZE, so this bug won't
> be triggered. Otherwise this will crash the kernel, for example when
> all segments' sg->length equal to 1K.
>
> Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
> ---
> drivers/target/target_core_user.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 8bf0823..9030c2a 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -590,8 +590,6 @@ static int scatter_data_area(struct tcmu_dev *udev,
> block_remaining);
> to_offset = get_block_offset_user(udev, dbi,
> block_remaining);
> - offset = DATA_BLOCK_SIZE - block_remaining;
> - to += offset;
>
> if (*iov_cnt != 0 &&
> to_offset == iov_tail(*iov)) {
> @@ -602,8 +600,10 @@ static int scatter_data_area(struct tcmu_dev *udev,
> (*iov)->iov_len = copy_bytes;
> }
> if (copy_data) {
> - memcpy(to, from + sg->length - sg_remaining,
> - copy_bytes);
> + offset = DATA_BLOCK_SIZE - block_remaining;
> + memcpy(to + offset,
> + from + sg->length - sg_remaining,
> + copy_bytes);
> tcmu_flush_dcache_range(to, copy_bytes);
> }
> sg_remaining -= copy_bytes;
> @@ -664,9 +664,8 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
> copy_bytes = min_t(size_t, sg_remaining,
> block_remaining);
> offset = DATA_BLOCK_SIZE - block_remaining;
> - from += offset;
> tcmu_flush_dcache_range(from, copy_bytes);
> - memcpy(to + sg->length - sg_remaining, from,
> + memcpy(to + sg->length - sg_remaining, from + offset,
> copy_bytes);
>
> sg_remaining -= copy_bytes;
>
Nice.
Reviewed-by: Mike Christie <mchristi@redhat.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
2017-07-12 7:51 [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy lixiubo
2017-07-12 17:36 ` Mike Christie
@ 2017-07-30 22:13 ` Nicholas A. Bellinger
1 sibling, 0 replies; 3+ messages in thread
From: Nicholas A. Bellinger @ 2017-07-30 22:13 UTC (permalink / raw)
To: lixiubo; +Cc: mchristi, bryantly, linux-scsi, target-devel
On Wed, 2017-07-12 at 15:51 +0800, lixiubo@cmss.chinamobile.com wrote:
> From: Xiubo Li <lixiubo@cmss.chinamobile.com>
>
> For most case the sg->length equals to PAGE_SIZE, so this bug won't
> be triggered. Otherwise this will crash the kernel, for example when
> all segments' sg->length equal to 1K.
>
> Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
> ---
> drivers/target/target_core_user.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
Applied to target-pending/master.
Thankx Xiubo + MNC.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-07-30 22:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-12 7:51 [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy lixiubo
2017-07-12 17:36 ` Mike Christie
2017-07-30 22:13 ` Nicholas A. Bellinger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).