Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit bbf344e54ed9a76e344d08feedc70ab2c5a8a64c

Authored by Hannes Reinecke
Committed by Nicholas Bellinger
1 parent 1b7f390eb3
Exists in smarc-l5.0.0_1.0.0-ga and in 5 other branches imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga

target_core_rd: break out unterminated loop during copy 

The loop in rd_execute_rw() will never terminate if the
sg element has a zero size. Or it'll spill over into
outer space if the sg element is larger than the available
space.
So we need to add some safety catches here.

Cc: Nic Bellinger <nab@risingtidesystems.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

Showing 1 changed file with 12 additions and 0 deletions Side-by-side Diff

drivers/target/target_core_rd.c
Diff comments   View file @ bbf344e
... ... @@ -316,7 +316,19 @@
316 316 void *rd_addr;
317 317  
318 318 sg_miter_next(&m);
  319 + if (!(u32)m.length) {
  320 + pr_debug("RD[%u]: invalid sgl %p len %zu\n",
  321 + dev->rd_dev_id, m.addr, m.length);
  322 + sg_miter_stop(&m);
  323 + return TCM_INCORRECT_AMOUNT_OF_DATA;
  324 + }
319 325 len = min((u32)m.length, src_len);
  326 + if (len > rd_size) {
  327 + pr_debug("RD[%u]: size underrun page %d offset %d "
  328 + "size %d\n", dev->rd_dev_id,
  329 + rd_page, rd_offset, rd_size);
  330 + len = rd_size;
  331 + }
320 332 m.consumed = len;
321 333  
322 334 rd_addr = sg_virt(rd_sg) + rd_offset;