lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1363649447.3937.348.camel@deadeye.wl.decadent.org.uk>
Date:	Mon, 18 Mar 2013 23:30:47 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	"Nicholas A. Bellinger" <nab@...ux-iscsi.org>
Cc:	Asias He <asias@...hat.com>, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	target-devel <target-devel@...r.kernel.org>
Subject: Re: [ 04/21] target/pscsi: Fix page increment

On Mon, 2013-03-18 at 14:00 -0700, Nicholas A. Bellinger wrote:
> On Mon, 2013-03-18 at 13:35 +0800, Asias He wrote:
> > On Sat, Mar 16, 2013 at 02:10:22AM +0000, Ben Hutchings wrote:
> > > On Tue, 2013-03-12 at 15:44 -0700, Greg Kroah-Hartman wrote:
> > > > 3.0-stable review patch.  If anyone has any objections, please let me know.
> > > > 
> > > > ------------------
> > > > 
> > > > From: Asias He <asias@...hat.com>
> > > > 
> > > > commit 472b72f2db7831d7dbe22ffdff4adee3bd49b05d upstream.
> > > > 
> > > > The page++ is wrong. It makes bio_add_pc_page() pointing to a wrong page
> > > > address if the 'while (len > 0 && data_len > 0) { ... }' loop is
> > > > executed more than one once.
> > > > 
> > > > Signed-off-by: Asias He <asias@...hat.com>
> > > > Signed-off-by: Nicholas Bellinger <nab@...ux-iscsi.org>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > > > 
> > > > ---
> > > >  drivers/target/target_core_pscsi.c |    1 -
> > > >  1 file changed, 1 deletion(-)
> > > > 
> > > > --- a/drivers/target/target_core_pscsi.c
> > > > +++ b/drivers/target/target_core_pscsi.c
> > > > @@ -1210,7 +1210,6 @@ static int __pscsi_map_task_SG(
> > > >  				bio = NULL;
> > > >  			}
> > > >  
> > > > -			page++;
> > > >  			len -= bytes;
> > > >  			data_len -= bytes;
> > > >  			off = 0;
> > > 
> > > So in case a fragment crosses a page boundary, we wrap around to the
> > > beginning of the same page?  That doesn't look right.
> > 
> > If the fragment crosses a page boundary, what is the correct page
> > for it?
> > 
> > Nicholas, can we assume sg->length + sg->offset should be less than PAGE_SIZE here?
> > 
> 
> sg->length + sg->offset can be less than or equal to PAGE_SIZE here.
>
> For everything other than tcm_loop + tcm_vhost using externally
> allocated SGLs, we can expect fragments to never cross the page
> boundary.
> 
> For tcm_loop + tcm_vhost, there are a few special cases with control CDB
> paylaods (usually going through scsi-generic) where we can have a non
> zero sg->offset, but at least in the cases I've seen this is still not
> using SGL elements that exceed PAGE_SIZE.
>
> So, I think this logic is OK for SGLs that cross page boundries, given
> that it's done outside of the inner loop where *page is set during each
> for_each_sg().

The page is set using sg_page() in the outer loop and was then
incremented in the inner loop.

	for_each_sg(sgl, sg, sgl_nents, i) {
		page = sg_page(sg);
		off = sg->offset;
		len = sg->length;

		while (len > 0 && data_len > 0) {
			bytes = min_t(unsigned int, len, PAGE_SIZE - off);
			bytes = min(bytes, data_len);
			...
			/* page++; */
			len -= bytes;
			data_len -= bytes;
			off = 0;
		}
	}

The inner loop is apparently meant to iterate over pages of a segment,
but is now just wrapping around a single page.

> The case where this logic is broken, and that the 'page
> ++' was addressing is when sg->length > PAGE_SIZE.

That is a sufficient but not a necessary condition for the increment.

Ben.

-- 
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by stupidity.

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ