Commit 332ef331 authored by Stefan Richter's avatar Stefan Richter

firewire: fw-sbp2: add a boundary check

Add rudimentary check for the case that the page table overflows due to
merging of s/g elements by the IOMMU.  This would have lead to
overwriting of arbitrary memory.

After this change I expect that an offending command will be
unsuccessfully retried until the scsi_device is taken offline by SCSI
core.  It's a border case and not worth to implement a recovery
strategy.
Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: default avatarKristian Høgsberg <krh@redhat.com>
parent 9fb2dd12
...@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb) ...@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb)
sg_len = sg_dma_len(sg + i); sg_len = sg_dma_len(sg + i);
sg_addr = sg_dma_address(sg + i); sg_addr = sg_dma_address(sg + i);
while (sg_len) { while (sg_len) {
/* FIXME: This won't get us out of the pinch. */
if (unlikely(j >= ARRAY_SIZE(orb->page_table))) {
fw_error("page table overflow\n");
goto fail_page_table;
}
l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH); l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH);
orb->page_table[j].low = sg_addr; orb->page_table[j].low = sg_addr;
orb->page_table[j].high = (l << 16); orb->page_table[j].high = (l << 16);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment