Message ID | 5B63D5F6.6080109@huawei.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Series | [V9fs-developer] net/9p: Modify the problem of BUG_ON judgment |
jiangyiwen wrote on Fri, Aug 03, 2018:
> Because the value of limit is VIRTQUEUE_NUM, if index is equal to
> limit, it will cause sg array out of bounds, so correct the judgement
> of BUG_ON.
>
> Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>

I'm not sure you've acted on his mail or if you found this independently, but this was reported by Dan Carpenter on the list in June.
Would you mind if I add a tag for him?
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

That aside this looks good, I'll take it.

> --- > net/9p/trans_virtio.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c > index 6265d1d..08264ba 100644 > --- a/net/9p/trans_virtio.c > +++ b/net/9p/trans_virtio.c > @@ -191,7 +191,7 @@ static int pack_sg_list(struct scatterlist *sg, int start, > s = rest_of_page(data); > if (s > count) > s = count; > - BUG_ON(index > limit); > + BUG_ON(index >= limit); > /* Make sure we don't terminate early. */ > sg_unmark_end(&sg[index]); > sg_set_buf(&sg[index++], data, s); > @@ -236,6 +236,7 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req) > s = PAGE_SIZE - data_off; > if (s > count) > s = count; > + BUG_ON(index >= limit); > /* Make sure we don't terminate early. */ > sg_unmark_end(&sg[index]); > sg_set_page(&sg[index++], pdata[i++], s, data_off);
On 2018/8/3 12:23, Dominique Martinet wrote:
> jiangyiwen wrote on Fri, Aug 03, 2018:
>> Because the value of limit is VIRTQUEUE_NUM, if index is equal to
>> limit, it will cause sg array out of bounds, so correct the judgement
>> of BUG_ON.
>>
>> Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
>
> I'm not sure you've acted on his mail or if you found this
> independently, but this was reported by Dan Carpenter on the list in
> June.
> Would you mind if I add a tag for him?
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> That aside this looks good, I'll take it.
>

Sorry, I didn't see it before, I tested this problem a few days ago. It is true that this problem was discovered first by him. Thank you for adding him.

>> --- >> net/9p/trans_virtio.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c >> index 6265d1d..08264ba 100644 >> --- a/net/9p/trans_virtio.c >> +++ b/net/9p/trans_virtio.c >> @@ -191,7 +191,7 @@ static int pack_sg_list(struct scatterlist *sg, int start, >> s = rest_of_page(data); >> if (s > count) >> s = count; >> - BUG_ON(index > limit); >> + BUG_ON(index >= limit); >> /* Make sure we don't terminate early. */ >> sg_unmark_end(&sg[index]); >> sg_set_buf(&sg[index++], data, s); >> @@ -236,6 +236,7 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req) >> s = PAGE_SIZE - data_off; >> if (s > count) >> s = count; >> + BUG_ON(index >= limit); >> /* Make sure we don't terminate early. */ >> sg_unmark_end(&sg[index]); >> sg_set_page(&sg[index++], pdata[i++], s, data_off); >
LGTM

On 2018/8/3 12:11, jiangyiwen wrote:
> Because the value of limit is VIRTQUEUE_NUM, if index is equal to
> limit, it will cause sg array out of bounds, so correct the judgement
> of BUG_ON.
>
> Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>

Acked-by: Jun Piao <piaojun@huawei.com>

> --- > net/9p/trans_virtio.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c > index 6265d1d..08264ba 100644 > --- a/net/9p/trans_virtio.c > +++ b/net/9p/trans_virtio.c > @@ -191,7 +191,7 @@ static int pack_sg_list(struct scatterlist *sg, int start, > s = rest_of_page(data); > if (s > count) > s = count; > - BUG_ON(index > limit); > + BUG_ON(index >= limit); > /* Make sure we don't terminate early. */ > sg_unmark_end(&sg[index]); > sg_set_buf(&sg[index++], data, s); > @@ -236,6 +236,7 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req) > s = PAGE_SIZE - data_off; > if (s > count) > s = count; > + BUG_ON(index >= limit); > /* Make sure we don't terminate early. */ > sg_unmark_end(&sg[index]); > sg_set_page(&sg[index++], pdata[i++], s, data_off); >
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 6265d1d..08264ba 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -191,7 +191,7 @@ static int pack_sg_list(struct scatterlist *sg, int start, s = rest_of_page(data); if (s > count) s = count; - BUG_ON(index > limit); + BUG_ON(index >= limit); /* Make sure we don't terminate early. */ sg_unmark_end(&sg[index]); sg_set_buf(&sg[index++], data, s); @@ -236,6 +236,7 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req) s = PAGE_SIZE - data_off; if (s > count) s = count; + BUG_ON(index >= limit); /* Make sure we don't terminate early. */ sg_unmark_end(&sg[index]); sg_set_page(&sg[index++], pdata[i++], s, data_off);
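Review bot: in the first hunk the corrected `BUG_ON(index >= limit)` still halts the kernel on a condition that is detected before `sg[index]` is touched, so nothing has been written out of bounds at that point. Since pack_sg_list returns int, consider stopping the loop or returning an error there instead (with a WARN_ON_ONCE if a trace is wanted), provided the callers can cope with a short list. A one-line comment saying that limit is an exclusive bound (the entry count, per the commit message VIRTQUEUE_NUM, not the last valid index) would help keep the comparison from drifting back to `>`.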
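Review bot: the second hunk introduces a brand-new `BUG_ON(index >= limit)` ahead of the `sg_set_page(&sg[index++], ...)` write, but the commit message only describes correcting the existing check. Please say in the changelog that a second, previously unchecked site gains the same bound check, and confirm that limit at this site carries the same meaning (number of sg entries) as in the first hunk, so that `>=` is the right comparison here too.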
Because the value of limit is VIRTQUEUE_NUM, if index is equal to limit, it will cause sg array out of bounds, so correct the judgement of BUG_ON.

Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
---
 net/9p/trans_virtio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)