From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"Akinobu Mita" <akinobu.mita@gmail.com>,
"Christoph Hellwig" <hch@lst.de>
Subject: [PATCH 3.16 24/61] sg: prevent integer overflow when converting from sectors to bytes
Date: Tue, 09 Jun 2020 19:04:15 +0100 [thread overview]
Message-ID: <lsq.1591725832.224367208@decadent.org.uk> (raw)
In-Reply-To: <lsq.1591725831.850867383@decadent.org.uk>
3.16.85-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Akinobu Mita <akinobu.mita@gmail.com>
commit 46f69e6a6bbbf3858617c8729e31895846c15a79 upstream.
This prevents integer overflow when converting the request queue's
max_sectors from sectors to bytes. However, this is a preparation for
extending the data type of max_sectors in struct Scsi_Host and
scsi_host_template. So, it is impossible to happen this integer
overflow for now, because SCSI low-level drivers can not specify
max_sectors greater than 0xffff due to the data type limitation.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/sg.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -865,6 +865,15 @@ static int srp_done(Sg_fd *sfp, Sg_reque
return ret;
}
+static int max_sectors_bytes(struct request_queue *q)
+{
+ unsigned int max_sectors = queue_max_sectors(q);
+
+ max_sectors = min_t(unsigned int, max_sectors, INT_MAX >> 9);
+
+ return max_sectors << 9;
+}
+
static long
sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
{
@@ -1004,7 +1013,7 @@ sg_ioctl(struct file *filp, unsigned int
if (val < 0)
return -EINVAL;
val = min_t(int, val,
- queue_max_sectors(sdp->device->request_queue) * 512);
+ max_sectors_bytes(sdp->device->request_queue));
if (val != sfp->reserve.bufflen) {
if (sg_res_in_use(sfp) || sfp->mmap_called)
return -EBUSY;
@@ -1014,7 +1023,7 @@ sg_ioctl(struct file *filp, unsigned int
return 0;
case SG_GET_RESERVED_SIZE:
val = min_t(int, sfp->reserve.bufflen,
- queue_max_sectors(sdp->device->request_queue) * 512);
+ max_sectors_bytes(sdp->device->request_queue));
return put_user(val, ip);
case SG_SET_COMMAND_Q:
result = get_user(val, ip);
@@ -1154,7 +1163,7 @@ sg_ioctl(struct file *filp, unsigned int
return -ENODEV;
return scsi_ioctl(sdp->device, cmd_in, p);
case BLKSECTGET:
- return put_user(queue_max_sectors(sdp->device->request_queue) * 512,
+ return put_user(max_sectors_bytes(sdp->device->request_queue),
ip);
case BLKTRACESETUP:
return blk_trace_setup(sdp->device->request_queue,
@@ -2170,7 +2179,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
sg_big_buff = def_reserved_size;
bufflen = min_t(int, sg_big_buff,
- queue_max_sectors(sdp->device->request_queue) * 512);
+ max_sectors_bytes(sdp->device->request_queue));
sg_build_reserve(sfp, bufflen);
SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n",
sfp->reserve.bufflen, sfp->reserve.k_use_sg));
next prev parent reply other threads:[~2020-06-09 18:10 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 18:03 [PATCH 3.16 00/61] 3.16.85-rc1 review Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 01/61] slcan: Fix memory leak in error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 02/61] can: slcan: Fix use-after-free Read in slcan_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 03/61] slcan: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 04/61] slip: Fix memory leak in slip_open error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 05/61] slip: Fix use-after-free Read in slip_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 06/61] slip: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 07/61] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 08/61] net-sysfs: fix netdev_queue_add_kobject() breakage Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 09/61] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 10/61] net-sysfs: Call dev_hold always in rx_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 11/61] selinux: cleanup error reporting in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 12/61] selinux: convert WARN_ONCE() to printk() " Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 13/61] selinux: Print 'sclass' as string when unrecognized netlink message occurs Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 14/61] selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 15/61] selinux: properly handle multiple messages in selinux_netlink_send() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 16/61] drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 17/61] drivers: usb: core: Minimize irq disabling in usb_sg_cancel() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 18/61] USB: core: Fix free-while-in-use bug in the USB S-Glibrary Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 19/61] scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 20/61] scsi: mptfusion: Fix double fetch bug in ioctl Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 21/61] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 22/61] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 23/61] sg: O_EXCL and other lock handling Ben Hutchings
2020-06-09 18:04 ` Ben Hutchings [this message]
2020-06-09 18:04 ` [PATCH 3.16 25/61] scsi: sg: Change next_cmd_len handling to mirror upstream Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 26/61] scsi: sg: protect accesses to 'reserved' page array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 27/61] scsi: sg: reset 'res_in_use' after unlinking reserved array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 28/61] scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 29/61] scsi: sg: recheck MMAP_IO request length with lock held Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 30/61] scsi: sg: remove 'save_scat_len' Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 31/61] scsi: sg: use standard lists for sg_requests Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 32/61] scsi: sg: off by one in sg_ioctl() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 33/61] scsi: sg: factor out sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 34/61] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 35/61] scsi: sg: Re-fix off by one in sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 36/61] scsi: sg: disable SET_FORCE_LOW_DMA Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 37/61] scsi: sg: check for valid direction before starting the request Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 38/61] scsi: sg: close race condition in sg_remove_sfp_usercontext() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 39/61] scsi: sg: fix SG_DXFER_FROM_DEV transfers Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 40/61] scsi: sg: fix static checker warning in sg_is_valid_dxfer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 41/61] scsi: sg: only check for dxfer_len greater than 256M Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 42/61] scsi: sg: don't return bogus Sg_requests Ben Hutchings
2020-06-09 18:28 ` Tony Battersby
2020-06-09 19:03 ` Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 43/61] scsi: sg: fix minor memory leak in error path Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 44/61] scsi: sg: add sg_remove_request in sg_common_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 45/61] scsi: sg: add sg_remove_request in sg_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 46/61] signal: Extend exec_id to 64bits Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 47/61] USB: gadget: fix illegal array access in binding with UDC Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 48/61] ext4: Make checks for metadata_csum feature safer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 49/61] ext4: protect journal inode's blocks using block_validity Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 50/61] ext4: unsigned int compared against zero Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 51/61] ext4: fix block validity checks for journal inodes using indirect blocks Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 52/61] ext4: don't perform block validity checks on the journal inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 53/61] ext4: add cond_resched() to ext4_protect_reserved_inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 54/61] x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 55/61] x86/cpu: Add a steppings field to struct x86_cpu_id Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 56/61] x86/cpu: Add 'table' argument to cpu_matches() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 57/61] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 58/61] x86/speculation: Add SRBDS vulnerability and mitigation documentation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 59/61] x86/speculation: Add Ivy Bridge to affected list Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 60/61] random: always use batched entropy for get_random_u{32,64} Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 61/61] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() Ben Hutchings
2020-06-10 19:08 ` [PATCH 3.16 00/61] 3.16.85-rc1 review Guenter Roeck
2020-06-10 21:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1591725832.224367208@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akinobu.mita@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=hch@lst.de \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).