staging: lustre: ko2iblnd: fix memory corruption with fragments

In my test of the upstream client this change exposed a long
standing issues where we have a offset that is not page algined
would causes us to access memory beyond the scatter gather list
which was causing memory corruption when all 256 fragments were
in use.

Signed-off-by: James Simmons <jsimmons@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c
index 6c59f2ff222040df485ce7c33de5fd5c97d451c3..4bb32f1b953876fa09befa5abb41b31a1fb05d93 100644 (file)
--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c
+++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c
@@ -2011,8 +2011,8 @@ static void kiblnd_destroy_tx_pool(kib_pool_t *pool)
                                    sizeof(*tx->tx_pages));
                if (tx->tx_frags)
                        LIBCFS_FREE(tx->tx_frags,
-                                   IBLND_MAX_RDMA_FRAGS *
-                                           sizeof(*tx->tx_frags));
+                                   (1 + IBLND_MAX_RDMA_FRAGS) *
+                                    sizeof(*tx->tx_frags));
                if (tx->tx_wrq)
                        LIBCFS_FREE(tx->tx_wrq,
                                    (1 + IBLND_MAX_RDMA_FRAGS) *
@@ -2090,11 +2090,12 @@ static int kiblnd_create_tx_pool(kib_poolset_t *ps, int size,
                }
 
                LIBCFS_CPT_ALLOC(tx->tx_frags, lnet_cpt_table(), ps->ps_cpt,
-                                IBLND_MAX_RDMA_FRAGS * sizeof(*tx->tx_frags));
+                                (1 + IBLND_MAX_RDMA_FRAGS) *
+                                sizeof(*tx->tx_frags));
                if (!tx->tx_frags)
                        break;
 
-               sg_init_table(tx->tx_frags, IBLND_MAX_RDMA_FRAGS);
+               sg_init_table(tx->tx_frags, IBLND_MAX_RDMA_FRAGS + 1);
 
                LIBCFS_CPT_ALLOC(tx->tx_wrq, lnet_cpt_table(), ps->ps_cpt,
                                 (1 + IBLND_MAX_RDMA_FRAGS) *

diff --git a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
index bbfee53cfcf50296e52a7849b4f0964145db1b13..0f7e3a12b72b18d5d7bae7cd18ecf41a51dfe8ab 100644 (file)
--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
+++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
@@ -689,6 +689,10 @@ kiblnd_setup_rd_iov(lnet_ni_t *ni, kib_tx_t *tx, kib_rdma_desc_t *rd,
 
                sg_set_page(sg, page, fragnob, page_offset);
                sg = sg_next(sg);
+               if (!sg) {
+                       CERROR("lacking enough sg entries to map tx\n");
+                       return -EFAULT;
+               }
 
                if (offset + fragnob < iov->iov_len) {
                        offset += fragnob;
@@ -733,6 +737,10 @@ kiblnd_setup_rd_kiov(lnet_ni_t *ni, kib_tx_t *tx, kib_rdma_desc_t *rd,
                sg_set_page(sg, kiov->kiov_page, fragnob,
                            kiov->kiov_offset + offset);
                sg = sg_next(sg);
+               if (!sg) {
+                       CERROR("lacking enough sg entries to map tx\n");
+                       return -EFAULT;
+               }
 
                offset = 0;
                kiov++;