From patchwork Wed Dec 5 22:31:57 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3.5.y.z, extended, stable] Patch "target: Avoid integer overflow in se_dev_align_max_sectors()" has been added to staging queue Date: Wed, 05 Dec 2012 12:31:57 -0000 From: Herton Ronaldo Krzesinski X-Patchwork-Id: 204022 Message-Id: <1354746717-22705-1-git-send-email-herton.krzesinski@canonical.com> To: Roland Dreier Cc: kernel-team@lists.ubuntu.com, Nicholas Bellinger This is a note to let you know that I have just added a patch titled target: Avoid integer overflow in se_dev_align_max_sectors() to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ >From 1f66d2d5d4094baeafa28a1b729ab7c5a1e63030 Mon Sep 17 00:00:00 2001 From: Roland Dreier Date: Wed, 31 Oct 2012 09:16:45 -0700 Subject: [PATCH] target: Avoid integer overflow in se_dev_align_max_sectors() X-Extended-Stable: 3.5 commit 3e03989b5868acf69a391a424dc71fcd6cc48167 upstream. The expression (max_sectors * block_size) might overflow a u32 (indeed, since iblock sets max_hw_sectors to UINT_MAX, it is guaranteed to overflow and end up with a much-too-small result in many common cases). Fix this by doing an equivalent calculation that doesn't require multiplication. While we're touching this code, avoid splitting a printk format across two lines and use pr_info(...) instead of printk(KERN_INFO ...). Signed-off-by: Roland Dreier Signed-off-by: Nicholas Bellinger [ herton: unfuzz patch ] Signed-off-by: Herton Ronaldo Krzesinski --- drivers/target/target_core_device.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) -- 1.7.9.5 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c index 5ad9728..8542099 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c @@ -824,20 +824,20 @@ int se_dev_check_shutdown(struct se_device *dev) u32 se_dev_align_max_sectors(u32 max_sectors, u32 block_size) { - u32 tmp, aligned_max_sectors; + u32 aligned_max_sectors; + u32 alignment; /* * Limit max_sectors to a PAGE_SIZE aligned value for modern * transport_allocate_data_tasks() operation. */ - tmp = rounddown((max_sectors * block_size), PAGE_SIZE); - aligned_max_sectors = (tmp / block_size); - if (max_sectors != aligned_max_sectors) { - printk(KERN_INFO "Rounding down aligned max_sectors from %u" - " to %u\n", max_sectors, aligned_max_sectors); - return aligned_max_sectors; - } + alignment = max(1ul, PAGE_SIZE / block_size); + aligned_max_sectors = rounddown(max_sectors, alignment); + + if (max_sectors != aligned_max_sectors) + pr_info("Rounding down aligned max_sectors from %u to %u\n", + max_sectors, aligned_max_sectors); - return max_sectors; + return aligned_max_sectors; } void se_dev_set_default_attribs(