From 332ef3310bc37ff29fd4382d6dfb38a787078091 Mon Sep 17 00:00:00 2001
From: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date: Sun, 1 Jul 2007 13:56:03 +0200
Subject: [PATCH] firewire: fw-sbp2: add a boundary check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add rudimentary check for the case that the page table overflows due to
merging of s/g elements by the IOMMU.  This would have lead to
overwriting of arbitrary memory.

After this change I expect that an offending command will be
unsuccessfully retried until the scsi_device is taken offline by SCSI
core.  It's a border case and not worth to implement a recovery
strategy.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Kristian Høgsberg <krh@redhat.com>
---
 drivers/firewire/fw-sbp2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c
index 212674d723e3..c7518ea4c8ee 100644
--- a/drivers/firewire/fw-sbp2.c
+++ b/drivers/firewire/fw-sbp2.c
@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb)
 		sg_len = sg_dma_len(sg + i);
 		sg_addr = sg_dma_address(sg + i);
 		while (sg_len) {
+			/* FIXME: This won't get us out of the pinch. */
+			if (unlikely(j >= ARRAY_SIZE(orb->page_table))) {
+				fw_error("page table overflow\n");
+				goto fail_page_table;
+			}
 			l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH);
 			orb->page_table[j].low = sg_addr;
 			orb->page_table[j].high = (l << 16);
-- 
GitLab