[patch 32/37] CRYPTO: api: scatterwalk_copychunks() fails toadvance through scatterlist

From: Greg KH
Date: Fri Mar 30 2007 - 17:16:51 EST

Next message: Greg KH: "[patch 33/37] libata: clear TF before IDENTIFYing"
Previous message: Andrew Morton: "Re: [patch] remove artificial software max_loop limit"
In reply to: Greg KH: "[patch 29/37] ide: revert "ide: fix drive side 80c cable check,take 2" for now"
Next in thread: Patrick McHardy: "Re: [patch 32/37] CRYPTO: api: scatterwalk_copychunks() fails toadvance through scatterlist"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.

------------------
From: J. Bruce Fields <bfields@xxxxxxxxxxxxxx>

[CRYPTO] api: scatterwalk_copychunks() fails to advance through scatterlist

In the loop in scatterwalk_copychunks(), if walk->offset is zero,
then scatterwalk_pagedone rounds that up to the nearest page boundary:

walk->offset += PAGE_SIZE - 1;
walk->offset &= PAGE_MASK;

which is a no-op in this case, so we don't advance to the next element
of the scatterlist array:

if (walk->offset >= walk->sg->offset + walk->sg->length)
scatterwalk_start(walk, sg_next(walk->sg));

and we end up copying the same data twice.

It appears that other callers of scatterwalk_{page}done first advance
walk->offset, so I believe that's the correct thing to do here.

This caused a bug in NFS when run with krb5p security, which would
cause some writes to fail with permissions errors--for example, writes
of less than 8 bytes (the des blocksize) at the start of a file.

A git-bisect shows the bug was originally introduced by
5c64097aa0f6dc4f27718ef47ca9a12538d62860, first in 2.6.19-rc1.

Cc: Chuck Ebbert <cebbert@xxxxxxxxxx>
Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
crypto/scatterwalk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -91,6 +91,8 @@ void scatterwalk_copychunks(void *buf, s
memcpy_dir(buf, vaddr, len_this_page, out);
scatterwalk_unmap(vaddr, out);

+ scatterwalk_advance(walk, nbytes);
+
if (nbytes == len_this_page)
break;

@@ -99,7 +101,5 @@ void scatterwalk_copychunks(void *buf, s

scatterwalk_pagedone(walk, out, 1);
}
-
- scatterwalk_advance(walk, nbytes);
}
EXPORT_SYMBOL_GPL(scatterwalk_copychunks);

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 33/37] libata: clear TF before IDENTIFYing"
Previous message: Andrew Morton: "Re: [patch] remove artificial software max_loop limit"
In reply to: Greg KH: "[patch 29/37] ide: revert "ide: fix drive side 80c cable check,take 2" for now"
Next in thread: Patrick McHardy: "Re: [patch 32/37] CRYPTO: api: scatterwalk_copychunks() fails toadvance through scatterlist"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]