Commit f70ee5ec authored Mar 21, 2007 by J. Bruce Fields Committed by Herbert Xu Mar 21, 2007

[CRYPTO] api: scatterwalk_copychunks() fails to advance through scatterlist



In the loop in scatterwalk_copychunks(), if walk->offset is zero,
then scatterwalk_pagedone rounds that up to the nearest page boundary:

		walk->offset += PAGE_SIZE - 1;
		walk->offset &= PAGE_MASK;

which is a no-op in this case, so we don't advance to the next element
of the scatterlist array:

		if (walk->offset >= walk->sg->offset + walk->sg->length)
			scatterwalk_start(walk, sg_next(walk->sg));

and we end up copying the same data twice.

It appears that other callers of scatterwalk_{page}done first advance
walk->offset, so I believe that's the correct thing to do here.

This caused a bug in NFS when run with krb5p security, which would
cause some writes to fail with permissions errors--for example, writes
of less than 8 bytes (the des blocksize) at the start of a file.

A git-bisect shows the bug was originally introduced by
5c64097a, first in 2.6.19-rc1.

Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

parent 5851fadc

crypto/scatterwalk.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -91,6 +91,8 @@ void scatterwalk_copychunks(void buf, struct scatter_walk walk,
		memcpy_dir(buf, vaddr, len_this_page, out);
		scatterwalk_unmap(vaddr, out);

		scatterwalk_advance(walk, nbytes);

		if (nbytes == len_this_page)
		break;

		@@ -99,7 +101,5 @@ void scatterwalk_copychunks(void buf, struct scatter_walk walk,

		scatterwalk_pagedone(walk, out, 1);
		}

		scatterwalk_advance(walk, nbytes);
		}
		EXPORT_SYMBOL_GPL(scatterwalk_copychunks);

Admin message