Subject: [PATCH] rsxx: fix discard with length smaller than hw blksize

When the discard length is not a multiple of RSXX_HW_BLK_SIZE, the
discard code will get into an infinite loop, even discarding data it is
not supposed to. This will also hang the system.

This can be reproduced by doing an ioctl BLKDISCARD to /dev/rsxx0 with
range from 0 to 1024.

Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
Cc: [email protected]
---
drivers/block/rsxx/dma.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/block/rsxx/dma.c b/drivers/block/rsxx/dma.c
index cf8cd29..d105a4a 100644
--- a/drivers/block/rsxx/dma.c
+++ b/drivers/block/rsxx/dma.c
@@ -708,7 +708,9 @@ int rsxx_dma_queue_bio(struct rsxx_cardinfo *card,
if (bio->bi_rw & REQ_DISCARD) {
bv_len = bio->bi_iter.bi_size;

- while (bv_len > 0) {
+ if (bv_len < RSXX_HW_BLK_SIZE)
+ bio_endio(bio, 0);
+ while (bv_len >= RSXX_HW_BLK_SIZE) {
tgt = rsxx_get_dma_tgt(card, addr8);
laddr = rsxx_addr8_to_laddr(addr8, card);

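Review bot: The new `if (bv_len < RSXX_HW_BLK_SIZE)` branch calls `bio_endio(bio, 0)` and then falls through, with no return or jump, so the rest of rsxx_dma_queue_bio() runs against a bio that has already been completed. The `while (bv_len >= RSXX_HW_BLK_SIZE)` loop is skipped in that case, but anything after the loop that touches or completes the bio would then act on it a second time, so the short-discard case should exit explicitly right after the completion. Two further points on the same lines: the commit message describes lengths that are "not a multiple of RSXX_HW_BLK_SIZE", while the check only covers lengths below one block, so for a larger unaligned length the loop now stops with a remainder that is silently left undiscarded, and that deserves a comment saying it is intentional. Completing with status 0 also reports success for a request on which nothing was discarded, so a short comment should state that ignoring a sub-block discard is the intended behaviour.
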
--
1.7.1


2014-06-30 21:06:20

by Jens Axboe

Subject: Re: [PATCH] rsxx: fix discard with length smaller than hw blksize

On 2014-06-30 11:31, Thadeu Lima de Souza Cascardo wrote:
> When the discard length is not a multiple of RSXX_HW_BLK_SIZE, the
> discard code will get into an infinite loop, even discarding data it is
> not supposed to. This will also hang the system.
>
> This can be reproduced by doing an ioctl BLKDISCARD to /dev/rsxx0 with
> range from 0 to 1024.

That is a bug that should be fixed in the discard code, not worked
around in the driver.


--
Jens Axboe