From 4c3864cf97711d73b12905fea720570cf814d179 Mon Sep 17 00:00:00 2001
From: Patrick Farrell <pfarrell@whamcloud.com>
Date: Tue, 30 Jul 2019 14:10:32 -0400
Subject: [PATCH] LU-12600 tgt: shortio size should be unsigned

The short_io_size value is accepting unsigned values from
req_capsule_get_size, and so needs to be unsigned as well.

If it's not, it's possible for the short_io_size memcopy to
act on an incorrect value and cause memory corruption.

Reported-by: Alibaba Cloud <yunye.ry@alibaba-inc.com>
Signed-off-by: Patrick Farrell <pfarrell@whamcloud.com>
Change-Id: I043e314cd43a7b40519f951a605fa5a36ff91dcf
Reviewed-on: https://review.whamcloud.com/35653
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---
 lustre/target/tgt_handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lustre/target/tgt_handler.c b/lustre/target/tgt_handler.c
index 2165de9..027b05d 100644
--- a/lustre/target/tgt_handler.c
+++ b/lustre/target/tgt_handler.c
@@ -2388,7 +2388,7 @@ out_lock:
 EXPORT_SYMBOL(tgt_brw_read);
 
 static int tgt_shortio2pages(struct niobuf_local *local, int npages,
-			     unsigned char *buf, int size)
+			     unsigned char *buf, unsigned int size)
 {
 	int	i, off, len;
 	char	*ptr;
@@ -2586,7 +2586,7 @@ int tgt_brw_write(struct tgt_session_info *tsi)
 	if (rc < 0)
 		GOTO(out_lock, rc);
 	if (body->oa.o_flags & OBD_FL_SHORT_IO) {
-		int short_io_size;
+		unsigned int short_io_size;
 		unsigned char *short_io_buf;
 
 		short_io_size = req_capsule_get_size(&req->rq_pill,
-- 
1.8.3.1