From: Bart Van Assche <Bart.VanAssche@sandisk.com>
To: "hch@lst.de" <hch@lst.de>
Cc: "ddiss@suse.de" <ddiss@suse.de>, "hare@suse.com" <hare@suse.com>,
	"target-devel@vger.kernel.org" <target-devel@vger.kernel.org>,
	"agrover@redhat.com" <agrover@redhat.com>,
	"nab@linux-iscsi.org" <nab@linux-iscsi.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH 05/19] target: Allocate sg-list correctly
Date: Fri, 5 May 2017 15:49:24 +0000
Message-ID: <1493999363.2744.3.camel@sandisk.com>
In-Reply-To: <20170505090653.GA5248@lst.de>

On Fri, 2017-05-05 at 11:06 +0200, Christoph Hellwig wrote:
> On Thu, May 04, 2017 at 03:50:48PM -0700, Bart Van Assche wrote:
> > Avoid that the iSCSI target driver complains about "Initial page entry
> > out-of-bounds" and closes the connection if the SCSI Data-Out buffer
> > is larger than the buffer size specified through the CDB. This patch
> > prevents that running the libiscsi regression tests against LIO triggers
> > an infinite loop of libiscsi submitting a command, LIO closing the
> > connection and libiscsi resubmitting the same command.
> 
> Can you add a bit more of an explanation of why this happens?  I've
> just tried to verify the area, but at least while sitting in a conference
> talk I can't quite make sense of the changes.

Hello Christoph,

The aspects of SCSI command processing that are relevant in this context are:
* When the iSCSI target driver receives a SCSI command it calls
  transport_init_se_cmd() to initialize struct se_cmd. The iSCSI target driver
  passes the number of bytes that will be transferred into the "data_length"
  argument of transport_init_se_cmd(). That function stores the data length in
  the .data_length member of struct se_cmd. The value passed by target drivers
  to transport_init_se_cmd() is what is called the Expected Data Transfer
  Length (EDTL) in the iSCSI RFC.
* After CDB parsing has finished target_cmd_size_check() is called. If EDTL
  exceeds the data buffer size extracted from the SCSI CDB (CDBL) then
  .data_length is reduced to CDBL.
* Next target_alloc_sgl() allocates an sg-list for .data_length bytes (CDBL).
* iscsit_allocate_iovecs() allocates a struct kvec (.iov_data) also for
  .data_length bytes (CDBL).
* iscsit_get_dataout() calls rx_data() and tries to store EDTL bytes in the
  allocated struct kvec. If EDTL > CDBL then .iov_data overflows and this
  usually triggers a crash. With the patch that prevents .iov_data overflows
  the initiator is disconnected. In the case of libiscsi, it keeps retrying
  forever to resubmit SCSI commands for which EDTL > CDBL.

In other words, initially EDTL is stored into .data_length and later on the
value of .data_length changes to CDBL. My proposal to avoid the buffer
overflows is to store both EDTL and CDBL in struct se_cmd and to allocate an
sg-list per command that can store EDTL bytes instead of CDBL bytes.

Bart.
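
The EDTL/CDBL bookkeeping described in the message above, as a constructed C model added here (it is not code from the kernel or from this thread); struct cmd_model, old_alloc_len(), new_alloc_len(), model_rx_data() and run_dataout() are hypothetical stand-ins for struct se_cmd, target_cmd_size_check(), target_alloc_sgl()/iscsit_allocate_iovecs() and rx_data(), and the overrun is refused rather than performed:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not the kernel's struct se_cmd: EDTL comes from the
 * iSCSI PDU, CDBL from CDB parsing, alloc_len is what the buffer holds. */
struct cmd_model {
	uint32_t edtl, cdbl, alloc_len;
	unsigned char *buf;
};

/* Old: .data_length is clamped to CDBL and the sg-list/iov sized from it. */
static uint32_t old_alloc_len(uint32_t edtl, uint32_t cdbl)
{
	return edtl > cdbl ? cdbl : edtl;
}

/* Proposed: keep both values and size the receive buffer for EDTL. */
static uint32_t new_alloc_len(uint32_t edtl, uint32_t cdbl)
{
	(void)cdbl;
	return edtl;
}

/* Stand-in for rx_data(): the initiator delivers EDTL bytes of Data-Out.
 * Returns -1 where the real code would overrun .iov_data, 0 otherwise. */
static int model_rx_data(struct cmd_model *cmd, const unsigned char *p, size_t n)
{
	if (n > cmd->alloc_len)
		return -1;
	memcpy(cmd->buf, p, n);
	return 0;
}

/* Run one WRITE-style command through the model with the given sizing rule. */
static int run_dataout(uint32_t edtl, uint32_t cdbl,
		       uint32_t (*size)(uint32_t, uint32_t))
{
	struct cmd_model cmd = { .edtl = edtl, .cdbl = cdbl };
	unsigned char *pdu = malloc(edtl ? edtl : 1);
	int rc;
	cmd.alloc_len = size(edtl, cdbl);
	cmd.buf = calloc(cmd.alloc_len ? cmd.alloc_len : 1, 1);
	memset(pdu, 0xAB, edtl);	/* constructed Data-Out payload */
	rc = model_rx_data(&cmd, pdu, edtl);
	free(pdu);
	free(cmd.buf);
	return rc;
}
```

With EDTL > CDBL the old sizing rule makes the receive step fail (the point at which the real driver either overflowed or, after the overflow check, dropped the connection), while sizing for EDTL lets the full Data-Out land in the buffer.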

