From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linux-iscsi.org ([67.23.28.174]:49428 "EHLO linux-iscsi.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751555AbdEJE2L (ORCPT ); Wed, 10 May 2017 00:28:11 -0400 Message-ID: <1494390488.16894.86.camel@haakon3.risingtidesystems.com> Subject: Re: [PATCH 06/19] target: Fix data buffer size for VERIFY and WRITE AND VERIFY commands From: "Nicholas A. Bellinger" To: Bart Van Assche Cc: "hch@lst.de" , "ddiss@suse.de" , "hare@suse.com" , "target-devel@vger.kernel.org" , "agrover@redhat.com" , "stable@vger.kernel.org" Date: Tue, 09 May 2017 21:28:08 -0700 In-Reply-To: <1494266862.2591.14.camel@sandisk.com> References: <20170504225102.8931-1-bart.vanassche@sandisk.com> <20170504225102.8931-7-bart.vanassche@sandisk.com> <1494197384.30469.34.camel@haakon3.risingtidesystems.com> <1494266862.2591.14.camel@sandisk.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: stable-owner@vger.kernel.org List-ID: On Mon, 2017-05-08 at 18:07 +0000, Bart Van Assche wrote: > On Sun, 2017-05-07 at 15:49 -0700, Nicholas A. Bellinger wrote: > > On Thu, 2017-05-04 at 15:50 -0700, Bart Van Assche wrote: > > > For VERIFY and WRITE AND VERIFY commands the size of the SCSI > > > Data-Out buffer can differ from the size of the data area on > > > the storage medium that is affected by the command. Make sure > > > that the Data-Out buffer size is computed correctly. Apparently > > > this part got dropped from my previous VERIFY / WRITE AND VERIFY > > > patch before I posted it due to rebasing. > > > > > > Fixes: commit 0e2eb7d12eaa ("target: Fix VERIFY and WRITE VERIFY command parsing") > > > Signed-off-by: Bart Van Assche > > > Cc: Hannes Reinecke > > > Cc: Christoph Hellwig > > > Cc: Andy Grover > > > Cc: David Disseldorp > > > Cc: > > > --- > > > drivers/target/target_core_sbc.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c > > > index a0ad618f1b1a..51489d96cb31 100644 > > > --- a/drivers/target/target_core_sbc.c > > > +++ b/drivers/target/target_core_sbc.c > > > @@ -888,9 +888,10 @@ static sense_reason_t sbc_parse_verify(struct se_cmd *cmd, int *sectors, > > > sense_reason_t > > > sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) > > > { > > > + enum { INVALID_SIZE = 1 }; > > > struct se_device *dev = cmd->se_dev; > > > unsigned char *cdb = cmd->t_task_cdb; > > > - unsigned int size; > > > + unsigned int size = INVALID_SIZE; > > > u32 sectors = 0; > > > sense_reason_t ret; > > > > > > @@ -1212,7 +1213,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) > > > return TCM_ADDRESS_OUT_OF_RANGE; > > > } > > > > > > - if (!(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE)) > > > + if (size == INVALID_SIZE) > > > size = sbc_get_size(cmd, sectors); > > > } > > > > > > > This patch has no effect. > > Hello Nic, > > That's a misinterpretation of your side. What this patch does is to ensure > that 'size' remains zero if a VERIFY or WRITE AND VERIFY command is submitted > with BYTCHK == 0. SBC mentions clearly that BYTCHK == 0 means that there is > no Data-Out buffer, or in other words, that the size of the Data-Out buffer > is zero. > > From the sg_verify man page: > > When --ndo=NDO is not given then the verify starts at the logical block > address given by the --lba=LBA option and continues for --count=COUNT > blocks. > > In other words, sg_verify is able to submit a VERIFY command without Data-Out > buffer (NDO is the size of the Data-Out buffer in bytes). > That's fine the spec says no data is associated with bytchk = 0. The point is the 'size' value in sbc_parse_cdb() is what's extracted from the received CDB, and compared against extended data transfer length (cmd->data_length) in target_cmd_size_check() to determine overflow or underflow. Attempting to make 'size' in sbc_parse_cdb() enforce what the spec says, instead of what it actually is in the received CDB is completely wrong. No other CDB does this, and *VERIFY* is no exception. If you're worried about non zero transfer length with bytchk = 0 getting processed, go ahead and return TCM_INVALID_CDB_FIELD from sbc_parse_verify() when this happens, like every other sanity check does. Of course, that's exactly the test case libiscsi does during test_writeverify16_residuals, send bythck = 0 with overflow and underflow with a non zero transfer length. > > Anyways, I've fixed both cases and will post the proper fix inline > > against patch #19. > > Do you perhaps mean patch "target: Fix sbc_parse_verify bytchk = 0 handling"? > (https://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending.git/commit/?h=for-next&id=d7d40280f868463d01a82186fd61cdc0e590381f) > > If you want to know my opinion about that patch: it doesn't fix anything but > breaks the sbc_parse_verify() function and definitely doesn't make the > behavior of VERIFY nor WRITE AND VERIFY more compliant with the SCSI specs. You are incorrect. It addresses the regression your code introduced that broke existing behavior for WRITE_VERIFY_*, when sbc_parse_verify() dropped SCF_SCSI_DATA_CDB for bytchk = 0 that allowed overflow to trigger an NULL pointer dereference. Perhaps you should verify existing code before your sbc_parse_verify() changes to see what I'm talking about.