From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linux-iscsi.org ([67.23.28.174]:41720 "EHLO
        linux-iscsi.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754028AbdEKFJb (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 11 May 2017 01:09:31 -0400
Message-ID: <1494479368.16894.127.camel@haakon3.risingtidesystems.com>
Subject: Re: [PATCH 06/19] target: Fix data buffer size for VERIFY and WRITE
 AND VERIFY commands
From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
To: Bart Van Assche <Bart.VanAssche@sandisk.com>
Cc: "hch@lst.de" <hch@lst.de>, "ddiss@suse.de" <ddiss@suse.de>,
        "hare@suse.com" <hare@suse.com>,
        "target-devel@vger.kernel.org" <target-devel@vger.kernel.org>,
        "agrover@redhat.com" <agrover@redhat.com>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>
Date: Wed, 10 May 2017 22:09:28 -0700
In-Reply-To: <1494429409.2578.4.camel@sandisk.com>
References: <20170504225102.8931-1-bart.vanassche@sandisk.com>
         <20170504225102.8931-7-bart.vanassche@sandisk.com>
         <1494197384.30469.34.camel@haakon3.risingtidesystems.com>
         <1494266862.2591.14.camel@sandisk.com>
         <1494390488.16894.86.camel@haakon3.risingtidesystems.com>
         <1494429409.2578.4.camel@sandisk.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, 2017-05-10 at 15:16 +0000, Bart Van Assche wrote:
> On Tue, 2017-05-09 at 21:28 -0700, Nicholas A. Bellinger wrote:
> > Attempting to make 'size' in sbc_parse_cdb() enforce what the spec says,
> > instead of what it actually is in the received CDB is completely wrong.
> 
> Please look again at e.g. the sg_verify source code. If it sets BYTCHK to
> zero it doesn't submit a Data-Out buffer. The only initiator that submits
> a Data-Out buffer and sets BYTCHK to zero is libiscsi when testing overflow
> behavior.

To repeat, it doesn't matter what the spec says, or what some host sends
or doesn't send.

The usage of 'size' in sbc_parse_cdb() is strictly for the value of the
transfer length extracted from a received CDB, and used to determine
overflow or underflow vs. fabric EDTL within target_cmd_size_check().

Any patch that attempts to arbitrarily set this to a value other than
what was received by a CDB that contains a transfer length field is
wrong.

As mentioned earlier, if you're genuinely concerned about btychk = 0
with a non zero transfer length, then I'm happy to apply the following
patch post -rc1:

diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index 2cc8753..af618a6 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -869,6 +869,9 @@ static sense_reason_t sbc_parse_verify(struct se_cmd *cmd, unsigned int *sectors
 
        switch (bytchk) {
        case 0:
+               if (*sectors)
+                       return TCM_INVALID_CDB_FIELD;
+               /* fall-through */
        case 1:
                cmd->se_cmd_flags |= SCF_SCSI_DATA_CDB;
                break;