From: Mike Christie <mchristi@redhat.com>
To: lixiubo@cmss.chinamobile.com, agrover@redhat.com, nab@linux-iscsi.org
Cc: shli@kernel.org, sheng@yasker.org, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org, namei.unix@gmail.com,
bryantly@linux.vnet.ibm.com
Subject: Re: [PATCHv4 1/4] tcmu: Fix possible overwrite of t_data_sg's last iov[]
Date: Tue, 21 Mar 2017 15:39:41 -0400 [thread overview]
Message-ID: <3c280e94-d626-2978-737d-eb4ae79bd64f@redhat.com> (raw)
In-Reply-To: <1490085382-28658-2-git-send-email-lixiubo@cmss.chinamobile.com>
On 03/21/2017 04:36 AM, lixiubo@cmss.chinamobile.com wrote:
> From: Xiubo Li <lixiubo@cmss.chinamobile.com>
>
> If there has BIDI data, its first iov[] will overwrite the last
> iov[] for se_cmd->t_data_sg.
>
> To fix this, we can just increase the iov pointer, but this may
> introuduce a new memory leakage bug: If the se_cmd->data_length
> and se_cmd->t_bidi_data_sg->length are all not aligned up to the
> DATA_BLOCK_SIZE, the actual length needed maybe larger than just
> sum of them.
>
> So, this could be avoided by rounding all the data lengthes up
> to DATA_BLOCK_SIZE.
>
> Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
> Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
> ---
> drivers/target/target_core_user.c | 34 +++++++++++++++++++++++-----------
> 1 file changed, 23 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 57defc3..65d475f 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -394,6 +394,20 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
> return true;
> }
>
> +static inline size_t tcmu_cmd_get_data_length(struct tcmu_cmd *tcmu_cmd)
> +{
> + struct se_cmd *se_cmd = tcmu_cmd->se_cmd;
> + size_t data_length = round_up(se_cmd->data_length, DATA_BLOCK_SIZE);
> +
> + if (se_cmd->se_cmd_flags & SCF_BIDI) {
> + BUG_ON(!(se_cmd->t_bidi_data_sg && se_cmd->t_bidi_data_nents));
> + data_length += round_up(se_cmd->t_bidi_data_sg->length,
> + DATA_BLOCK_SIZE);
> + }
> +
> + return data_length;
> +}
> +
> static sense_reason_t
> tcmu_queue_cmd_ring(struct tcmu_cmd *tcmu_cmd)
> {
> @@ -407,7 +421,7 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
> uint32_t cmd_head;
> uint64_t cdb_off;
> bool copy_to_data_area;
> - size_t data_length;
> + size_t data_length = tcmu_cmd_get_data_length(tcmu_cmd);
> DECLARE_BITMAP(old_bitmap, DATA_BLOCK_BITS);
>
> if (test_bit(TCMU_DEV_BIT_BROKEN, &udev->flags))
> @@ -433,11 +447,6 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
>
> mb = udev->mb_addr;
> cmd_head = mb->cmd_head % udev->cmdr_size; /* UAM */
> - data_length = se_cmd->data_length;
> - if (se_cmd->se_cmd_flags & SCF_BIDI) {
> - BUG_ON(!(se_cmd->t_bidi_data_sg && se_cmd->t_bidi_data_nents));
> - data_length += se_cmd->t_bidi_data_sg->length;
> - }
> if ((command_size > (udev->cmdr_size / 2)) ||
> data_length > udev->data_size) {
> pr_warn("TCMU: Request of size %zu/%zu is too big for %u/%zu "
> @@ -511,11 +520,14 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
> entry->req.iov_dif_cnt = 0;
>
> /* Handle BIDI commands */
> - iov_cnt = 0;
> - alloc_and_scatter_data_area(udev, se_cmd->t_bidi_data_sg,
> - se_cmd->t_bidi_data_nents, &iov, &iov_cnt, false);
> - entry->req.iov_bidi_cnt = iov_cnt;
> -
> + if (se_cmd->se_cmd_flags & SCF_BIDI) {
> + iov_cnt = 0;
> + iov++;
> + alloc_and_scatter_data_area(udev, se_cmd->t_bidi_data_sg,
> + se_cmd->t_bidi_data_nents, &iov, &iov_cnt,
> + false);
> + entry->req.iov_bidi_cnt = iov_cnt;
> + }
> /* cmd's data_bitmap is what changed in process */
> bitmap_xor(tcmu_cmd->data_bitmap, old_bitmap, udev->data_bitmap,
> DATA_BLOCK_BITS);
>
Patch looks ok to me.
Reviewed-by: Mike Christie <mchristi@redhat.com>
next prev parent reply other threads:[~2017-03-21 19:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-21 8:36 [PATCHv4 0/4] tcmu: bug fix and dynamic growing data area support lixiubo
2017-03-21 8:36 ` [PATCHv4 1/4] tcmu: Fix possible overwrite of t_data_sg's last iov[] lixiubo
2017-03-21 19:39 ` Mike Christie [this message]
2017-03-21 8:36 ` [PATCHv4 2/4] tcmu: Fix wrongly calculating of the base_command_size lixiubo
2017-03-21 19:53 ` Mike Christie
2017-03-21 8:36 ` [PATCHv4 3/4] tcmu: Add dynamic growing data area feature support lixiubo
2017-03-21 8:36 ` [PATCHv4 4/4] tcmu: Add global data block pool support lixiubo
2017-03-21 19:12 ` [PATCHv4 0/4] tcmu: bug fix and dynamic growing data area support Bryant G. Ly
2017-03-23 16:02 ` Ilias Tsitsimpis
[not found] ` <c28c75c3-0ab8-4320-9716-b36fc027ff50@email.android.com>
2017-03-25 8:57 ` Ilias Tsitsimpis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3c280e94-d626-2978-737d-eb4ae79bd64f@redhat.com \
--to=mchristi@redhat.com \
--cc=agrover@redhat.com \
--cc=bryantly@linux.vnet.ibm.com \
--cc=linux-scsi@vger.kernel.org \
--cc=lixiubo@cmss.chinamobile.com \
--cc=nab@linux-iscsi.org \
--cc=namei.unix@gmail.com \
--cc=sheng@yasker.org \
--cc=shli@kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.