From: Bart Van Assche <Bart.VanAssche@sandisk.com>
To: "hch@lst.de" <hch@lst.de>
Cc: "ddiss@suse.de" <ddiss@suse.de>, "hare@suse.com" <hare@suse.com>,
"target-devel@vger.kernel.org" <target-devel@vger.kernel.org>,
"agrover@redhat.com" <agrover@redhat.com>,
"nab@linux-iscsi.org" <nab@linux-iscsi.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH 05/19] target: Allocate sg-list correctly
Date: Fri, 5 May 2017 15:49:24 +0000 [thread overview]
Message-ID: <1493999363.2744.3.camel@sandisk.com> (raw)
In-Reply-To: <20170505090653.GA5248@lst.de>
On Fri, 2017-05-05 at 11:06 +0200, Christoph Hellwig wrote:
> On Thu, May 04, 2017 at 03:50:48PM -0700, Bart Van Assche wrote:
> > Avoid that the iSCSI target driver complains about "Initial page entry
> > out-of-bounds" and closes the connection if the SCSI Data-Out buffer
> > is larger than the buffer size specified through the CDB. This patch
> > prevents that running the libiscsi regression tests against LIO trigger
> > an infinite loop of libiscsi submitting a command, LIO closing the
> > connection and libiscsi resubmitting the same command.
>
> Can you add a bit more of an explanation of why this happens? I've
> just tried to verify the area, but at least while sitting in a conference
> talk I can't quite make sense of the changes.
Hello Christoph,
The aspects of SCSI command processing that are relevant in this context are:
* When the iSCSI target driver receives a SCSI command it calls
transport_init_se_cmd() to initialize struct se_cmd. The iSCSI target driver
passes the number of bytes that will be transferred into the "data_length"
argument of transport_init_se_cmd(). That function stores the data length in
the .data_length member of struct se_cmd. The value passed by target drivers
to transport_init_se_cmd() is what is called the Expected Data Transfer
Length (EDTL) in the iSCSI RFC.
* After CDB parsing has finished target_cmd_size_check() is called. If EDTL
exceeds the data buffer size extracted from the SCSI CDB (CDBL) then
.data_length is reduced to CDBL.
* Next target_alloc_sgl() allocates an sg-list for .data_length bytes (CDBL).
* iscsit_allocate_iovecs() allocates a struct kvec (.iov_data) also for
.data_length bytes (CDBL).
* iscsit_get_dataout() calls rx_data() and tries to store EDTL bytes in the
allocated struct kvec. If EDTL > CDBL then .iov_data overflows and this
usually triggers a crash. With the patch that prevents .iov_data overflows
the initiator is disconnected. In the case of libiscsi, it keeps retrying
forever to resubmit SCSI commands for which EDTL > CDBL.
In other words, initially EDTL is stored into .data_length and later on the
value of .data_length changes to CDBL. My proposal to avoid the buffer
overflows is to store both EDTL and CDBL in struct se_cmd and to allocate an
sg-list per command that can store EDTL bytes instead of CDBL bytes.
Bart.
next prev parent reply other threads:[~2017-05-05 15:49 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20170504225102.8931-1-bart.vanassche@sandisk.com>
2017-05-04 22:50 ` [PATCH 03/19] target: Avoid that aborting a command sporadically hangs Bart Van Assche
2017-05-05 6:12 ` Hannes Reinecke
2017-05-05 8:53 ` Christoph Hellwig
2017-05-05 15:00 ` Bart Van Assche
2017-05-11 0:23 ` Bart Van Assche
2017-05-07 22:20 ` Nicholas A. Bellinger
2017-05-08 21:25 ` Bart Van Assche
2017-05-10 4:48 ` Nicholas A. Bellinger
2017-05-04 22:50 ` [PATCH 04/19] target/fileio: Avoid that zero-length READ and WRITE commands hang Bart Van Assche
2017-05-05 6:14 ` Hannes Reinecke
2017-05-05 8:54 ` Christoph Hellwig
2017-05-07 22:28 ` Nicholas A. Bellinger
2017-05-04 22:50 ` [PATCH 05/19] target: Allocate sg-list correctly Bart Van Assche
2017-05-05 6:15 ` Hannes Reinecke
2017-05-05 9:06 ` Christoph Hellwig
2017-05-05 15:49 ` Bart Van Assche [this message]
2017-05-07 22:45 ` Nicholas A. Bellinger
2017-05-08 17:46 ` Bart Van Assche
2017-05-10 4:03 ` Nicholas A. Bellinger
2017-05-10 6:12 ` Nicholas A. Bellinger
2017-05-10 20:31 ` Bart Van Assche
2017-05-11 5:28 ` Nicholas A. Bellinger
2017-05-04 22:50 ` [PATCH 06/19] target: Fix data buffer size for VERIFY and WRITE AND VERIFY commands Bart Van Assche
2017-05-05 9:42 ` Christoph Hellwig
2017-05-05 15:51 ` Bart Van Assche
2017-05-07 22:49 ` Nicholas A. Bellinger
2017-05-08 18:07 ` Bart Van Assche
2017-05-10 4:28 ` Nicholas A. Bellinger
2017-05-10 15:16 ` Bart Van Assche
2017-05-11 5:09 ` Nicholas A. Bellinger
2017-05-04 22:51 ` [PATCH 17/19] target/iscsi: Simplify timer manipulation code Bart Van Assche
2017-05-05 11:24 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493999363.2744.3.camel@sandisk.com \
--to=bart.vanassche@sandisk.com \
--cc=agrover@redhat.com \
--cc=ddiss@suse.de \
--cc=hare@suse.com \
--cc=hch@lst.de \
--cc=nab@linux-iscsi.org \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).