[0/2] Fix target not properly truncating command data length

Message ID 20210209072202.41154-1-a.miloserdov@yadro.com (mailing list archive)

Message

Aleksandr Miloserdov Feb. 9, 2021, 7:22 a.m. UTC
SPC-5 (4.2.5.6 Allocation length) requires to terminate transfers to the
Data In Buffer when the number of bytes or blocks specified by the
ALLOCATION LENGTH field have been transferred or when all available data
have been transferred, whichever is less.

PERSISTENT RESERVE IN service actions in TCM don't follow the clause and
return ALLOCATION LENGTH of data, even if actual number of data in reply
is less (e.g. there are no reservation keys).

That causes an underflow and a failure in libiscsi PrinReadKeys.Simple
that expects Data In Buffer size equal to ADDITIONAL LENGTH + 8.

This patch series fixes this behavior.
It is intended for 5.11/scsi-queue branch.

Aleksandr Miloserdov (2):
  scsi: target: core: Add cmd length set before cmd complete
  scsi: target: core: Prevent underflow for service actions

 drivers/target/target_core_pr.c        |  6 ++++++
 drivers/target/target_core_transport.c | 15 +++++++++++----
 include/target/target_core_backend.h   |  1 +
 3 files changed, 18 insertions(+), 4 deletions(-)
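
The allocation-length rule cited in the cover letter, as an added example that is not part of the patch series or the kernel's code: a stand-alone C function that builds PERSISTENT RESERVE IN READ KEYS parameter data and returns min(ALLOCATION LENGTH, ADDITIONAL LENGTH + 8) as the transfer length. The function and helper names, the buffer sizes and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PRIN_HDR_LEN 8u /* PRGENERATION (4) + ADDITIONAL LENGTH (4) */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/*
 * Hypothetical helper: fill buf (at least alloc_len bytes) with READ KEYS
 * parameter data and return the number of bytes to transfer, which is
 * min(alloc_len, ADDITIONAL LENGTH + 8). Assumes nkeys * 8 fits in 32 bits.
 */
size_t prin_read_keys_fill(uint8_t *buf, size_t alloc_len, uint32_t generation,
                           const uint64_t *keys, uint32_t nkeys)
{
    uint8_t tmp[8];
    uint32_t add_len = nkeys * 8u;
    size_t avail = (size_t)add_len + PRIN_HDR_LEN;
    size_t xfer = alloc_len < avail ? alloc_len : avail;
    size_t off, n;
    uint32_t i;
    /* Header: ADDITIONAL LENGTH describes the full key list and is not
     * reduced when the allocation length truncates the transfer. */
    put_be32(tmp, generation);
    put_be32(tmp + 4, add_len);
    memcpy(buf, tmp, xfer < PRIN_HDR_LEN ? xfer : PRIN_HDR_LEN);
    /* Keys: copy only what fits inside the transfer length. */
    for (i = 0, off = PRIN_HDR_LEN; i < nkeys && off < xfer; i++, off += 8) {
        put_be32(tmp, (uint32_t)(keys[i] >> 32));
        put_be32(tmp + 4, (uint32_t)keys[i]);
        n = xfer - off < 8 ? xfer - off : 8;
        memcpy(buf + off, tmp, n);
    }
    return xfer; /* the behaviour described above transfers alloc_len instead */
}

int main(void)
{
    uint8_t buf[64];
    /* Constructed case: no registered keys, 64-byte allocation length. */
    return prin_read_keys_fill(buf, sizeof(buf), 1, NULL, 0) == 8 ? 0 : 1;
}
```

With no registered keys the function reports 8 bytes, which matches the ADDITIONAL LENGTH + 8 size that the libiscsi test expects.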

Comments

Martin K. Petersen Feb. 23, 2021, 3:22 a.m. UTC | #1
Aleksandr,

> SPC-5 (4.2.5.6 Allocation length) requires to terminate transfers to
> the Data In Buffer when the number of bytes or blocks specified by the
> ALLOCATION LENGTH field have been transferred or when all available
> data have been transferred, whichever is less.
>
> PERSISTENT RESERVE IN service actions in TCM don't follow the clause
> and return ALLOCATION LENGTH of data, even if actual number of data in
> reply is less (e.g. there are no reservation keys).
>
> That causes an underflow and a failure in libiscsi PrinReadKeys.Simple
> that expects Data In Buffer size equal to ADDITIONAL LENGTH + 8.

Applied to 5.12/scsi-staging, thanks!

Martin K. Petersen Feb. 26, 2021, 2:22 a.m. UTC | #2
On Tue, 9 Feb 2021 10:22:00 +0300, Aleksandr Miloserdov wrote:

> SPC-5 (4.2.5.6 Allocation length) requires to terminate transfers to the
> Data In Buffer when the number of bytes or blocks specified by the
> ALLOCATION LENGTH field have been transferred or when all available data
> have been transferred, whichever is less.
> 
> PERSISTENT RESERVE IN service actions in TCM don't follow the clause and
> return ALLOCATION LENGTH of data, even if actual number of data in reply
> is less (e.g. there are no reservation keys).
> 
> [...]

Applied to 5.12/scsi-queue, thanks!

[1/2] scsi: target: core: Add cmd length set before cmd complete
      https://git.kernel.org/mkp/scsi/c/1c73e0c5e54d
[2/2] scsi: target: core: Prevent underflow for service actions
      https://git.kernel.org/mkp/scsi/c/14d24e2cc774