[25/33] target/iscsi: Avoid overflowing the receive buffer

Message ID	20170523234854.21452-26-bart.vanassche@sandisk.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <target-devel-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates 63.163.107.21 as permitted sender) receiver=protection.outlook.com; client-ip=63.163.107.21; helo=milsmgep15.sandisk.com; From: Bart Van Assche <bart.vanassche@sandisk.com> To: Nicholas Bellinger <nab@linux-iscsi.org> CC: <target-devel@vger.kernel.org>, Bart Van Assche <bart.vanassche@sandisk.com>, Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.com>, David Disseldorp <ddiss@suse.de>, <stable@vger.kernel.org> Subject: [PATCH 25/33] target/iscsi: Avoid overflowing the receive buffer Date: Tue, 23 May 2017 16:48:46 -0700 Message-ID: <20170523234854.21452-26-bart.vanassche@sandisk.com> In-Reply-To: <20170523234854.21452-1-bart.vanassche@sandisk.com> References: <20170523234854.21452-1-bart.vanassche@sandisk.com> MIME-Version: 1.0 Content-Type: text/plain WDCIPOUTBOUND: EOP-TRUE X-Microsoft-Exchange-Diagnostics: 1; CY4PR04MB0504; 20:XJGtInsJX2TqdLNh5jxgyBZDZxhDo29X+P0I3+p1voee84iFg/rPFdqE9kqCULVticD5qtZO1qOdQU/VI7BwCXaMArX1LS8h5GwUTs5SlzM/kHqsQ/gFcm4brKFQtHjl5uWN7zJ0Yl85TCypTlG7Nyki8HpLrkvGly+6v1XeNvFiuTASa/bxGa3oKEqePOl9ngJMnTmlyIv5ezoQkcD+uOGIbs/kIU62b0CQkXgDKBgDfjF5vfmzR9XMBsVuc4ZxF7zF93MtLbrjZqpq4CZXYtvDVvPIy7bUcmobXOTQim0Pl5RzmW/zOhmeNY+dtdFmggYgnAY4GfTTelKMp3RoC9vaYjy6drP3tcoyQiNrRehK93+CHtaKSO237TrfpVGLjZYgMSEeYp6UDKy1OZSY8buNqc8BYL8v+tmmqQSX9VlB8gebK0yY/WOSEAi1O1b0yjtAoLxn6EvHaAODnoAZ7EiyykFrF86NOXGV4CLzLjlxlkvqMsHhWMgbabkrzsOi SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; CY4PR04MB0504; 7:RGu+OAbG//wHmDN7xMijOnn3YNPLIqKQ8VybcyAPlkak+twjabh9TtXWbz7Pt/5aa68sS4P5N+UmrXYynybwdYfDMbaJRTgM1jOtLa2UQuKS8rg8+t4qF8nDOulZsBQBPvVEChhkNCEwUg4E41Oj70WmXkQ3RRWOrg86+wPoAtKegMTrTVUi592lzPAYTxv1cPM7/wWRReLfdlDRuS4TfCZYfaeF1qlFotG9uK+6RyTlaDFEqwJ7AxKuvGk7DJXorDEMbZ/LQNYtWM/Zphu6sCAC7dOCf81kMrAOI81o3yN8DPHWtkpMhN7mewNKgotfT37eR7/0jzV7muIKsKpwcA==; 20:ZeiPvljyNRcbmG5dGxrJGvTifQWN7tL0lCc9bcv2239ZpJz8NwzptpC3/bzKR08XG08Vnzco3GQEwiGns0YXdD0IwQwUp1Ily8YoQjAESRuwIaQBCuIhu2nXWptRd2fYkAOJFlAUCV+C6vfnIsrnSG2mLXG4rGK09smpjhhT+ak= Sender: target-devel-owner@vger.kernel.org Precedence: bulk

Message ID

20170523234854.21452-26-bart.vanassche@sandisk.com (mailing list archive)

State

New, archived

Headers

Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates
	63.163.107.21 as permitted sender)
	receiver=protection.outlook.com; 
	client-ip=63.163.107.21; helo=milsmgep15.sandisk.com;
From: Bart Van Assche <bart.vanassche@sandisk.com>
To: Nicholas Bellinger <nab@linux-iscsi.org>
CC: <target-devel@vger.kernel.org>,
	Bart Van Assche <bart.vanassche@sandisk.com>,
	Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.com>,
	David Disseldorp <ddiss@suse.de>, <stable@vger.kernel.org>
Subject: [PATCH 25/33] target/iscsi: Avoid overflowing the receive buffer
Date: Tue, 23 May 2017 16:48:46 -0700
Message-ID: <20170523234854.21452-26-bart.vanassche@sandisk.com>
In-Reply-To: <20170523234854.21452-1-bart.vanassche@sandisk.com>
References: <20170523234854.21452-1-bart.vanassche@sandisk.com>
MIME-Version: 1.0
Content-Type: text/plain
WDCIPOUTBOUND: EOP-TRUE
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 May 2017 23:49:06.2899
	(UTC)
X-MS-Exchange-CrossTenant-Id: b61c8803-16f3-4c35-9b17-6f65f441df86
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b61c8803-16f3-4c35-9b17-6f65f441df86;
	Ip=[63.163.107.21]; Helo=[milsmgep15.sandisk.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR04MB0504
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Bart Van Assche May 23, 2017, 11:48 p.m. UTC

Since target_alloc_sgl() and iscsit_allocate_iovecs() allocate
buffer space for se_cmd.data_length bytes and since that number
can be smaller than the iSCSI Expected Data Transfer Length
(EDTL), ensure that the iSCSI target driver does not attempt to
receive more bytes than what fits in the receive buffer. Always
receive the full immediate data buffer.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: David Disseldorp <ddiss@suse.de>
Cc: <stable@vger.kernel.org>
---
 drivers/target/iscsi/iscsi_target.c      | 27 ++++++++++++++++++++++++---
 drivers/target/iscsi/iscsi_target_util.c |  1 +
 include/target/iscsi/iscsi_target_core.h |  1 +
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 86acf81c1cf9..c91604feca18 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1564,9 +1564,11 @@  iscsit_get_dataout(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
 {
 	struct kvec *iov;
 	u32 checksum, iov_count = 0, padding = 0, rx_got = 0, rx_size = 0;
-	u32 payload_length = ntoh24(hdr->dlength);
+	u32 payload_length;
 	int iov_ret, data_crc_failed = 0;
 
+	payload_length = min_t(u32, cmd->se_cmd.data_length,
+			       ntoh24(hdr->dlength));
 	rx_size += payload_length;
 	iov = &cmd->iov_data[0];
 
@@ -2577,14 +2579,33 @@  static int iscsit_handle_immediate_data(
 	u32 checksum, iov_count = 0, padding = 0;
 	struct iscsi_conn *conn = cmd->conn;
 	struct kvec *iov;
+	void *overflow_buf = NULL;
 
-	iov_ret = iscsit_map_iovec(cmd, cmd->iov_data, cmd->write_data_done, length);
+	BUG_ON(cmd->write_data_done > cmd->se_cmd.data_length);
+	rx_size = min(cmd->se_cmd.data_length - cmd->write_data_done, length);
+	iov_ret = iscsit_map_iovec(cmd, cmd->iov_data, cmd->write_data_done,
+				   rx_size);
 	if (iov_ret < 0)
 		return IMMEDIATE_DATA_CANNOT_RECOVER;
 
-	rx_size = length;
 	iov_count = iov_ret;
 	iov = &cmd->iov_data[0];
+	if (rx_size < length) {
+		/*
+		 * Special case: length of immediate data exceeds the data
+		 * buffer size derived from the CDB (overflow).
+		 */
+		overflow_buf = kmalloc(length - rx_size, GFP_KERNEL);
+		if (!overflow_buf) {
+			iscsit_unmap_iovec(cmd);
+			return IMMEDIATE_DATA_CANNOT_RECOVER;
+		}
+		cmd->overflow_buf = overflow_buf;
+		iov[iov_count].iov_base = overflow_buf;
+		iov[iov_count].iov_len = length - rx_size;
+		iov_count++;
+		rx_size = length;
+	}
 
 	padding = ((-length) & 3);
 	if (padding != 0) {
diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
index 1e36f83b5961..68371a7e54d8 100644
--- a/drivers/target/iscsi/iscsi_target_util.c
+++ b/drivers/target/iscsi/iscsi_target_util.c
@@ -705,6 +705,7 @@  void iscsit_release_cmd(struct iscsi_cmd *cmd)
 	kfree(cmd->pdu_list);
 	kfree(cmd->seq_list);
 	kfree(cmd->tmr_req);
+	kfree(cmd->overflow_buf);
 	kfree(cmd->iov_data);
 	kfree(cmd->text_in_ptr);
 
diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
index 275581d483dd..968825200ecb 100644
--- a/include/target/iscsi/iscsi_target_core.h
+++ b/include/target/iscsi/iscsi_target_core.h
@@ -462,6 +462,7 @@  struct iscsi_cmd {
 	struct timer_list	dataout_timer;
 	/* Iovecs for SCSI data payload RX/TX w/ kernel level sockets */
 	struct kvec		*iov_data;
+	void			*overflow_buf;
 	/* Iovecs for miscellaneous purposes */
 #define ISCSI_MISC_IOVECS			5
 	struct kvec		iov_misc[ISCSI_MISC_IOVECS];

[25/33] target/iscsi: Avoid overflowing the receive buffer

Commit Message

Patch