From patchwork Tue Dec 4 00:48:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bijan Mottahedeh X-Patchwork-Id: 10710983 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 873A71057 for ; Tue, 4 Dec 2018 00:48:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2450A29F55 for ; Tue, 4 Dec 2018 00:48:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 15ADB2A84D; Tue, 4 Dec 2018 00:48:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 67E5A2A822 for ; Tue, 4 Dec 2018 00:48:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726020AbeLDAsi (ORCPT ); Mon, 3 Dec 2018 19:48:38 -0500 Received: from userp2130.oracle.com ([156.151.31.86]:37120 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725903AbeLDAsi (ORCPT ); Mon, 3 Dec 2018 19:48:38 -0500 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB40iHO5132857; Tue, 4 Dec 2018 00:48:34 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2018-07-02; bh=mcgF9QGVXrITv9BkIMJY7RFg9llKgxcuIDYmVnVFkPM=; b=WDYdf4xCQ534/VgXOgxW00PjtFaS6ZoMbymVppQILDiXdi5flNNGN1tHaPlFkq7DheSG bE/YCPEghOjQc7aKqVD/FQh0wohw2NBMjbttcG68Xc53nja96kPF/sanaWdXxRbwpZYN JQ8iT1/71jyPCmNhHHPAlYFVDZv2JXJUuo3tYU2dpRPx008Id6F+finUIy3cO9Ds9WX6 sJ4Hq5OFl+LeUd29ZNwmlMIJNRLcfIZwpjY4rnRw0cok+8GrLk5Te60fJXMfjiKviRBV b9c9nyocDCeDWFkVqgy58R+1nTSgutn56pzVFP0hAaiz4PGSK32ucRboYpUkysZJ86Zy sA== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2130.oracle.com with ESMTP id 2p3hqtsk3d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 04 Dec 2018 00:48:34 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mXwa003076 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 4 Dec 2018 00:48:33 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wB40mX5x027046; Tue, 4 Dec 2018 00:48:33 GMT Received: from ca-ldom147.us.oracle.com (/10.129.68.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Dec 2018 16:48:32 -0800 From: Bijan Mottahedeh To: kvm@vger.kernel.org, target-devel@vger.kernel.org, mst@redhat.com Cc: jasowang@redhat.com, silviu.smarandache@oracle.com, bijan.mottahedeh@oracle.com Subject: [PATCH v2 1/4] vhost/scsi: Respond to control queue operations Date: Mon, 3 Dec 2018 16:48:20 -0800 Message-Id: <1543884503-32281-2-git-send-email-bijan.mottahedeh@oracle.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> References: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9096 signatures=668686 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812040003 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The vhost-scsi driver currently does not handle any control queue operations. In particular, vhost_scsi_ctl_handle_kick, merely prints out a debug message but does nothing else. This can cause guest VMs to hang. As part of SCSI recovery from an error, e.g., an I/O timeout, the SCSI midlayer attempts to abort the failed operation. The SCSI virtio driver translates the abort to a SCSI TMF request that gets put on the control queue (virtscsi_abort -> virtscsi_tmf). The SCSI virtio driver then waits indefinitely for this request to be completed, but it never will because vhost-scsi never responds to that request. To avoid a hang, always respond to control queue operations; explicitly reject TMF requests, and return a no-op response to event requests. Signed-off-by: Bijan Mottahedeh --- drivers/vhost/scsi.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index c24bb69..faf0dcf 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -1048,9 +1048,199 @@ static void vhost_scsi_submission_work(struct work_struct *work) mutex_unlock(&vq->mutex); } +static void +vhost_scsi_send_tmf_resp(struct vhost_scsi *vs, + struct vhost_virtqueue *vq, + int head, unsigned int out) +{ + struct virtio_scsi_ctrl_tmf_resp __user *resp; + struct virtio_scsi_ctrl_tmf_resp rsp; + int ret; + + pr_debug("%s\n", __func__); + memset(&rsp, 0, sizeof(rsp)); + rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; + resp = vq->iov[out].iov_base; + ret = __copy_to_user(resp, &rsp, sizeof(rsp)); + if (!ret) + vhost_add_used_and_signal(&vs->dev, vq, head, 0); + else + pr_err("Faulted on virtio_scsi_ctrl_tmf_resp\n"); +} + +static void +vhost_scsi_send_an_resp(struct vhost_scsi *vs, + struct vhost_virtqueue *vq, + int head, unsigned int out) +{ + struct virtio_scsi_ctrl_an_resp __user *resp; + struct virtio_scsi_ctrl_an_resp rsp; + int ret; + + pr_debug("%s\n", __func__); + memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */ + rsp.response = VIRTIO_SCSI_S_OK; + resp = vq->iov[out].iov_base; + ret = __copy_to_user(resp, &rsp, sizeof(rsp)); + if (!ret) + vhost_add_used_and_signal(&vs->dev, vq, head, 0); + else + pr_err("Faulted on virtio_scsi_ctrl_an_resp\n"); +} + +static void +vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) +{ + union { + __virtio32 type; + struct virtio_scsi_ctrl_an_req an; + struct virtio_scsi_ctrl_tmf_req tmf; + } v_req; + struct iov_iter out_iter; + unsigned int out = 0, in = 0; + int head; + size_t req_size, rsp_size, typ_size; + size_t out_size, in_size; + u8 *lunp; + void *req; + + mutex_lock(&vq->mutex); + /* + * We can handle the vq only after the endpoint is setup by calling the + * VHOST_SCSI_SET_ENDPOINT ioctl. + */ + if (!vq->private_data) + goto out; + + vhost_disable_notify(&vs->dev, vq); + + for (;;) { + head = vhost_get_vq_desc(vq, vq->iov, + ARRAY_SIZE(vq->iov), &out, &in, + NULL, NULL); + pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", + head, out, in); + /* On error, stop handling until the next kick. */ + if (unlikely(head < 0)) + break; + /* Nothing new? Wait for eventfd to tell us they refilled. */ + if (head == vq->num) { + if (unlikely(vhost_enable_notify(&vs->dev, vq))) { + vhost_disable_notify(&vs->dev, vq); + continue; + } + break; + } + + /* + * Get the size of request and response buffers. + */ + out_size = iov_length(vq->iov, out); + in_size = iov_length(&vq->iov[out], in); + + /* + * Copy over the virtio-scsi request header, which for a + * ANY_LAYOUT enabled guest may span multiple iovecs, or a + * single iovec may contain both the header + outgoing + * WRITE payloads. + * + * copy_from_iter() will advance out_iter, so that it will + * point at the start of the outgoing WRITE payload, if + * DMA_TO_DEVICE is set. + */ + iov_iter_init(&out_iter, WRITE, vq->iov, out, out_size); + + req = &v_req.type; + typ_size = sizeof(v_req.type); + + if (unlikely(!copy_from_iter_full(req, typ_size, &out_iter))) { + vq_err(vq, "Faulted on copy_from_iter tmf type\n"); + /* + * The size of the response buffer varies based on + * the request type and must be validated against it. + * Since the request type is not known, don't send + * a response. + */ + continue; + } + + switch (v_req.type) { + case VIRTIO_SCSI_T_TMF: + req = &v_req.tmf; + lunp = &v_req.tmf.lun[0]; + req_size = sizeof(struct virtio_scsi_ctrl_tmf_req); + rsp_size = sizeof(struct virtio_scsi_ctrl_tmf_resp); + break; + case VIRTIO_SCSI_T_AN_QUERY: + case VIRTIO_SCSI_T_AN_SUBSCRIBE: + req = &v_req.an; + lunp = &v_req.an.lun[0]; + req_size = sizeof(struct virtio_scsi_ctrl_an_req); + rsp_size = sizeof(struct virtio_scsi_ctrl_an_resp); + break; + default: + vq_err(vq, "Unknown control request %d", v_req.type); + continue; + } + + /* + * Check for a sane response buffer so we can report early + * errors back to the guest. + */ + if (unlikely(in_size < rsp_size)) { + vq_err(vq, + "Resp buf too small, need min %zu bytes got %zu", + rsp_size, in_size); + /* + * Notifications are disabled at this point; + * continue so they can be eventually enabled + * when processing terminates. + */ + continue; + } + + if (unlikely(out_size < req_size)) { + vq_err(vq, + "Req buf too small, need min %zu bytes got %zu", + req_size, out_size); + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; + } + + req += typ_size; + req_size -= typ_size; + + if (unlikely(!copy_from_iter_full(req, req_size, &out_iter))) { + vq_err(vq, "Faulted on copy_from_iter\n"); + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; + } + + /* virtio-scsi spec requires byte 0 of the lun to be 1 */ + if (unlikely(*lunp != 1)) { + vq_err(vq, "Illegal virtio-scsi lun: %u\n", *lunp); + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; + } + + if (v_req.type == VIRTIO_SCSI_T_TMF) { + pr_debug("%s tmf %d\n", __func__, v_req.tmf.subtype); + vhost_scsi_send_tmf_resp(vs, vq, head, out); + } else + vhost_scsi_send_an_resp(vs, vq, head, out); + } +out: + mutex_unlock(&vq->mutex); +} + static void vhost_scsi_ctl_handle_kick(struct vhost_work *work) { + struct vhost_virtqueue *vq = container_of(work, struct vhost_virtqueue, + poll.work); + struct vhost_scsi *vs = container_of(vq->dev, struct vhost_scsi, dev); + pr_debug("%s: The handling func for control queue.\n", __func__); + vhost_scsi_ctl_handle_vq(vs, vq); } static void From patchwork Tue Dec 4 00:48:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bijan Mottahedeh X-Patchwork-Id: 10710993 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3C68213BF for ; Tue, 4 Dec 2018 00:48:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FA1D2A87D for ; Tue, 4 Dec 2018 00:48:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 23F5F2A8D1; Tue, 4 Dec 2018 00:48:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3D3C32A87D for ; Tue, 4 Dec 2018 00:48:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726054AbeLDAsl (ORCPT ); Mon, 3 Dec 2018 19:48:41 -0500 Received: from aserp2120.oracle.com ([141.146.126.78]:60764 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725943AbeLDAsj (ORCPT ); Mon, 3 Dec 2018 19:48:39 -0500 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB40iGOa103093; Tue, 4 Dec 2018 00:48:35 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2018-07-02; bh=TsRvQk8Ceez4G/6BwNN3mvCH7LQw165jXJxtS76IUpQ=; b=5cArJmae6eA0Jz2Y0F4RrHFTiDqVJ1fChjbd0c/BbsC0eNn3K5OSeBzoNojMb0GT58nV zdUakEuEPyvYxiIiMipcdIa+CnuDwZRvmc8ZwVtWZ+YHZpE4wbb8a51aBkQYol7MNnmH ztgJvs6WPviT00Q7QVicdqyEG6TymlP9vYHmVswAyTMbrw8bzXhdcCVtCFOch51GY4ZC GoSFnfIuJFErAPsv/TeNCwEek3UuXqLpNoOj0lkbitfetWh80drab+r+5o+ly3dBwcxm F70ybnmOLu6TlHJRJK3wDILlifetcLAEotsP3XpL5qF+LC//nx/3dpvgq90G7kVgZh5+ Hg== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp2120.oracle.com with ESMTP id 2p3j8q9k6e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 04 Dec 2018 00:48:35 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mY4q019234 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 4 Dec 2018 00:48:34 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mYkq001242; Tue, 4 Dec 2018 00:48:34 GMT Received: from ca-ldom147.us.oracle.com (/10.129.68.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Dec 2018 16:48:33 -0800 From: Bijan Mottahedeh To: kvm@vger.kernel.org, target-devel@vger.kernel.org, mst@redhat.com Cc: jasowang@redhat.com, silviu.smarandache@oracle.com, bijan.mottahedeh@oracle.com Subject: [PATCH v2 2/4] vhost/scsi: Extract common handling code from control queue handler Date: Mon, 3 Dec 2018 16:48:21 -0800 Message-Id: <1543884503-32281-3-git-send-email-bijan.mottahedeh@oracle.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> References: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9096 signatures=668686 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812040003 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Prepare to change the request queue handler to use common handling routines. Signed-off-by: Bijan Mottahedeh --- drivers/vhost/scsi.c | 271 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 172 insertions(+), 99 deletions(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index faf0dcf..d8c7612 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -203,6 +203,19 @@ struct vhost_scsi { int vs_events_nr; /* num of pending events, protected by vq->mutex */ }; +/* + * Context for processing request and control queue operations. + */ +struct vhost_scsi_ctx { + int head; + unsigned int out, in; + size_t req_size, rsp_size; + size_t out_size, in_size; + u8 *target, *lunp; + void *req; + struct iov_iter out_iter; +}; + static struct workqueue_struct *vhost_scsi_workqueue; /* Global spinlock to protect vhost_scsi TPG list for vhost IOCTL access */ @@ -1048,10 +1061,107 @@ static void vhost_scsi_submission_work(struct work_struct *work) mutex_unlock(&vq->mutex); } +static int +vhost_scsi_get_desc(struct vhost_scsi *vs, struct vhost_virtqueue *vq, + struct vhost_scsi_ctx *vc) +{ + int ret = -ENXIO; + + vc->head = vhost_get_vq_desc(vq, vq->iov, + ARRAY_SIZE(vq->iov), &vc->out, &vc->in, + NULL, NULL); + + pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", + vc->head, vc->out, vc->in); + + /* On error, stop handling until the next kick. */ + if (unlikely(vc->head < 0)) + goto done; + + /* Nothing new? Wait for eventfd to tell us they refilled. */ + if (vc->head == vq->num) { + if (unlikely(vhost_enable_notify(&vs->dev, vq))) { + vhost_disable_notify(&vs->dev, vq); + ret = -EAGAIN; + } + goto done; + } + + /* + * Get the size of request and response buffers. + */ + vc->out_size = iov_length(vq->iov, vc->out); + vc->in_size = iov_length(&vq->iov[vc->out], vc->in); + + /* + * Copy over the virtio-scsi request header, which for a + * ANY_LAYOUT enabled guest may span multiple iovecs, or a + * single iovec may contain both the header + outgoing + * WRITE payloads. + * + * copy_from_iter() will advance out_iter, so that it will + * point at the start of the outgoing WRITE payload, if + * DMA_TO_DEVICE is set. + */ + iov_iter_init(&vc->out_iter, WRITE, vq->iov, vc->out, vc->out_size); + ret = 0; + +done: + return ret; +} + +static int +vhost_scsi_chk_size(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc) +{ + if (unlikely(vc->in_size < vc->rsp_size)) { + vq_err(vq, + "Response buf too small, need min %zu bytes got %zu", + vc->rsp_size, vc->in_size); + return -EINVAL; + } else if (unlikely(vc->out_size < vc->req_size)) { + vq_err(vq, + "Request buf too small, need min %zu bytes got %zu", + vc->req_size, vc->out_size); + return -EIO; + } + + return 0; +} + +static int +vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, + struct vhost_scsi_tpg **tpgp) +{ + int ret = -EIO; + + if (unlikely(!copy_from_iter_full(vc->req, vc->req_size, + &vc->out_iter))) + vq_err(vq, "Faulted on copy_from_iter\n"); + else if (unlikely(*vc->lunp != 1)) + /* virtio-scsi spec requires byte 0 of the lun to be 1 */ + vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp); + else { + struct vhost_scsi_tpg **vs_tpg, *tpg; + + vs_tpg = vq->private_data; /* validated at handler entry */ + + tpg = READ_ONCE(vs_tpg[*vc->target]); + if (unlikely(!tpg)) + vq_err(vq, "Target 0x%x does not exist\n", *vc->target); + else { + if (tpgp) + *tpgp = tpg; + ret = 0; + } + } + + return ret; +} + static void vhost_scsi_send_tmf_resp(struct vhost_scsi *vs, - struct vhost_virtqueue *vq, - int head, unsigned int out) + struct vhost_virtqueue *vq, + struct vhost_scsi_ctx *vc) { struct virtio_scsi_ctrl_tmf_resp __user *resp; struct virtio_scsi_ctrl_tmf_resp rsp; @@ -1060,18 +1170,18 @@ static void vhost_scsi_submission_work(struct work_struct *work) pr_debug("%s\n", __func__); memset(&rsp, 0, sizeof(rsp)); rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; - resp = vq->iov[out].iov_base; + resp = vq->iov[vc->out].iov_base; ret = __copy_to_user(resp, &rsp, sizeof(rsp)); if (!ret) - vhost_add_used_and_signal(&vs->dev, vq, head, 0); + vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); else pr_err("Faulted on virtio_scsi_ctrl_tmf_resp\n"); } static void vhost_scsi_send_an_resp(struct vhost_scsi *vs, - struct vhost_virtqueue *vq, - int head, unsigned int out) + struct vhost_virtqueue *vq, + struct vhost_scsi_ctx *vc) { struct virtio_scsi_ctrl_an_resp __user *resp; struct virtio_scsi_ctrl_an_resp rsp; @@ -1080,10 +1190,10 @@ static void vhost_scsi_submission_work(struct work_struct *work) pr_debug("%s\n", __func__); memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */ rsp.response = VIRTIO_SCSI_S_OK; - resp = vq->iov[out].iov_base; + resp = vq->iov[vc->out].iov_base; ret = __copy_to_user(resp, &rsp, sizeof(rsp)); if (!ret) - vhost_add_used_and_signal(&vs->dev, vq, head, 0); + vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); else pr_err("Faulted on virtio_scsi_ctrl_an_resp\n"); } @@ -1096,13 +1206,9 @@ static void vhost_scsi_submission_work(struct work_struct *work) struct virtio_scsi_ctrl_an_req an; struct virtio_scsi_ctrl_tmf_req tmf; } v_req; - struct iov_iter out_iter; - unsigned int out = 0, in = 0; - int head; - size_t req_size, rsp_size, typ_size; - size_t out_size, in_size; - u8 *lunp; - void *req; + struct vhost_scsi_ctx vc; + size_t typ_size; + int ret; mutex_lock(&vq->mutex); /* @@ -1112,52 +1218,28 @@ static void vhost_scsi_submission_work(struct work_struct *work) if (!vq->private_data) goto out; + memset(&vc, 0, sizeof(vc)); + vhost_disable_notify(&vs->dev, vq); for (;;) { - head = vhost_get_vq_desc(vq, vq->iov, - ARRAY_SIZE(vq->iov), &out, &in, - NULL, NULL); - pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", - head, out, in); - /* On error, stop handling until the next kick. */ - if (unlikely(head < 0)) - break; - /* Nothing new? Wait for eventfd to tell us they refilled. */ - if (head == vq->num) { - if (unlikely(vhost_enable_notify(&vs->dev, vq))) { - vhost_disable_notify(&vs->dev, vq); - continue; - } - break; - } + ret = vhost_scsi_get_desc(vs, vq, &vc); + if (ret) + goto err; /* - * Get the size of request and response buffers. + * Get the request type first in order to setup + * other parameters dependent on the type. */ - out_size = iov_length(vq->iov, out); - in_size = iov_length(&vq->iov[out], in); - - /* - * Copy over the virtio-scsi request header, which for a - * ANY_LAYOUT enabled guest may span multiple iovecs, or a - * single iovec may contain both the header + outgoing - * WRITE payloads. - * - * copy_from_iter() will advance out_iter, so that it will - * point at the start of the outgoing WRITE payload, if - * DMA_TO_DEVICE is set. - */ - iov_iter_init(&out_iter, WRITE, vq->iov, out, out_size); - - req = &v_req.type; + vc.req = &v_req.type; typ_size = sizeof(v_req.type); - if (unlikely(!copy_from_iter_full(req, typ_size, &out_iter))) { + if (unlikely(!copy_from_iter_full(vc.req, typ_size, + &vc.out_iter))) { vq_err(vq, "Faulted on copy_from_iter tmf type\n"); /* - * The size of the response buffer varies based on - * the request type and must be validated against it. + * The size of the response buffer depends on the + * request type and must be validated against it. * Since the request type is not known, don't send * a response. */ @@ -1166,17 +1248,19 @@ static void vhost_scsi_submission_work(struct work_struct *work) switch (v_req.type) { case VIRTIO_SCSI_T_TMF: - req = &v_req.tmf; - lunp = &v_req.tmf.lun[0]; - req_size = sizeof(struct virtio_scsi_ctrl_tmf_req); - rsp_size = sizeof(struct virtio_scsi_ctrl_tmf_resp); + vc.req = &v_req.tmf; + vc.req_size = sizeof(struct virtio_scsi_ctrl_tmf_req); + vc.rsp_size = sizeof(struct virtio_scsi_ctrl_tmf_resp); + vc.lunp = &v_req.tmf.lun[0]; + vc.target = &v_req.tmf.lun[1]; break; case VIRTIO_SCSI_T_AN_QUERY: case VIRTIO_SCSI_T_AN_SUBSCRIBE: - req = &v_req.an; - lunp = &v_req.an.lun[0]; - req_size = sizeof(struct virtio_scsi_ctrl_an_req); - rsp_size = sizeof(struct virtio_scsi_ctrl_an_resp); + vc.req = &v_req.an; + vc.req_size = sizeof(struct virtio_scsi_ctrl_an_req); + vc.rsp_size = sizeof(struct virtio_scsi_ctrl_an_resp); + vc.lunp = &v_req.an.lun[0]; + vc.target = NULL; break; default: vq_err(vq, "Unknown control request %d", v_req.type); @@ -1184,50 +1268,39 @@ static void vhost_scsi_submission_work(struct work_struct *work) } /* - * Check for a sane response buffer so we can report early - * errors back to the guest. + * Validate the size of request and response buffers. + * Check for a sane response buffer so we can report + * early errors back to the guest. */ - if (unlikely(in_size < rsp_size)) { - vq_err(vq, - "Resp buf too small, need min %zu bytes got %zu", - rsp_size, in_size); - /* - * Notifications are disabled at this point; - * continue so they can be eventually enabled - * when processing terminates. - */ - continue; - } + ret = vhost_scsi_chk_size(vq, &vc); + if (ret) + goto err; - if (unlikely(out_size < req_size)) { - vq_err(vq, - "Req buf too small, need min %zu bytes got %zu", - req_size, out_size); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } - - req += typ_size; - req_size -= typ_size; - - if (unlikely(!copy_from_iter_full(req, req_size, &out_iter))) { - vq_err(vq, "Faulted on copy_from_iter\n"); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } + /* + * Get the rest of the request now that its size is known. + */ + vc.req += typ_size; + vc.req_size -= typ_size; - /* virtio-scsi spec requires byte 0 of the lun to be 1 */ - if (unlikely(*lunp != 1)) { - vq_err(vq, "Illegal virtio-scsi lun: %u\n", *lunp); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } + ret = vhost_scsi_get_req(vq, &vc, NULL); + if (ret) + goto err; - if (v_req.type == VIRTIO_SCSI_T_TMF) { - pr_debug("%s tmf %d\n", __func__, v_req.tmf.subtype); - vhost_scsi_send_tmf_resp(vs, vq, head, out); - } else - vhost_scsi_send_an_resp(vs, vq, head, out); + if (v_req.type == VIRTIO_SCSI_T_TMF) + vhost_scsi_send_tmf_resp(vs, vq, &vc); + else + vhost_scsi_send_an_resp(vs, vq, &vc); +err: + /* + * ENXIO: No more requests, or read error, wait for next kick + * EINVAL: Invalid response buffer, drop the request + * EIO: Respond with bad target + * EAGAIN: Pending request + */ + if (ret == -ENXIO) + break; + else if (ret == -EIO) + vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out); } out: mutex_unlock(&vq->mutex); From patchwork Tue Dec 4 00:48:22 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bijan Mottahedeh X-Patchwork-Id: 10710991 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0372B17D5 for ; Tue, 4 Dec 2018 00:48:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E38CA2A88F for ; Tue, 4 Dec 2018 00:48:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D7C322A967; Tue, 4 Dec 2018 00:48:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D49BC2A8D1 for ; Tue, 4 Dec 2018 00:48:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726065AbeLDAsl (ORCPT ); Mon, 3 Dec 2018 19:48:41 -0500 Received: from aserp2120.oracle.com ([141.146.126.78]:60770 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726027AbeLDAsk (ORCPT ); Mon, 3 Dec 2018 19:48:40 -0500 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB40iuqP103494; Tue, 4 Dec 2018 00:48:35 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2018-07-02; bh=VLUPg9kQoxBgOS5AOifFjKNnY5UUG0oXvWi2U1izYKk=; b=Z6jTkkZU6BlGBp9/f+0XaUWKEPKAH7qR4RFsV14ejKu6j6hMUs7UCd3Ly33beMA58LEj x33qug2dJsy7jVIvl9R0EL6Dx+huC880uWP/fH+y7ZNsypEZfTfWQXnjRqFGn9pSu0mj phaOpnCijQtdtlwYRbQ5oyoBU45ZmOfiA+97QFLUyuAozyeha98qfttpnEHW87pS9Dad BDqYjqjTTXm8v/1DD5mEePc+Bw4qQCKOdc8m9EBILZwXsx0SoxYilQ5AvMsV9LcoMF9y GBIMk14HdG6NnlnV1fOH+d7UtiOBY4DbW9RGSZPhhcu3cyDFUMSyc1cHopxkwxMIJJGt 2g== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp2120.oracle.com with ESMTP id 2p3j8q9k6f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 04 Dec 2018 00:48:35 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mZNn019246 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 4 Dec 2018 00:48:35 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mYw0001248; Tue, 4 Dec 2018 00:48:34 GMT Received: from ca-ldom147.us.oracle.com (/10.129.68.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Dec 2018 16:48:34 -0800 From: Bijan Mottahedeh To: kvm@vger.kernel.org, target-devel@vger.kernel.org, mst@redhat.com Cc: jasowang@redhat.com, silviu.smarandache@oracle.com, bijan.mottahedeh@oracle.com Subject: [PATCH v2 3/4] vhost/scsi: Use common handling code in request queue handler Date: Mon, 3 Dec 2018 16:48:22 -0800 Message-Id: <1543884503-32281-4-git-send-email-bijan.mottahedeh@oracle.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> References: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9096 signatures=668686 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=9 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812040003 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Change the request queue handler to use common handling routines same as the control queue handler. Signed-off-by: Bijan Mottahedeh --- drivers/vhost/scsi.c | 361 +++++++++++++++++++++++---------------------------- 1 file changed, 164 insertions(+), 197 deletions(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index d8c7612..3eae17e 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -813,24 +813,120 @@ static void vhost_scsi_submission_work(struct work_struct *work) pr_err("Faulted on virtio_scsi_cmd_resp\n"); } +static int +vhost_scsi_get_desc(struct vhost_scsi *vs, struct vhost_virtqueue *vq, + struct vhost_scsi_ctx *vc) +{ + int ret = -ENXIO; + + vc->head = vhost_get_vq_desc(vq, vq->iov, + ARRAY_SIZE(vq->iov), &vc->out, &vc->in, + NULL, NULL); + + pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", + vc->head, vc->out, vc->in); + + /* On error, stop handling until the next kick. */ + if (unlikely(vc->head < 0)) + goto done; + + /* Nothing new? Wait for eventfd to tell us they refilled. */ + if (vc->head == vq->num) { + if (unlikely(vhost_enable_notify(&vs->dev, vq))) { + vhost_disable_notify(&vs->dev, vq); + ret = -EAGAIN; + } + goto done; + } + + /* + * Get the size of request and response buffers. + * FIXME: Not correct for BIDI operation + */ + vc->out_size = iov_length(vq->iov, vc->out); + vc->in_size = iov_length(&vq->iov[vc->out], vc->in); + + /* + * Copy over the virtio-scsi request header, which for a + * ANY_LAYOUT enabled guest may span multiple iovecs, or a + * single iovec may contain both the header + outgoing + * WRITE payloads. + * + * copy_from_iter() will advance out_iter, so that it will + * point at the start of the outgoing WRITE payload, if + * DMA_TO_DEVICE is set. + */ + iov_iter_init(&vc->out_iter, WRITE, vq->iov, vc->out, vc->out_size); + ret = 0; + +done: + return ret; +} + +static int +vhost_scsi_chk_size(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc) +{ + if (unlikely(vc->in_size < vc->rsp_size)) { + vq_err(vq, + "Response buf too small, need min %zu bytes got %zu", + vc->rsp_size, vc->in_size); + return -EINVAL; + } else if (unlikely(vc->out_size < vc->req_size)) { + vq_err(vq, + "Request buf too small, need min %zu bytes got %zu", + vc->req_size, vc->out_size); + return -EIO; + } + + return 0; +} + +static int +vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, + struct vhost_scsi_tpg **tpgp) +{ + int ret = -EIO; + + if (unlikely(!copy_from_iter_full(vc->req, vc->req_size, + &vc->out_iter))) { + vq_err(vq, "Faulted on copy_from_iter\n"); + } else if (unlikely(*vc->lunp != 1)) { + /* virtio-scsi spec requires byte 0 of the lun to be 1 */ + vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp); + } else { + struct vhost_scsi_tpg **vs_tpg, *tpg; + + vs_tpg = vq->private_data; /* validated at handler entry */ + + tpg = READ_ONCE(vs_tpg[*vc->target]); + if (unlikely(!tpg)) { + vq_err(vq, "Target 0x%x does not exist\n", *vc->target); + } else { + if (tpgp) + *tpgp = tpg; + ret = 0; + } + } + + return ret; +} + static void vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) { struct vhost_scsi_tpg **vs_tpg, *tpg; struct virtio_scsi_cmd_req v_req; struct virtio_scsi_cmd_req_pi v_req_pi; + struct vhost_scsi_ctx vc; struct vhost_scsi_cmd *cmd; - struct iov_iter out_iter, in_iter, prot_iter, data_iter; + struct iov_iter in_iter, prot_iter, data_iter; u64 tag; u32 exp_data_len, data_direction; - unsigned int out = 0, in = 0; - int head, ret, prot_bytes; - size_t req_size, rsp_size = sizeof(struct virtio_scsi_cmd_resp); - size_t out_size, in_size; + int ret, prot_bytes; u16 lun; - u8 *target, *lunp, task_attr; + u8 task_attr; bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI); - void *req, *cdb; + void *cdb; mutex_lock(&vq->mutex); /* @@ -841,85 +937,47 @@ static void vhost_scsi_submission_work(struct work_struct *work) if (!vs_tpg) goto out; + memset(&vc, 0, sizeof(vc)); + vc.rsp_size = sizeof(struct virtio_scsi_cmd_resp); + vhost_disable_notify(&vs->dev, vq); for (;;) { - head = vhost_get_vq_desc(vq, vq->iov, - ARRAY_SIZE(vq->iov), &out, &in, - NULL, NULL); - pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", - head, out, in); - /* On error, stop handling until the next kick. */ - if (unlikely(head < 0)) - break; - /* Nothing new? Wait for eventfd to tell us they refilled. */ - if (head == vq->num) { - if (unlikely(vhost_enable_notify(&vs->dev, vq))) { - vhost_disable_notify(&vs->dev, vq); - continue; - } - break; - } - /* - * Check for a sane response buffer so we can report early - * errors back to the guest. - */ - if (unlikely(vq->iov[out].iov_len < rsp_size)) { - vq_err(vq, "Expecting at least virtio_scsi_cmd_resp" - " size, got %zu bytes\n", vq->iov[out].iov_len); - break; - } + ret = vhost_scsi_get_desc(vs, vq, &vc); + if (ret) + goto err; + /* * Setup pointers and values based upon different virtio-scsi * request header if T10_PI is enabled in KVM guest. */ if (t10_pi) { - req = &v_req_pi; - req_size = sizeof(v_req_pi); - lunp = &v_req_pi.lun[0]; - target = &v_req_pi.lun[1]; + vc.req = &v_req_pi; + vc.req_size = sizeof(v_req_pi); + vc.lunp = &v_req_pi.lun[0]; + vc.target = &v_req_pi.lun[1]; } else { - req = &v_req; - req_size = sizeof(v_req); - lunp = &v_req.lun[0]; - target = &v_req.lun[1]; + vc.req = &v_req; + vc.req_size = sizeof(v_req); + vc.lunp = &v_req.lun[0]; + vc.target = &v_req.lun[1]; } - /* - * FIXME: Not correct for BIDI operation - */ - out_size = iov_length(vq->iov, out); - in_size = iov_length(&vq->iov[out], in); /* - * Copy over the virtio-scsi request header, which for a - * ANY_LAYOUT enabled guest may span multiple iovecs, or a - * single iovec may contain both the header + outgoing - * WRITE payloads. - * - * copy_from_iter() will advance out_iter, so that it will - * point at the start of the outgoing WRITE payload, if - * DMA_TO_DEVICE is set. + * Validate the size of request and response buffers. + * Check for a sane response buffer so we can report + * early errors back to the guest. */ - iov_iter_init(&out_iter, WRITE, vq->iov, out, out_size); + ret = vhost_scsi_chk_size(vq, &vc); + if (ret) + goto err; - if (unlikely(!copy_from_iter_full(req, req_size, &out_iter))) { - vq_err(vq, "Faulted on copy_from_iter\n"); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } - /* virtio-scsi spec requires byte 0 of the lun to be 1 */ - if (unlikely(*lunp != 1)) { - vq_err(vq, "Illegal virtio-scsi lun: %u\n", *lunp); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } + ret = vhost_scsi_get_req(vq, &vc, &tpg); + if (ret) + goto err; + + ret = -EIO; /* bad target on any error from here on */ - tpg = READ_ONCE(vs_tpg[*target]); - if (unlikely(!tpg)) { - /* Target does not exist, fail the request */ - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; - } /* * Determine data_direction by calculating the total outgoing * iovec sizes + incoming iovec sizes vs. virtio-scsi request + @@ -937,17 +995,17 @@ static void vhost_scsi_submission_work(struct work_struct *work) */ prot_bytes = 0; - if (out_size > req_size) { + if (vc.out_size > vc.req_size) { data_direction = DMA_TO_DEVICE; - exp_data_len = out_size - req_size; - data_iter = out_iter; - } else if (in_size > rsp_size) { + exp_data_len = vc.out_size - vc.req_size; + data_iter = vc.out_iter; + } else if (vc.in_size > vc.rsp_size) { data_direction = DMA_FROM_DEVICE; - exp_data_len = in_size - rsp_size; + exp_data_len = vc.in_size - vc.rsp_size; - iov_iter_init(&in_iter, READ, &vq->iov[out], in, - rsp_size + exp_data_len); - iov_iter_advance(&in_iter, rsp_size); + iov_iter_init(&in_iter, READ, &vq->iov[vc.out], vc.in, + vc.rsp_size + exp_data_len); + iov_iter_advance(&in_iter, vc.rsp_size); data_iter = in_iter; } else { data_direction = DMA_NONE; @@ -963,16 +1021,14 @@ static void vhost_scsi_submission_work(struct work_struct *work) if (data_direction != DMA_TO_DEVICE) { vq_err(vq, "Received non zero pi_bytesout," " but wrong data_direction\n"); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; + goto err; } prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesout); } else if (v_req_pi.pi_bytesin) { if (data_direction != DMA_FROM_DEVICE) { vq_err(vq, "Received non zero pi_bytesin," " but wrong data_direction\n"); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; + goto err; } prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesin); } @@ -1009,8 +1065,7 @@ static void vhost_scsi_submission_work(struct work_struct *work) vq_err(vq, "Received SCSI CDB with command_size: %d that" " exceeds SCSI_MAX_VARLEN_CDB_SIZE: %d\n", scsi_command_size(cdb), VHOST_SCSI_MAX_CDB_SIZE); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; + goto err; } cmd = vhost_scsi_get_tag(vq, tpg, cdb, tag, lun, task_attr, exp_data_len + prot_bytes, @@ -1018,13 +1073,12 @@ static void vhost_scsi_submission_work(struct work_struct *work) if (IS_ERR(cmd)) { vq_err(vq, "vhost_scsi_get_tag failed %ld\n", PTR_ERR(cmd)); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; + goto err; } cmd->tvc_vhost = vs; cmd->tvc_vq = vq; - cmd->tvc_resp_iov = vq->iov[out]; - cmd->tvc_in_iovs = in; + cmd->tvc_resp_iov = vq->iov[vc.out]; + cmd->tvc_in_iovs = vc.in; pr_debug("vhost_scsi got command opcode: %#02x, lun: %d\n", cmd->tvc_cdb[0], cmd->tvc_lun); @@ -1032,14 +1086,12 @@ static void vhost_scsi_submission_work(struct work_struct *work) " %d\n", cmd, exp_data_len, prot_bytes, data_direction); if (data_direction != DMA_NONE) { - ret = vhost_scsi_mapal(cmd, - prot_bytes, &prot_iter, - exp_data_len, &data_iter); - if (unlikely(ret)) { + if (unlikely(vhost_scsi_mapal(cmd, prot_bytes, + &prot_iter, exp_data_len, + &data_iter))) { vq_err(vq, "Failed to map iov to sgl\n"); vhost_scsi_release_cmd(&cmd->tvc_se_cmd); - vhost_scsi_send_bad_target(vs, vq, head, out); - continue; + goto err; } } /* @@ -1047,7 +1099,7 @@ static void vhost_scsi_submission_work(struct work_struct *work) * complete the virtio-scsi request in TCM callback context via * vhost_scsi_queue_data_in() and vhost_scsi_queue_status() */ - cmd->tvc_vq_desc = head; + cmd->tvc_vq_desc = vc.head; /* * Dispatch cmd descriptor for cmwq execution in process * context provided by vhost_scsi_workqueue. This also ensures @@ -1056,112 +1108,27 @@ static void vhost_scsi_submission_work(struct work_struct *work) */ INIT_WORK(&cmd->work, vhost_scsi_submission_work); queue_work(vhost_scsi_workqueue, &cmd->work); + ret = 0; +err: + /* + * ENXIO: No more requests, or read error, wait for next kick + * EINVAL: Invalid response buffer, drop the request + * EIO: Respond with bad target + * EAGAIN: Pending request + */ + if (ret == -ENXIO) + break; + else if (ret == -EIO) + vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out); } out: mutex_unlock(&vq->mutex); } -static int -vhost_scsi_get_desc(struct vhost_scsi *vs, struct vhost_virtqueue *vq, - struct vhost_scsi_ctx *vc) -{ - int ret = -ENXIO; - - vc->head = vhost_get_vq_desc(vq, vq->iov, - ARRAY_SIZE(vq->iov), &vc->out, &vc->in, - NULL, NULL); - - pr_debug("vhost_get_vq_desc: head: %d, out: %u in: %u\n", - vc->head, vc->out, vc->in); - - /* On error, stop handling until the next kick. */ - if (unlikely(vc->head < 0)) - goto done; - - /* Nothing new? Wait for eventfd to tell us they refilled. */ - if (vc->head == vq->num) { - if (unlikely(vhost_enable_notify(&vs->dev, vq))) { - vhost_disable_notify(&vs->dev, vq); - ret = -EAGAIN; - } - goto done; - } - - /* - * Get the size of request and response buffers. - */ - vc->out_size = iov_length(vq->iov, vc->out); - vc->in_size = iov_length(&vq->iov[vc->out], vc->in); - - /* - * Copy over the virtio-scsi request header, which for a - * ANY_LAYOUT enabled guest may span multiple iovecs, or a - * single iovec may contain both the header + outgoing - * WRITE payloads. - * - * copy_from_iter() will advance out_iter, so that it will - * point at the start of the outgoing WRITE payload, if - * DMA_TO_DEVICE is set. - */ - iov_iter_init(&vc->out_iter, WRITE, vq->iov, vc->out, vc->out_size); - ret = 0; - -done: - return ret; -} - -static int -vhost_scsi_chk_size(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc) -{ - if (unlikely(vc->in_size < vc->rsp_size)) { - vq_err(vq, - "Response buf too small, need min %zu bytes got %zu", - vc->rsp_size, vc->in_size); - return -EINVAL; - } else if (unlikely(vc->out_size < vc->req_size)) { - vq_err(vq, - "Request buf too small, need min %zu bytes got %zu", - vc->req_size, vc->out_size); - return -EIO; - } - - return 0; -} - -static int -vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, - struct vhost_scsi_tpg **tpgp) -{ - int ret = -EIO; - - if (unlikely(!copy_from_iter_full(vc->req, vc->req_size, - &vc->out_iter))) - vq_err(vq, "Faulted on copy_from_iter\n"); - else if (unlikely(*vc->lunp != 1)) - /* virtio-scsi spec requires byte 0 of the lun to be 1 */ - vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp); - else { - struct vhost_scsi_tpg **vs_tpg, *tpg; - - vs_tpg = vq->private_data; /* validated at handler entry */ - - tpg = READ_ONCE(vs_tpg[*vc->target]); - if (unlikely(!tpg)) - vq_err(vq, "Target 0x%x does not exist\n", *vc->target); - else { - if (tpgp) - *tpgp = tpg; - ret = 0; - } - } - - return ret; -} - static void -vhost_scsi_send_tmf_resp(struct vhost_scsi *vs, - struct vhost_virtqueue *vq, - struct vhost_scsi_ctx *vc) +vhost_scsi_send_tmf_reject(struct vhost_scsi *vs, + struct vhost_virtqueue *vq, + struct vhost_scsi_ctx *vc) { struct virtio_scsi_ctrl_tmf_resp __user *resp; struct virtio_scsi_ctrl_tmf_resp rsp; @@ -1287,7 +1254,7 @@ static void vhost_scsi_submission_work(struct work_struct *work) goto err; if (v_req.type == VIRTIO_SCSI_T_TMF) - vhost_scsi_send_tmf_resp(vs, vq, &vc); + vhost_scsi_send_tmf_reject(vs, vq, &vc); else vhost_scsi_send_an_resp(vs, vq, &vc); err: From patchwork Tue Dec 4 00:48:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bijan Mottahedeh X-Patchwork-Id: 10710987 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2517A1057 for ; Tue, 4 Dec 2018 00:48:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 479042A304 for ; Tue, 4 Dec 2018 00:48:41 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3813B2A2C4; Tue, 4 Dec 2018 00:48:41 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DCCE229FD1 for ; Tue, 4 Dec 2018 00:48:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726042AbeLDAsk (ORCPT ); Mon, 3 Dec 2018 19:48:40 -0500 Received: from aserp2120.oracle.com ([141.146.126.78]:60768 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725903AbeLDAsj (ORCPT ); Mon, 3 Dec 2018 19:48:39 -0500 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB40ivnk103497; Tue, 4 Dec 2018 00:48:36 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references; s=corp-2018-07-02; bh=/BTOL+zkRMSAORepvzvomd+jpAoklWlptgWKYeFIPAY=; b=F5LVhXPDvigc52+9AxKEWMogjsJK4F8bPfkRAdHK7S1P5siO/v0MdK+S8pUA0psYVsr4 R4H5BiFucal5KtvNvJQ7GW1ZHkxWOZnqarD5Mt99Tf24XhN3YFzKc3LuolubZRTnjsru m5BW06XeHMw8XMry5ePrFtMOSD74isVMixWfXnHh25dmWU1svAgcwDwffZFqFTs+1ilE Otm2IzcvlXPXbXIkU61pzSq6EZ1BZ8nyPVyvtCAjgbTya8zi8GpL4uYAhHPDKyjBn/PM Q1HS9JBLGme78X4T1r9Hg1Pzy7VrNTQP24Jeq5p5x6xCmtp7LOiKxcERJiP8TPBk5ajZ 6Q== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp2120.oracle.com with ESMTP id 2p3j8q9k6g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 04 Dec 2018 00:48:36 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wB40mZsm028874 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 4 Dec 2018 00:48:35 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wB40mZkp027117; Tue, 4 Dec 2018 00:48:35 GMT Received: from ca-ldom147.us.oracle.com (/10.129.68.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Dec 2018 16:48:34 -0800 From: Bijan Mottahedeh To: kvm@vger.kernel.org, target-devel@vger.kernel.org, mst@redhat.com Cc: jasowang@redhat.com, silviu.smarandache@oracle.com, bijan.mottahedeh@oracle.com Subject: [PATCH v2 4/4] vhost/scsi: Use copy_to_iter() to send control queue response Date: Mon, 3 Dec 2018 16:48:23 -0800 Message-Id: <1543884503-32281-5-git-send-email-bijan.mottahedeh@oracle.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> References: <1543884503-32281-1-git-send-email-bijan.mottahedeh@oracle.com> X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9096 signatures=668686 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=979 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812040003 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Uses copy_to_iter() instead of __copy_to_user() in order to ensure user address range validation through access_ok(). Signed-off-by: Bijan Mottahedeh --- drivers/vhost/scsi.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index 3eae17e..28c9cb6 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -1130,16 +1130,18 @@ static void vhost_scsi_submission_work(struct work_struct *work) struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc) { - struct virtio_scsi_ctrl_tmf_resp __user *resp; struct virtio_scsi_ctrl_tmf_resp rsp; + struct iov_iter iov_iter; int ret; pr_debug("%s\n", __func__); memset(&rsp, 0, sizeof(rsp)); rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; - resp = vq->iov[vc->out].iov_base; - ret = __copy_to_user(resp, &rsp, sizeof(rsp)); - if (!ret) + + iov_iter_init(&iov_iter, READ, &vq->iov[vc->out], vc->in, sizeof(rsp)); + + ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter); + if (likely(ret == sizeof(rsp))) vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); else pr_err("Faulted on virtio_scsi_ctrl_tmf_resp\n"); @@ -1150,16 +1152,18 @@ static void vhost_scsi_submission_work(struct work_struct *work) struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc) { - struct virtio_scsi_ctrl_an_resp __user *resp; struct virtio_scsi_ctrl_an_resp rsp; + struct iov_iter iov_iter; int ret; pr_debug("%s\n", __func__); memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */ rsp.response = VIRTIO_SCSI_S_OK; - resp = vq->iov[vc->out].iov_base; - ret = __copy_to_user(resp, &rsp, sizeof(rsp)); - if (!ret) + + iov_iter_init(&iov_iter, READ, &vq->iov[vc->out], vc->in, sizeof(rsp)); + + ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter); + if (likely(ret == sizeof(rsp))) vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); else pr_err("Faulted on virtio_scsi_ctrl_an_resp\n");