From: "Nicholas A. Bellinger"
To: target-devel
Cc: linux-scsi, kvm-devel, Paolo Bonzini, "Michael S. Tsirkin", Al Viro, Christoph Hellwig, Nicholas Bellinger
Subject: [PATCH-v4 2/8] vhost/scsi: Fix incorrect early vhost_scsi_handle_vq failures
Date: Fri, 6 Feb 2015 05:06:35 +0000
Message-Id: <1423199201-14659-3-git-send-email-nab@daterainc.com>
In-Reply-To: <1423199201-14659-1-git-send-email-nab@daterainc.com>
References: <1423199201-14659-1-git-send-email-nab@daterainc.com>
X-Patchwork-Submitter: "Nicholas A. Bellinger"
X-Patchwork-Id: 5788551

From: Nicholas Bellinger

This patch fixes vhost_scsi_handle_vq() failure cases that result in BUG_ON() getting triggered when vhost_scsi_free_cmd() is called, and ->tvc_se_cmd has not been initialized by target_submit_cmd_map_sgls().

It changes tcm_vhost_release_cmd() to use tcm_vhost_cmd->tvc_nexus for obtaining se_session pointer reference. Also, avoid calling put_page() on NULL sg->page entries in vhost_scsi_map_to_sgl() failure path.

Cc: Michael S. Tsirkin
Cc: Paolo Bonzini
Signed-off-by: Nicholas Bellinger
---
 drivers/vhost/scsi.c | 52 +++++++++++++++++++++++++++++-----------------------
 1 file changed, 29 insertions(+), 23 deletions(-)

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 29dfdf6..62de820 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -462,7 +462,7 @@ static void tcm_vhost_release_cmd(struct se_cmd *se_cmd) { struct tcm_vhost_cmd *tv_cmd = container_of(se_cmd, struct tcm_vhost_cmd, tvc_se_cmd); - struct se_session *se_sess = se_cmd->se_sess; + struct se_session *se_sess = tv_cmd->tvc_nexus->tvn_se_sess; int i; if (tv_cmd->tvc_sgl_count) { @@ -864,9 +864,11 @@ vhost_scsi_map_iov_to_sgl(struct tcm_vhost_cmd *cmd, ret = vhost_scsi_map_to_sgl(cmd, sg, sgl_count, &iov[i], cmd->tvc_upages, write); if (ret < 0) { - for (i = 0; i < cmd->tvc_sgl_count; i++) - put_page(sg_page(&cmd->tvc_sgl[i])); - + for (i = 0; i < cmd->tvc_sgl_count; i++) { + struct page *page = sg_page(&cmd->tvc_sgl[i]); + if (page) + put_page(page); + } cmd->tvc_sgl_count = 0; return ret; } @@ -905,9 +907,11 @@ vhost_scsi_map_iov_to_prot(struct tcm_vhost_cmd *cmd, ret = vhost_scsi_map_to_sgl(cmd, prot_sg, prot_sgl_count, &iov[i], cmd->tvc_upages, write); if (ret < 0) { - for (i = 0; i < cmd->tvc_prot_sgl_count; i++) - put_page(sg_page(&cmd->tvc_prot_sgl[i])); - + for (i = 0; i < cmd->tvc_prot_sgl_count; i++) { + struct page *page = sg_page(&cmd->tvc_prot_sgl[i]); + if (page) + put_page(page); + } cmd->tvc_prot_sgl_count = 0; return ret; } @@ -1065,12 +1069,14 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) if (unlikely(vq->iov[0].iov_len < req_size)) { pr_err("Expecting virtio-scsi header: %zu, got %zu\n", req_size, vq->iov[0].iov_len); - break; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } ret = memcpy_fromiovecend(req, &vq->iov[0], 0, req_size); if (unlikely(ret)) { vq_err(vq, "Faulted on virtio_scsi_cmd_req\n"); - break; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } /* virtio-scsi spec requires byte 0 of the lun to be 1 */ 
@@ -1101,14 +1107,16 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) if (data_direction != DMA_TO_DEVICE) { vq_err(vq, "Received non zero do_pi_niov" ", but wrong data_direction\n"); - goto err_cmd; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesout); } else if (v_req_pi.pi_bytesin) { if (data_direction != DMA_FROM_DEVICE) { vq_err(vq, "Received non zero di_pi_niov" ", but wrong data_direction\n"); - goto err_cmd; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesin); } @@ -1148,7 +1156,8 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) vq_err(vq, "Received SCSI CDB with command_size: %d that" " exceeds SCSI_MAX_VARLEN_CDB_SIZE: %d\n", scsi_command_size(cdb), TCM_VHOST_MAX_CDB_SIZE); - goto err_cmd; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } cmd = vhost_scsi_get_tag(vq, tpg, cdb, tag, lun, task_attr, @@ -1157,7 +1166,8 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) if (IS_ERR(cmd)) { vq_err(vq, "vhost_scsi_get_tag failed %ld\n", PTR_ERR(cmd)); - goto err_cmd; + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } pr_debug("Allocated tv_cmd: %p exp_data_len: %d, data_direction" @@ -1178,7 +1188,9 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) if (unlikely(ret)) { vq_err(vq, "Failed to map iov to" " prot_sgl\n"); - goto err_free; + tcm_vhost_release_cmd(&cmd->tvc_se_cmd); + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } } if (data_direction != DMA_NONE) { @@ -1187,7 +1199,9 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) data_direction == DMA_FROM_DEVICE); if (unlikely(ret)) { vq_err(vq, "Failed to map iov to sgl\n"); - goto err_free; + tcm_vhost_release_cmd(&cmd->tvc_se_cmd); + vhost_scsi_send_bad_target(vs, vq, head, out); + continue; } } /* 
@@ -1205,14 +1219,6 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) INIT_WORK(&cmd->work, tcm_vhost_submission_work); queue_work(tcm_vhost_workqueue, &cmd->work); } - - mutex_unlock(&vq->mutex); - return; - -err_free: - vhost_scsi_free_cmd(cmd); -err_cmd: - vhost_scsi_send_bad_target(vs, vq, head, out); out: mutex_unlock(&vq->mutex); }
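Review bot: In the tcm_vhost_release_cmd() hunk (@@ -462), the new initializer `tv_cmd->tvc_nexus->tvn_se_sess` dereferences tvc_nexus unconditionally, so every caller now depends on tvc_nexus having been set before release can run. The new early-failure callers in vhost_scsi_handle_vq() reach this function right after vhost_scsi_get_tag() and before the command is submitted, and nothing in the visible lines shows where tvc_nexus is assigned. Please add a short comment here stating that vhost_scsi_get_tag() always sets tvc_nexus before returning a command, or guard the dereference, so a later reordering in get_tag does not turn this into a NULL dereference on a guest-triggerable path.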
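Review bot: In the two mapping error paths (@@ -864 in vhost_scsi_map_iov_to_sgl() and @@ -905 in vhost_scsi_map_iov_to_prot()), the `if (page)` test only protects against entries that are guaranteed to be NULL when they were never mapped. If the tvc_sgl or tvc_prot_sgl array can still hold page pointers from an earlier use of the same tcm_vhost_cmd, a stale non-NULL entry passes the test and gets an extra put_page(). Please confirm the table is cleared before mapping starts, or walk only the entries that were actually mapped in this call. The two loops are now identical apart from the array and count, so a small helper would remove the duplication, and kernel style wants a blank line between the `struct page *page = ...` declaration and the `if (page)` that follows it.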
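Review bot: In the vhost_scsi_handle_vq() hunks from @@ -1065 through @@ -1157, replacing `break` and `goto err_cmd` with `vhost_scsi_send_bad_target(); continue;` changes behaviour beyond the BUG_ON() fix the commit message describes: a bad request no longer ends processing of the virtqueue, and the two header checks that used to `break` without a response now answer the guest. That looks like the right direction, but it should be stated in the commit message. It also means the context line `pr_err("Expecting virtio-scsi header: ...")` can now fire once per malformed descriptor instead of once per loop exit, which gives a guest a way to flood the host log. Consider vq_err(), as the neighbouring checks use, or pr_err_ratelimited() for that message.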
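Review bot: In the mapping-failure hunks (@@ -1178 and @@ -1187), `tcm_vhost_release_cmd(&cmd->tvc_se_cmd)` is called on an se_cmd that, per the commit message, has not been initialized by target_submit_cmd_map_sgls() at this point. It is safe only because release now goes through container_of() and tvc_nexus and reads nothing from se_cmd itself, which is easy to break later. A helper that takes the struct tcm_vhost_cmd pointer directly, with tcm_vhost_release_cmd() as a thin wrapper, would make that contract explicit. The release, send_bad_target and continue sequence is also repeated at both sites, and the send_bad_target and continue pair at six more. A single error label inside the loop body would keep the cleanup in one place, as the removed err_free/err_cmd labels did. Finally, the last hunk (@@ -1205) drops the only visible call to vhost_scsi_free_cmd(). If no other caller remains, remove the function in this patch as well.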