From patchwork Tue Feb 28 05:47:08 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Xiubo Li <lixiubo@cmss.chinamobile.com>
X-Patchwork-Id: 9594721
Return-Path: <target-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	04C78601D7 for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 28 Feb 2017 05:49:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E70FB284F5
	for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 28 Feb 2017 05:49:23 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D9082284FE; Tue, 28 Feb 2017 05:49:23 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0C42C284EF
	for <patchwork-target-devel@patchwork.kernel.org>;
	Tue, 28 Feb 2017 05:49:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751248AbdB1FtW (ORCPT
	<rfc822;patchwork-target-devel@patchwork.kernel.org>);
	Tue, 28 Feb 2017 00:49:22 -0500
Received: from cmccmta1.chinamobile.com ([221.176.66.79]:13914 "EHLO
	cmccmta1.chinamobile.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750712AbdB1FtV (ORCPT
	<rfc822;target-devel@vger.kernel.org>);
	Tue, 28 Feb 2017 00:49:21 -0500
Received: from spf.mail.chinamobile.com (unknown[172.16.121.7]) by
	rmmx-syy-dmz-app01-12001 (RichMail) with SMTP id
	2ee158b50edd0d1-93646; Tue, 28 Feb 2017 13:47:09 +0800 (CST)
X-RM-TRANSID: 2ee158b50edd0d1-93646
X-RM-SPAM-FLAG: 00000000
Received: from promote.cache-dns.local.cache-dns.local
	(unknown[223.105.0.130])
	by rmsmtp-syy-appsvr04-12004 (RichMail) with SMTP id
	2ee458b50edc573-6ba88; Tue, 28 Feb 2017 13:47:09 +0800 (CST)
X-RM-TRANSID: 2ee458b50edc573-6ba88
From: lixiubo@cmss.chinamobile.com
To: agrover@redhat.com, nab@linux-iscsi.org
Cc: shli@kernel.org, sheng@yasker.org, linux-scsi@vger.kernel.org,
	target-devel@vger.kernel.org, namei.unix@gmail.com,
	mchristi@redhat.com, Xiubo Li <lixiubo@cmss.chinamobile.com>
Subject: [PATCH] target/user: Fix possible overwrite of t_data_sg's last
	iov[]
Date: Tue, 28 Feb 2017 13:47:08 +0800
Message-Id: <1488260828-28167-1-git-send-email-lixiubo@cmss.chinamobile.com>
X-Mailer: git-send-email 1.8.3.1
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Xiubo Li <lixiubo@cmss.chinamobile.com>

If there has BIDI data, its first iov[] will overwrite the last
iov[] for se_cmd->t_data_sg.

To fix this, we can just increase the iov pointer, but this may
introuduce a new memory leakage bug: If the se_cmd->data_length
and se_cmd->t_bidi_data_sg->length are all not aligned up to the
DATA_BLOCK_SIZE, the actual length needed maybe larger than just
sum of them.

So, this could be avoided by rounding all the data lengthes up
to DATA_BLOCK_SIZE.

Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
---
 drivers/target/target_core_user.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 2e33100..59a18fd 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -429,10 +429,11 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
 
 	mb = udev->mb_addr;
 	cmd_head = mb->cmd_head % udev->cmdr_size; /* UAM */
-	data_length = se_cmd->data_length;
+	data_length = round_up(se_cmd->data_length, DATA_BLOCK_SIZE);
 	if (se_cmd->se_cmd_flags & SCF_BIDI) {
 		BUG_ON(!(se_cmd->t_bidi_data_sg && se_cmd->t_bidi_data_nents));
-		data_length += se_cmd->t_bidi_data_sg->length;
+		data_length += round_up(se_cmd->t_bidi_data_sg->length,
+				DATA_BLOCK_SIZE);
 	}
 	if ((command_size > (udev->cmdr_size / 2)) ||
 	    data_length > udev->data_size) {
@@ -503,10 +504,14 @@ static bool is_ring_space_avail(struct tcmu_dev *udev, size_t cmd_size, size_t d
 	entry->req.iov_dif_cnt = 0;
 
 	/* Handle BIDI commands */
-	iov_cnt = 0;
-	alloc_and_scatter_data_area(udev, se_cmd->t_bidi_data_sg,
-		se_cmd->t_bidi_data_nents, &iov, &iov_cnt, false);
-	entry->req.iov_bidi_cnt = iov_cnt;
+	if (se_cmd->se_cmd_flags & SCF_BIDI) {
+		iov_cnt = 0;
+		iov++;
+		alloc_and_scatter_data_area(udev, se_cmd->t_bidi_data_sg,
+				se_cmd->t_bidi_data_nents, &iov, &iov_cnt,
+				false);
+		entry->req.iov_bidi_cnt = iov_cnt;
+	}
 
 	/* cmd's data_bitmap is what changed in process */
 	bitmap_xor(tcmu_cmd->data_bitmap, old_bitmap, udev->data_bitmap,