On Tue, 23 Mar 2021 22:24:30 +0100, mwilck@xxxxxxxx wrote:

> pscsi_map_sg() uses the variable nr_pages as a hint for bio_kmalloc()
> how many vector elements to allocate. If nr_pages is < BIO_MAX_PAGES,
> it will be reset to 0 after successful allocation of the bio.
>
> If bio_add_pc_page() fails later for whatever reason, pscsi_map_sg()
> tries to allocate another bio, passing nr_vecs=0. This causes
> bio_add_pc_page() to fail immediately in the next call. pci_map_sg()
> continues to allocate zero-length bios until memory is exhausted and
> the kernel crashes with OOM. This can be easily observed by exporting
> a SATA DVD drive via pscsi. The target crashes as soon as the client
> tries to access the DVD LUN. In the case I analyzed, bio_add_pc_page()
> would fail because the DVD device's max_sectors_kb (128) was
> exceeded.
>
> [...]

Applied to 5.12/scsi-fixes, thanks!

[1/2] target: pscsi: avoid OOM in pscsi_map_sg()
      https://git.kernel.org/mkp/scsi/c/077ce028b8e0
[2/2] target: pscsi: cleanup after failure in pscsi_map_sg()
      https://git.kernel.org/mkp/scsi/c/36fa766faa0c

--
Martin K. Petersen
Oracle Linux Engineering
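
The failure mode described in the quoted commit message, as a user-space model added here; it is not code from the patches or from the kernel. All `model_*` names, `MAX_VECS`, `ALLOC_CAP`, the 4 KiB page size and the `keep_hint` variant (one way to keep the hint from reaching zero, not necessarily what the applied patch does) are assumptions; the limit of 256 sectors corresponds to the max_sectors_kb of 128 mentioned in the mail.

```c
#include <stdio.h>

#define MAX_VECS  256   /* stand-in for BIO_MAX_PAGES (assumed value) */
#define ALLOC_CAP 1000  /* model-only guard; the kernel loop has none */
#define PAGE_SECT 8     /* assumed 4 KiB page = 8 sectors of 512 bytes */

struct model_bio { int max_vecs, vcnt, sectors; };

/* Fails when no vector slot is free or the device transfer limit is hit. */
static int model_add_page(struct model_bio *b, int max_sectors)
{
    if (b->vcnt >= b->max_vecs || b->sectors + PAGE_SECT > max_sectors)
        return 0;
    b->vcnt++;
    b->sectors += PAGE_SECT;
    return 1;
}

/* Returns how many bios were allocated to map `pages` pages, or -1 if
 * the loop stopped making progress and ran into ALLOC_CAP. */
int model_map_sg(int pages, int max_sectors, int keep_hint)
{
    struct model_bio bio = { 0, 0, 0 };
    int nr_pages = pages, mapped = 0, allocs = 0, have_bio = 0;

    while (mapped < pages) {
        if (!have_bio) {
            if (++allocs > ALLOC_CAP)
                return -1;
            if (keep_hint)      /* hint = pages still unmapped */
                nr_pages = pages - mapped;
            bio.max_vecs = nr_pages < MAX_VECS ? nr_pages : MAX_VECS;
            bio.vcnt = bio.sectors = 0;
            nr_pages -= bio.max_vecs;   /* drops to 0 for small requests */
            have_bio = 1;
        }
        if (model_add_page(&bio, max_sectors))
            mapped++;
        else
            have_bio = 0;   /* bio is full: retry the page in a new one */
    }
    return allocs;
}

int main(void)
{
    printf("hint reset to 0: %d, hint recomputed: %d\n",
           model_map_sg(64, 256, 0), model_map_sg(64, 256, 1));
    return 0;
}
```

A 64-page request against the 256-sector limit never finishes when the hint has been consumed (-1 in the model), while the same request completes in two bios once the hint tracks the pages still unmapped.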