[PATCH 3/3] tcm_qla2xxx: Fix FCP WRITE data corruption bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>

This patch fixes a potential FCP WRITE data corruption bug where
tcm_qla2xxx_handle_data() could be called via qla2x_tmpl->handle_data()
within an qla_target.c:qla_tgt_do_ctio_completion() exception path
during link layer failure before receiving the complete WRITE payload.

This patch addresses the scenario by adding an explict check for
qla_tgt_cmd->write_data_transferred == 1 within tcm_qla2xxx_handle_data()
to force a return of CHECK_CONDITION when this occurs.  We expect that
qla_tgt_cmd->write_data_transferred = 1 is only set within
qla_tgt_do_ctio_completion() with non exception status during
qla_tgt_cmd->state == QLA_TGT_STATE_NEED_DATA in order to signal that
the complete WRITE payload has been receieved.

Reported-by: Roland Dreier <roland@xxxxxxxxxxxxxxx>
Cc: Madhuranath Iyengar <mni@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxxxxxxxx>
---
 drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
index 30a8987..b6b594a 100644
--- a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
+++ b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
@@ -749,6 +749,16 @@ int tcm_qla2xxx_new_cmd_map(struct se_cmd *se_cmd)
 int tcm_qla2xxx_handle_data(struct qla_tgt_cmd *cmd)
 {
 	/*
+	 * Ensure that the complete FCP WRITE payload has been received.
+	 * Otherwise return an exception via CHECK_CONDITION status.
+	 */
+	if (!cmd->write_data_transferred) {
+		cmd->locked_rsp = 0;		
+
+		return transport_send_check_condition_and_sense(&cmd->se_cmd,
+				TCM_CHECK_CONDITION_ABORT_CMD, 0);
+	}
+	/*
 	 * We now tell TCM to queue this WRITE CDB with TRANSPORT_PROCESS_WRITE
 	 * status to the backstore processing thread.
 	 */
-- 
1.7.2.5

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux SCSI]     [Kernel Newbies]     [Linux SCSI Target Infrastructure]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Device Mapper]

  Powered by Linux