Re: [PATCH 3/3] tcm_qla2xxx: Fix FCP WRITE data corruption bug

"Madhu Iyengar" <mni@xxxxxxxxxxxxxxxxxxxxx> · Fri, 23 Sep 2011 20:09:22 -0500

Nic,

This looks fine to me.

Cheers,
Madhu

-----Original Message----- 
From: Nicholas A. Bellinger
Sent: Friday, September 23, 2011 4:11 AM
To: target-devel
Cc: Roland Dreier ; Madhuranath Iyengar ; Nicholas Bellinger
Subject: [PATCH 3/3] tcm_qla2xxx: Fix FCP WRITE data corruption bug

From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>

This patch fixes a potential FCP WRITE data corruption bug where
tcm_qla2xxx_handle_data() could be called via qla2x_tmpl->handle_data()
within an qla_target.c:qla_tgt_do_ctio_completion() exception path
during link layer failure before receiving the complete WRITE payload.

This patch addresses the scenario by adding an explict check for
qla_tgt_cmd->write_data_transferred == 1 within tcm_qla2xxx_handle_data()
to force a return of CHECK_CONDITION when this occurs.  We expect that
qla_tgt_cmd->write_data_transferred = 1 is only set within
qla_tgt_do_ctio_completion() with non exception status during
qla_tgt_cmd->state == QLA_TGT_STATE_NEED_DATA in order to signal that
the complete WRITE payload has been receieved.

Reported-by: Roland Dreier <roland@xxxxxxxxxxxxxxx>
Cc: Madhuranath Iyengar <mni@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxxxxxxxx>
---
drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c |   10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c 
b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
index 30a8987..b6b594a 100644
--- a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
+++ b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
@@ -749,6 +749,16 @@ int tcm_qla2xxx_new_cmd_map(struct se_cmd *se_cmd)
int tcm_qla2xxx_handle_data(struct qla_tgt_cmd *cmd)
{
 /*
+ * Ensure that the complete FCP WRITE payload has been received.
+ * Otherwise return an exception via CHECK_CONDITION status.
+ */
+ if (!cmd->write_data_transferred) {
+ cmd->locked_rsp = 0;
+
+ return transport_send_check_condition_and_sense(&cmd->se_cmd,
+ TCM_CHECK_CONDITION_ABORT_CMD, 0);
+ }
+ /*
 * We now tell TCM to queue this WRITE CDB with TRANSPORT_PROCESS_WRITE
 * status to the backstore processing thread.
 */
--
1.7.2.5 

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





