• Nicholas Bellinger's avatar
    target: Fix ->data_length re-assignment bug with SCSI overflow · 4c054ba6
    Nicholas Bellinger authored
    This patch fixes a long-standing bug with SCSI overflow handling
    where se_cmd->data_length was incorrectly being re-assigned to
    the larger CDB extracted allocation length, resulting in a number
    of fabric level errors that would end up causing a session reset
    in most cases.  So instead now:
    
     - Only re-assign se_cmd->data_length durining UNDERFLOW (to use the
       smaller value)
     - Use existing se_cmd->data_length for OVERFLOW (to use the smaller
       value)
    
    This fix has been tested with the following CDB to generate an
    SCSI overflow:
    
      sg_raw -r512 /dev/sdc 28 0 0 0 0 0 0 0 9 0
    
    Tested using iscsi-target, tcm_qla2xxx, loopback and tcm_vhost fabric
    ports.  Here is a bit more detail on each case:
    
     - iscsi-target: Bug with open-iscsi with overflow, sg_raw returns
                     -3584 bytes of data.
     - tcm_qla2xxx: Working as expected, returnins 512 bytes of data
     - loopback: sg_raw returns CHECK_CONDITION, from overflow rejection
                 in transport_generic_map_mem_to_cmd()
     - tcm_vhost: Same as loopback
    Reported-by: default avatarRoland Dreier <roland@purestorage.com>
    Cc: Roland Dreier <roland@purestorage.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Boaz Harrosh <bharrosh@panasas.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    4c054ba6
target_core_transport.c 84.9 KB