diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2012-09-07 17:30:32 +0200 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-09-07 20:04:08 +0200 |
commit | 306c11b28d7bb85a7adda741798a2b6b60dd305a (patch) | |
tree | 65639a992a1bf2ec8abc1836f935b0e67d634da5 /drivers | |
parent | target: fix use-after-free with PSCSI sense data (diff) | |
download | linux-306c11b28d7bb85a7adda741798a2b6b60dd305a.tar.xz linux-306c11b28d7bb85a7adda741798a2b6b60dd305a.zip |
target: go through normal processing for zero-length PSCSI commands
Right now, commands with a zero-size payload are skipped completely.
This is wrong; such commands should be passed down to the device and
processed normally.
For physical backends, this ignores completely things such as START
STOP UNIT. For virtual backends, we have a hack in place to clear a
unit attention state on a zero-size REQUEST SENSE, but we still do
not report errors properly on zero-length commands---out-of-bounds
0-block reads and writes, too small parameter list lengths, etc.
This patch fixes this for PSCSI. Uses of transport_kmap_data_sg are
guarded with a check for non-zero cmd->data_length; for all other
commands a zero length is handled properly in pscsi_execute_cmd.
The sole exception will be for now REPORT LUNS, which is handled
through the normal SPC emulation.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/target/target_core_pscsi.c | 8 | ||||
-rw-r--r-- | drivers/target/target_core_transport.c | 4 |
2 files changed, 7 insertions, 5 deletions
diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c index 5f7151d90344..9d7ce3daa262 100644 --- a/drivers/target/target_core_pscsi.c +++ b/drivers/target/target_core_pscsi.c @@ -688,11 +688,11 @@ static void pscsi_transport_complete(struct se_cmd *cmd, struct scatterlist *sg, * Hack to make sure that Write-Protect modepage is set if R/O mode is * forced. */ + if (!cmd->se_deve || !cmd->data_length) + goto after_mode_sense; + if (((cdb[0] == MODE_SENSE) || (cdb[0] == MODE_SENSE_10)) && (status_byte(result) << 1) == SAM_STAT_GOOD) { - if (!cmd->se_deve) - goto after_mode_sense; - if (cmd->se_deve->lun_flags & TRANSPORT_LUNFLAGS_READ_ONLY) { unsigned char *buf = transport_kmap_data_sg(cmd); @@ -709,7 +709,7 @@ static void pscsi_transport_complete(struct se_cmd *cmd, struct scatterlist *sg, } after_mode_sense: - if (sd->type != TYPE_TAPE) + if (sd->type != TYPE_TAPE || !cmd->data_length) goto after_mode_select; /* diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 8a29e3fd0195..7ddb0c33f644 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -2300,7 +2300,9 @@ int transport_generic_new_cmd(struct se_cmd *cmd) * into the fabric for data transfers, go ahead and complete it right * away. */ - if (!cmd->data_length) { + if (!cmd->data_length && + (cmd->se_dev->transport->transport_type != TRANSPORT_PLUGIN_PHBA_PDEV || + cmd->t_task_cdb[0] == REPORT_LUNS) { spin_lock_irq(&cmd->t_state_lock); cmd->t_state = TRANSPORT_COMPLETE; cmd->transport_state |= CMD_T_ACTIVE; |