On Tue, 2012-07-31 at 11:11 -0700, gre...@linuxfoundation.org wrote:
The patch below does not apply to the 3.5-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to stable@vger.kernel.org.
[...]
Here are the versions I applied to 3.2.y, for this and the following 3
target changes. The ordering is:
target-add-range-checking-to-unmap-emulation.patch
target-fix-reading-of-data-length-fields-for-unmap-commands.patch
target-fix-possible-integer-underflow-in-unmap-emulation.patch
target-check-number-of-unmap-descriptors-against-our-limit.patch
These also apply on top of 3.5 (with context reduced to 2 for
target-fix-reading-of-data-length-fields-for-unmap-commands.patch) and
build cleanly.
Ben.
--
Ben Hutchings
Experience is directly proportional to the value of equipment destroyed.
- Carolyn Scheppner
From: Roland Dreier rol...@purestorage.com
Date: Mon, 16 Jul 2012 15:34:22 -0700
Subject: target: Add range checking to UNMAP emulation
commit 2594e29865c291db162313187612cd9f14538f33 upstream.
When processing an UNMAP command, we need to make sure that the number
of blocks we're asked to UNMAP does not exceed our reported maximum
number of blocks per UNMAP, and that the range of blocks we're
unmapping doesn't go past the end of the device.
Signed-off-by: Roland Dreier rol...@purestorage.com
Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings b...@decadent.org.uk
---
drivers/target/target_core_cdb.c | 12
1 file changed, 12 insertions(+)
--- a/drivers/target/target_core_cdb.c
+++ b/drivers/target/target_core_cdb.c
@@ -1145,6 +1145,18 @@ int target_emulate_unmap(struct se_task
pr_debug(UNMAP: Using lba: %llu and range: %u\n,
(unsigned long long)lba, range);
+ if (range dev-se_sub_dev-se_dev_attrib.max_unmap_lba_count) {
+ cmd-scsi_sense_reason = TCM_INVALID_PARAMETER_LIST;
+ ret = -EINVAL;
+ goto err;
+ }
+
+ if (lba + range dev-transport-get_blocks(dev) + 1) {
+ cmd-scsi_sense_reason = TCM_ADDRESS_OUT_OF_RANGE;
+ ret = -EINVAL;
+ goto err;
+ }
+
ret = dev-transport-do_discard(dev, lba, range);
if (ret 0) {
pr_err(blkdev_issue_discard() failed: %d\n,
From: Roland Dreier rol...@purestorage.com
Date: Mon, 16 Jul 2012 15:34:25 -0700
Subject: target: Check number of unmap descriptors against our limit
commit 7409a6657aebf8be74c21d0eded80709b27275cb upstream.
Fail UNMAP commands that have more than our reported limit on unmap
descriptors.
Signed-off-by: Roland Dreier rol...@purestorage.com
Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings b...@decadent.org.uk
---
drivers/target/target_core_cdb.c |5 +
1 file changed, 5 insertions(+)
--- a/drivers/target/target_core_cdb.c
+++ b/drivers/target/target_core_cdb.c
@@ -1133,6 +1133,11 @@ int target_emulate_unmap(struct se_task
bd_dl = get_unaligned_be16(buf[2]);
size = min(size - 8, bd_dl);
+ if (size / 16 dev-se_sub_dev-se_dev_attrib.max_unmap_block_desc_count) {
+ cmd-scsi_sense_reason = TCM_INVALID_PARAMETER_LIST;
+ ret = -EINVAL;
+ goto err;
+ }
/* First UNMAP block descriptor starts at 8 byte offset */
ptr = buf[8];
From: Roland Dreier rol...@purestorage.com
Date: Mon, 16 Jul 2012 15:34:24 -0700
Subject: target: Fix possible integer underflow in UNMAP emulation
commit b7fc7f3777582dea85156a821d78a522a0c083aa upstream.
It's possible for an initiator to send us an UNMAP command with a
descriptor that is less than 8 bytes; in that case it's really bad for
us to set an unsigned int to that value, subtract 8 from it, and then
use that as a limit for our loop (since the value will wrap around to
a huge positive value).
Fix this by making size be signed and only looping if size = 16 (ie
if we have at least a full descriptor available).
Also remove offset as an obfuscated name for the constant 8.
Signed-off-by: Roland Dreier rol...@purestorage.com
Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings b...@decadent.org.uk
---
drivers/target/target_core_cdb.c | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/target/target_core_cdb.c
+++ b/drivers/target/target_core_cdb.c
@@ -1115,9 +1115,10 @@ int target_emulate_unmap(struct se_task
struct se_device *dev = cmd-se_dev;
unsigned char *buf, *ptr = NULL;
sector_t lba;
- unsigned int size = cmd-data_length, range;
- int ret = 0, offset;
- unsigned short dl, bd_dl;
+ int size = cmd-data_length;
+ u32 range;
+ int ret = 0;
+ int dl, bd_dl;
if (!dev-transport-do_discard) {
pr_err(UNMAP emulation not supported for: %s\n,
@@ -1126,20 +1127,19 @@ int target_emulate_unmap(struct se_task