nvmet: fix dsm failure when payload does not match sgl descriptor

sagigrimberg · keithbusch · commit b716e6889c95 · 2020-02-04T03:00:24.000+09:00
The host is allowed to pass the controller an sgl describing a buffer
that is larger than the dsm payload itself, allow it when executing
dsm.

Reported-by: Dakshaja Uppalapati &lt;dakshaja@chelsio.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;,
Reviewed-by: Max Gurtovoy &lt;maxg@mellanox.com&gt;
Signed-off-by: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Keith Busch &lt;kbusch@kernel.org&gt;
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
@@ -939,6 +939,17 @@ bool nvmet_check_data_len(struct nvmet_req *req, size_t data_len)
 }
 EXPORT_SYMBOL_GPL(nvmet_check_data_len);
 
+bool nvmet_check_data_len_lte(struct nvmet_req *req, size_t data_len)
+{
+	if (unlikely(data_len > req->transfer_len)) {
+		req->error_loc = offsetof(struct nvme_common_command, dptr);
+		nvmet_req_complete(req, NVME_SC_SGL_INVALID_DATA | NVME_SC_DNR);
+		return false;
+	}
+
+	return true;
+}
+
 int nvmet_req_alloc_sgl(struct nvmet_req *req)
 {
 	struct pci_dev *p2p_dev = NULL;
diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
@@ -280,7 +280,7 @@ static void nvmet_bdev_execute_discard(struct nvmet_req *req)
 
 static void nvmet_bdev_execute_dsm(struct nvmet_req *req)
 {
-	if (!nvmet_check_data_len(req, nvmet_dsm_len(req)))
+	if (!nvmet_check_data_len_lte(req, nvmet_dsm_len(req)))
 		return;
 
 	switch (le32_to_cpu(req->cmd->dsm.attributes)) {
diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
@@ -336,7 +336,7 @@ static void nvmet_file_dsm_work(struct work_struct *w)
 
 static void nvmet_file_execute_dsm(struct nvmet_req *req)
 {
-	if (!nvmet_check_data_len(req, nvmet_dsm_len(req)))
+	if (!nvmet_check_data_len_lte(req, nvmet_dsm_len(req)))
 		return;
 	INIT_WORK(&req->f.work, nvmet_file_dsm_work);
 	schedule_work(&req->f.work);
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
@@ -374,6 +374,7 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq,
 		struct nvmet_sq *sq, const struct nvmet_fabrics_ops *ops);
 void nvmet_req_uninit(struct nvmet_req *req);
 bool nvmet_check_data_len(struct nvmet_req *req, size_t data_len);
+bool nvmet_check_data_len_lte(struct nvmet_req *req, size_t data_len);
 void nvmet_req_complete(struct nvmet_req *req, u16 status);
 int nvmet_req_alloc_sgl(struct nvmet_req *req);
 void nvmet_req_free_sgl(struct nvmet_req *req);

Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ static void nvmet_bdev_execute_discard(struct nvmet_req *req)`
`280`	`280`
`281`	`281`	`static void nvmet_bdev_execute_dsm(struct nvmet_req *req)`
`282`	`282`	`{`
`283`		`- if (!nvmet_check_data_len(req, nvmet_dsm_len(req)))`
	`283`	`+ if (!nvmet_check_data_len_lte(req, nvmet_dsm_len(req)))`
`284`	`284`	`return;`
`285`	`285`
`286`	`286`	`switch (le32_to_cpu(req->cmd->dsm.attributes)) {`
Original file line number	Diff line number	Diff line change
`@@ -336,7 +336,7 @@ static void nvmet_file_dsm_work(struct work_struct *w)`
`336`	`336`
`337`	`337`	`static void nvmet_file_execute_dsm(struct nvmet_req *req)`
`338`	`338`	`{`
`339`		`- if (!nvmet_check_data_len(req, nvmet_dsm_len(req)))`
	`339`	`+ if (!nvmet_check_data_len_lte(req, nvmet_dsm_len(req)))`
`340`	`340`	`return;`
`341`	`341`	`INIT_WORK(&req->f.work, nvmet_file_dsm_work);`
`342`	`342`	`schedule_work(&req->f.work);`