target/user: Return an error if cmd data size is too large

BugLink: http://bugs.launchpad.net/bugs/1646204 Userspace should be implementing VPD B0 (Block Limits) to inform the initiator of max data size, but just in case we do get a too-large request, do what the spec says and return INVALID_CDB_FIELD. Make sure to unlock udev->cmdr_lock before returning. Signed-off-by: Andy Grover <agrover@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Mike Christie <mchristi@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> (back ported from linux-next commit 554617b2) Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Conflicts: drivers/target/target_core_user.c Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

target/user: Return an error if cmd data size is too large
BugLink: http://bugs.launchpad.net/bugs/1646204 Userspace should be implementing VPD B0 (Block Limits) to inform the initiator of max data size, but just in case we do get a too-large request, do what the spec says and return INVALID_CDB_FIELD. Make sure to unlock udev->cmdr_lock before returning. Signed-off-by: Andy Grover <agrover@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Mike Christie <mchristi@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> (back ported from linux-next commit 554617b2) Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Conflicts: drivers/target/target_core_user.c Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
47561ccd · Andy Grover · Luis Henriques · 7dfe3ddb · 47561ccd
Commit 47561ccd authored Dec 08, 2016 by Andy Grover Committed by Luis Henriques Dec 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

drivers/target/target_core_user.c drivers/target/target_core_user.c +4 -1

No files found.
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -418,10 +418,13 @@ tcmu_queue_cmd_ring(struct tcmu_cmd *tcmu_cmd)
 	mb = udev->mb_addr;
 	cmd_head = mb->cmd_head % udev->cmdr_size; /* UAM */
 	if ((command_size > (udev->cmdr_size / 2))
-	    || tcmu_cmd->data_length > (udev->data_size - 1))
+	    || tcmu_cmd->data_length > (udev->data_size - 1)) {
 		pr_warn("TCMU: Request of size %zu/%zu may be too big for %u/%zu "
 			"cmd/data ring buffers\n", command_size, tcmu_cmd->data_length,
 			udev->cmdr_size, udev->data_size);
+		spin_unlock_irq(&udev->cmdr_lock);
+		return TCM_INVALID_CDB_FIELD;
+	}

 	while (!is_ring_space_avail(udev, command_size, tcmu_cmd->data_length)) {
 		int ret;