linux/drivers/target
Martin Wilck 077ce028b8 scsi: target: pscsi: Avoid OOM in pscsi_map_sg()
pscsi_map_sg() uses the variable nr_pages as a hint for bio_kmalloc() how
many vector elements to allocate. If nr_pages is < BIO_MAX_PAGES, it will
be reset to 0 after successful allocation of the bio.

If bio_add_pc_page() fails later for whatever reason, pscsi_map_sg() tries
to allocate another bio, passing nr_vecs = 0. This causes bio_add_pc_page()
to fail immediately in the next call. pci_map_sg() continues to allocate
zero-length bios until memory is exhausted and the kernel crashes with
OOM. This can be easily observed by exporting a SATA DVD drive via pscsi.
The target crashes as soon as the client tries to access the DVD LUN. In
the case I analyzed, bio_add_pc_page() would fail because the DVD device's
max_sectors_kb (128) was exceeded.

Avoid this by simply not resetting nr_pages to 0 after allocating the
bio. This way, the client receives an I/O error when it tries to send
requests exceeding the devices max_sectors_kb, and eventually gets it
right. The client must still limit max_sectors_kb e.g. by an udev rule if
(like in my case) the driver doesn't report valid block limits, otherwise
it encounters I/O errors.

Link: https://lore.kernel.org/r/20210323212431.15306-1-mwilck@suse.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin Wilck <mwilck@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-03-24 23:19:23 -04:00
..
iscsi SCSI misc on 20210219 2021-02-22 10:24:58 -08:00
loopback scsi: tcm_loop: Allow queues, can_queue and cmd_per_lun to be settable 2020-11-04 22:39:38 -05:00
sbp scsi: target: sbp: Remove unneeded semicolon 2021-02-08 22:08:34 -05:00
tcm_fc scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
Kconfig
Makefile
target_core_alua.c scsi: target: alua: Remove in_interrupt() usage in core_alua_check_nonop_delay() 2021-01-22 20:25:25 -05:00
target_core_alua.h
target_core_configfs.c scsi: target: tcmu: Make pgr_support and alua_support attributes writable 2020-05-07 22:39:22 -04:00
target_core_device.c scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
target_core_fabric_configfs.c
target_core_fabric_lib.c scsi: target: Handle short iSIDs 2020-07-08 00:14:34 -04:00
target_core_file.c SCSI misc on 20210219 2021-02-22 10:24:58 -08:00
target_core_file.h
target_core_hba.c
target_core_iblock.c block: Add bio_max_segs 2021-02-26 15:49:51 -07:00
target_core_iblock.h
target_core_internal.h scsi: target: Fix xcopy sess release leak 2020-07-08 00:14:34 -04:00
target_core_pr.c scsi: target: core: Prevent underflow for service actions 2021-02-22 22:21:29 -05:00
target_core_pr.h
target_core_pscsi.c scsi: target: pscsi: Avoid OOM in pscsi_map_sg() 2021-03-24 23:19:23 -04:00
target_core_pscsi.h
target_core_rd.c scsi: target: rd: Drop double zeroing 2020-10-07 23:50:03 -04:00
target_core_rd.h
target_core_sbc.c scsi: target: Return COMPARE AND WRITE miscompare offsets 2020-11-04 22:02:43 -05:00
target_core_spc.c scsi: target: use an enum to track emulate_ua_intlck_ctrl 2020-02-21 17:37:16 -05:00
target_core_stat.c
target_core_tmr.c scsi: target: Make state_list per CPU 2020-11-04 22:39:38 -05:00
target_core_tpg.c scsi: target: Drop sess_cmd_lock from I/O path 2020-11-04 22:39:37 -05:00
target_core_transport.c scsi: target: core: Add cmd length set before cmd complete 2021-02-22 22:21:29 -05:00
target_core_ua.c scsi: target: use an enum to track emulate_ua_intlck_ctrl 2020-02-21 17:37:16 -05:00
target_core_ua.h
target_core_user.c scsi: target: tcmu: Fix memory leak caused by wrong uio usage 2021-02-22 22:35:21 -05:00
target_core_xcopy.c scsi: target: Fix XCOPY NAA identifier lookup 2021-01-11 17:06:48 -05:00
target_core_xcopy.h scsi: target: Fix XCOPY NAA identifier lookup 2021-01-11 17:06:48 -05:00