Re: [PATCH] tcm_vhost: Fix tv_cmd leak in vhost_scsi_handle_vq

Nicholas A. Bellinger Tue, 09 Apr 2013 08:46:52 -0700

On Tue, 2013-04-09 at 17:16 +0800, Asias He wrote:
> If we fail to submit the allocated tv_vmd to tcm_vhost_submission_work,
> we will leak the tv_vmd. Free tv_vmd on fail path.
> 
> Signed-off-by: Asias He <as...@redhat.com>
> ---
>  drivers/vhost/tcm_vhost.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/vhost/tcm_vhost.c b/drivers/vhost/tcm_vhost.c
> index 3351ed3..1f9116c 100644
> --- a/drivers/vhost/tcm_vhost.c
> +++ b/drivers/vhost/tcm_vhost.c
> @@ -860,7 +860,7 @@ static void vhost_scsi_handle_vq(struct vhost_scsi *vs,
>                       vq_err(vq, "Expecting virtio_scsi_cmd_resp, got %zu"
>                               " bytes, out: %d, in: %d\n",
>                               vq->iov[out].iov_len, out, in);
> -                     break;
> +                     goto err;
>               }
>  
>               tv_cmd->tvc_resp = vq->iov[out].iov_base;
> @@ -882,7 +882,7 @@ static void vhost_scsi_handle_vq(struct vhost_scsi *vs,
>                               " exceeds SCSI_MAX_VARLEN_CDB_SIZE: %d\n",
>                               scsi_command_size(tv_cmd->tvc_cdb),
>                               TCM_VHOST_MAX_CDB_SIZE);
> -                     break; /* TODO */
> +                     goto err;
>               }
>               tv_cmd->tvc_lun = ((v_req.lun[2] << 8) | v_req.lun[3]) & 0x3FFF;
>  
> @@ -895,7 +895,7 @@ static void vhost_scsi_handle_vq(struct vhost_scsi *vs,
>                                       data_direction == DMA_TO_DEVICE);
>                       if (unlikely(ret)) {
>                               vq_err(vq, "Failed to map iov to sgl\n");
> -                             break; /* TODO */
> +                             goto err;
>                       }
>               }
>


Mmmm, I think these cases also require a VIRTIO_SCSI_S_BAD_TARGET +
__copy_to_user + vhost_add_used_and_signal similar to how !tv_tpg is
handled..  Otherwise virtio-scsi will end up in scsi timeout -> abort,
no..?

Ditto for the vhost_scsi_allocate_cmd failure case..

vhost-net uses vhost_discard_vq_desc for some failure cases,  is that
needed here for the failure cases before __copy_from_user is called..?

> @@ -916,6 +916,11 @@ static void vhost_scsi_handle_vq(struct vhost_scsi *vs,
>       }
>  
>       mutex_unlock(&vq->mutex);
> +     return;
> +
> +err:
> +     vhost_scsi_free_cmd(tv_cmd);
> +     mutex_unlock(&vq->mutex);
>  }
>  
>  static void vhost_scsi_ctl_handle_kick(struct vhost_work *work)


--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] tcm_vhost: Fix tv_cmd leak in vhost_scsi_handle_vq

Reply via email to