[PATCH 5.10 27/77] nvme-tcp: fix H2CData PDU send accounting (again)

From: Greg Kroah-Hartman
Date: Mon Nov 01 2021 - 05:34:36 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.10 26/77] ocfs2: fix race between searching chunks and release journal_head from buffer_head"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 24/77] mmc: sdhci: Map more voltage level to SDHCI_POWER_330"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 24/77] mmc: sdhci: Map more voltage level to SDHCI_POWER_330"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 26/77] ocfs2: fix race between searching chunks and release journal_head from buffer_head"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sagi Grimberg <sagi@xxxxxxxxxxx>

commit 25e1f67eda4a19c91dc05c84d6d413c53efb447b upstream.

We should not access request members after the last send, even to
determine if indeed it was the last data payload send. The reason is
that a completion could have arrived and trigger a new execution of the
request which overridden these members. This was fixed by commit
825619b09ad3 ("nvme-tcp: fix possible use-after-completion").

Commit e371af033c56 broke that assumption again to address cases where
multiple r2t pdus are sent per request. To fix it, we need to record the
request data_sent and data_len and after the payload network send we
reference these counters to determine weather we should advance the
request iterator.

Fixes: e371af033c56 ("nvme-tcp: fix incorrect h2cdata pdu offset accounting")
Reported-by: Keith Busch <kbusch@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # 5.10+
Signed-off-by: Sagi Grimberg <sagi@xxxxxxxxxxx>
Reviewed-by: Keith Busch <kbusch@xxxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/nvme/host/tcp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -910,12 +910,14 @@ static void nvme_tcp_fail_request(struct
static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
{
struct nvme_tcp_queue *queue = req->queue;
+ int req_data_len = req->data_len;

while (true) {
struct page *page = nvme_tcp_req_cur_page(req);
size_t offset = nvme_tcp_req_cur_offset(req);
size_t len = nvme_tcp_req_cur_length(req);
bool last = nvme_tcp_pdu_last_send(req, len);
+ int req_data_sent = req->data_sent;
int ret, flags = MSG_DONTWAIT;

if (last && !queue->data_digest && !nvme_tcp_queue_more(queue))
@@ -942,7 +944,7 @@ static int nvme_tcp_try_send_data(struct
* in the request where we don't want to modify it as we may
* compete with the RX path completing the request.
*/
- if (req->data_sent + ret < req->data_len)
+ if (req_data_sent + ret < req_data_len)
nvme_tcp_advance_req(req, ret);

/* fully successful last send in current PDU */

Next message: Greg Kroah-Hartman: "[PATCH 5.10 26/77] ocfs2: fix race between searching chunks and release journal_head from buffer_head"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 24/77] mmc: sdhci: Map more voltage level to SDHCI_POWER_330"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 24/77] mmc: sdhci: Map more voltage level to SDHCI_POWER_330"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 26/77] ocfs2: fix race between searching chunks and release journal_head from buffer_head"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]