Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp4159948pxb; Mon, 27 Sep 2021 10:36:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJye9nlprl/eHm8eRuyRyKavG8IM42hRFnRFDN1VPfVTE/eRLaL8xIqwUwIxcfZOz2oJ4MtQ X-Received: by 2002:a63:6e03:: with SMTP id j3mr697704pgc.465.1632764189721; Mon, 27 Sep 2021 10:36:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632764189; cv=none; d=google.com; s=arc-20160816; b=e9cuuchPxMVMhSEWonKjoorxAehWMq3ZcmmB8CrCPRANpWjO4/llLtzUOObH+cJwKD WEC+R3++PIukhDcpPv3hnr9QLEySFmgCTjbqV5GDPigsMQXQ7FF9FuIqOHbBRkK60YLP VvqhR+rUQHvh7K+LhyFsMooGJZKheZbnmKEM+kzXtvbHhDe5MnJLii9kDaq2PTxPEHnL yuGWs7S+OIOXOWJW9JSqIk4jpZK6jav/b/IOAHdVYiJI7DyUvLvQkIuqEo/erMexPgpP hQpSCZcnUaj8l1Yhe7eCGvG4NzfSQp+irk1eGSHVqLcLRBxfufUqC0/jJ5ufovmIoJIX n+IQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=BCedOTAwW4eDhZaefJmXQ3kSMvijO3Gb6uS4HTa9TII=; b=jSY3s+wfsRoN36FcvowxFFEFcAyboCY7VUo5OiNE7x/aONGmGWTetL54xq2KG/KLmn PXhYI9f3YwJYztVD3AFJl8r5OYf/LNWkmYY5xbvS4UsWnnmCAGnhdN2OKyeitT34yZMs ds9hjussc9EAqWxJ8GgOuIE+wFTMIB4SoaHNwnEFhpYCk0Ex9kG30H3K8eqx5ULK+ngd TvIA9q9Q6SPm8JttnbdzNU2lLZu0Mi+mTgq9xgnDq1gf75P3LnNJSAKdpdPVarg1oS/9 h+nW9D2aoB6p54o7qr2X589Sxp3t9KS+EMVQ3oQiFvhcpFFpn7iLD62ik4Y2R5ak7Osc 7eIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yjIT8Jw4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t34si22616480pfg.231.2021.09.27.10.36.16; Mon, 27 Sep 2021 10:36:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yjIT8Jw4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237884AbhI0RgY (ORCPT + 99 others); Mon, 27 Sep 2021 13:36:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:44586 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236198AbhI0Raf (ORCPT ); Mon, 27 Sep 2021 13:30:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D8C7960F4A; Mon, 27 Sep 2021 17:23:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632763385; bh=AAzw6SDUvq6M1tCKBlxfuU4NYcgoAyNvVxKy0fNnRaQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yjIT8Jw4r+mLB9p9ZjwQnH2skqSHZN6PnZc7LVlwk9y9qJkfUIXILM3NvNcXyVy2I bl1pYegj0ewAngOH9bz4Whei10yNtz9EmZhnQbzvfAxnOmIQ4tCFNRhSAt45L7fyl+ Bg4y6Kjpy7HZuCH4G++3Kc8b72OwYxaTMoSNAgDc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Nowak, Lukasz" , Sagi Grimberg , Keith Busch , Christoph Hellwig , Sasha Levin Subject: [PATCH 5.10 059/103] nvme-tcp: fix incorrect h2cdata pdu offset accounting Date: Mon, 27 Sep 2021 19:02:31 +0200 Message-Id: <20210927170227.806699954@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210927170225.702078779@linuxfoundation.org> References: <20210927170225.702078779@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sagi Grimberg [ Upstream commit e371af033c560b9dd1e861f8f0b503142bf0a06c ] When the controller sends us multiple r2t PDUs in a single request we need to account for it correctly as our send/recv context run concurrently (i.e. we get a new r2t with r2t_offset before we updated our iterator and req->data_sent marker). This can cause wrong offsets to be sent to the controller. To fix that, we will first know that this may happen only in the send sequence of the last page, hence we will take the r2t_offset to the h2c PDU data_offset, and in nvme_tcp_try_send_data loop, we make sure to increment the request markers also when we completed a PDU but we are expecting more r2t PDUs as we still did not send the entire data of the request. Fixes: 825619b09ad3 ("nvme-tcp: fix possible use-after-completion") Reported-by: Nowak, Lukasz Tested-by: Nowak, Lukasz Signed-off-by: Sagi Grimberg Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin --- drivers/nvme/host/tcp.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index a6b3b0762763..05ad6bee085c 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -611,7 +611,7 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst); data->ttag = pdu->ttag; data->command_id = nvme_cid(rq); - data->data_offset = cpu_to_le32(req->data_sent); + data->data_offset = pdu->r2t_offset; data->data_length = cpu_to_le32(req->pdu_len); return 0; } @@ -937,7 +937,15 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) nvme_tcp_ddgst_update(queue->snd_hash, page, offset, ret); - /* fully successful last write*/ + /* + * update the request iterator except for the last payload send + * in the request where we don't want to modify it as we may + * compete with the RX path completing the request. + */ + if (req->data_sent + ret < req->data_len) + nvme_tcp_advance_req(req, ret); + + /* fully successful last send in current PDU */ if (last && ret == len) { if (queue->data_digest) { nvme_tcp_ddgst_final(queue->snd_hash, @@ -949,7 +957,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) } return 1; } - nvme_tcp_advance_req(req, ret); } return -EAGAIN; } -- 2.33.0