linux-stable.git/drivers/infiniband/ulp, branch v4.0.7 Linux kernel stable tree iser-target: Fix possible use-after-free 2015-06-29T19:29:07+00:00 Sagi Grimberg sagig@mellanox.com 2015-06-04T16:49:21+00:00 ad57c140b86de638bc841a913fbbd87b4204abf2 commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream. iser connection termination process happens in 2 stages: - isert_wait_conn: - resumes rdma disconnect - wait for session commands - wait for flush completions (post a marked wr to signal we are done) - wait for logout completion - queue work for connection cleanup (depends on disconnected/timewait events) - isert_free_conn - last reference put on the connection In case we are terminating during IOs, we might be posting send/recv requests after we posted the last work request which might lead to a use-after-free condition in isert_handle_wc. After we posted the last wr in isert_wait_conn we are guaranteed that no successful completions will follow (meaning no new work request posts may happen) but other flush errors might still come. So before we put the last reference on the connection, we repeat the process of posting a marked work request (isert_wait4flush) in order to make sure all pending completions were flushed. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Jenny Falkovich <jennyf@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream.

iser connection termination process happens in 2 stages:
- isert_wait_conn:
  - resumes rdma disconnect
  - wait for session commands
  - wait for flush completions (post a marked wr to signal we are done)
  - wait for logout completion
  - queue work for connection cleanup (depends on disconnected/timewait
    events)
- isert_free_conn
  - last reference put on the connection

In case we are terminating during IOs, we might be posting send/recv
requests after we posted the last work request which might lead
to a use-after-free condition in isert_handle_wc.
After we posted the last wr in isert_wait_conn we are guaranteed that
no successful completions will follow (meaning no new work request posts
may happen) but other flush errors might still come. So before we
put the last reference on the connection, we repeat the process of
posting a marked work request (isert_wait4flush) in order to make sure all
pending completions were flushed.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iser-target: Fix variable-length response error completion 2015-06-29T19:29:07+00:00 Sagi Grimberg sagig@mellanox.com 2015-06-04T16:49:19+00:00 b4385f224870229f040ed5b1981c6b5e676b8a12 commit 9253e667ab50fd4611a60e1cdd6a6e05a1d91cf1 upstream. Since commit "2426bd456a6 target: Report correct response ..." we might get a command with data_size that does not fit to the number of allocated data sg elements. Given that we rely on cmd t_data_nents which might be different than the data_size, we sometimes receive local length error completion. The correct approach would be to take the command data_size into account when constructing the ib sg_list. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Jenny Falkovich <jennyf@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9253e667ab50fd4611a60e1cdd6a6e05a1d91cf1 upstream.

Since commit "2426bd456a6 target: Report correct response ..."
we might get a command with data_size that does not fit to
the number of allocated data sg elements. Given that we rely on
cmd t_data_nents which might be different than the data_size,
we sometimes receive local length error completion. The correct
approach would be to take the command data_size into account when
constructing the ib sg_list.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
IB/iser: Fix wrong calculation of protection buffer length 2015-05-06T20:04:01+00:00 Sagi Grimberg sagig@mellanox.com 2015-04-14T15:08:13+00:00 6fb5785d6c07d834567ccf3f3ba2df9c3803b28b commit a065fe6aa25ba6ba93c02dc13486131bb3c64d5f upstream. This length miss-calculation may cause a silent data corruption in the DIX case and cause the device to reference unmapped area. Fixes: d77e65350f2d ('libiscsi, iser: Adjust data_length to include protection information') Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit a065fe6aa25ba6ba93c02dc13486131bb3c64d5f upstream.

This length miss-calculation may cause a silent data corruption
in the DIX case and cause the device to reference unmapped area.

Fixes: d77e65350f2d ('libiscsi, iser: Adjust data_length to include protection information')
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iser-target: Fix possible deadlock in RDMA_CM connection error 2015-05-06T20:03:53+00:00 Sagi Grimberg sagig@mellanox.com 2015-03-29T12:52:04+00:00 c1398bc9478760e098fd1a36c9d67eeaf1bc5813 commit 4a579da2586bd3b79b025947ea24ede2bbfede62 upstream. Before we reach to connection established we may get an error event. In this case the core won't teardown this connection (never established it), so we take care of freeing it ourselves. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 4a579da2586bd3b79b025947ea24ede2bbfede62 upstream.

Before we reach to connection established we may get an
error event. In this case the core won't teardown this
connection (never established it), so we take care of freeing
it ourselves.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iser-target: Fix session hang in case of an rdma read DIF error 2015-05-06T20:03:53+00:00 Sagi Grimberg sagig@mellanox.com 2015-03-29T12:52:03+00:00 6c617001eadca79dc3c26a6e2d2844ad48c1a178 commit 364189f0ada5478e4faf8a552d6071a650d757cd upstream. This hang was a result of a missing command put when a DIF error occurred during a rdma read (and we sent an CHECK_CONDITION error without passing it to the backend). Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 364189f0ada5478e4faf8a552d6071a650d757cd upstream.

This hang was a result of a missing command put when
a DIF error occurred during a rdma read (and we sent
an CHECK_CONDITION error without passing it to the
backend).

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-02-21T21:21:19+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-02-21T21:21:19+00:00 e20d3ef5406d3a28b76a63905b2a6bd3fb95c377 Pull SCSI target updates from Nicholas Bellinger: "The highlights this round include: - Update vhost-scsi to support F_ANY_LAYOUT using mm/iov_iter.c logic, and signal VERSION_1 support (MST + Viro + nab) - Fix iscsi/iser-target to remove problematic active_ts_set usage (Gavin Guo) - Update iscsi/iser-target to support multi-sequence sendtargets (Sagi) - Fix original PR_APTPL_BUF_LEN 8k size limitation (Martin Svec) - Add missing WRITE_SAME end-of-device sanity check (Bart) - Check for LBA + sectors wrap-around in sbc_parse_cdb() (nab) - Other various minor SPC/SBC compliance fixes based upon Ronnie Sahlberg test suite (nab)" * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (32 commits) target: Set LBPWS10 bit in Logical Block Provisioning EVPD target: Fail UNMAP when emulate_tpu=0 target: Fail WRITE_SAME w/ UNMAP=1 when emulate_tpws=0 target: Add sanity checks for DPO/FUA bit usage target: Perform PROTECT sanity checks for WRITE_SAME target: Fail I/O with PROTECT bit when protection is unsupported target: Check for LBA + sectors wrap-around in sbc_parse_cdb target: Add missing WRITE_SAME end-of-device sanity check iscsi-target: Avoid IN_LOGOUT failure case for iser-target target: Fix PR_APTPL_BUF_LEN buffer size limitation iscsi-target: Drop problematic active_ts_list usage iscsi/iser-target: Support multi-sequence sendtargets text response iser-target: Remove duplicate function names vhost/scsi: potential memory corruption vhost/scsi: Global tcm_vhost -> vhost_scsi rename vhost/scsi: Drop left-over scsi_tcq.h include vhost/scsi: Set VIRTIO_F_ANY_LAYOUT + VIRTIO_F_VERSION_1 feature bits vhost/scsi: Add ANY_LAYOUT support in vhost_scsi_handle_vq vhost/scsi: Add ANY_LAYOUT iov -> sgl mapping prerequisites vhost/scsi: Change vhost_scsi_map_to_sgl to accept iov ptr + len ... 
Pull SCSI target updates from Nicholas Bellinger:
 "The highlights this round include:

   - Update vhost-scsi to support F_ANY_LAYOUT using mm/iov_iter.c
     logic, and signal VERSION_1 support (MST + Viro + nab)

   - Fix iscsi/iser-target to remove problematic active_ts_set usage
     (Gavin Guo)

   - Update iscsi/iser-target to support multi-sequence sendtargets
     (Sagi)

   - Fix original PR_APTPL_BUF_LEN 8k size limitation (Martin Svec)

   - Add missing WRITE_SAME end-of-device sanity check (Bart)

   - Check for LBA + sectors wrap-around in sbc_parse_cdb() (nab)

   - Other various minor SPC/SBC compliance fixes based upon Ronnie
     Sahlberg test suite (nab)"

* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (32 commits)
  target: Set LBPWS10 bit in Logical Block Provisioning EVPD
  target: Fail UNMAP when emulate_tpu=0
  target: Fail WRITE_SAME w/ UNMAP=1 when emulate_tpws=0
  target: Add sanity checks for DPO/FUA bit usage
  target: Perform PROTECT sanity checks for WRITE_SAME
  target: Fail I/O with PROTECT bit when protection is unsupported
  target: Check for LBA + sectors wrap-around in sbc_parse_cdb
  target: Add missing WRITE_SAME end-of-device sanity check
  iscsi-target: Avoid IN_LOGOUT failure case for iser-target
  target: Fix PR_APTPL_BUF_LEN buffer size limitation
  iscsi-target: Drop problematic active_ts_list usage
  iscsi/iser-target: Support multi-sequence sendtargets text response
  iser-target: Remove duplicate function names
  vhost/scsi: potential memory corruption
  vhost/scsi: Global tcm_vhost -> vhost_scsi rename
  vhost/scsi: Drop left-over scsi_tcq.h include
  vhost/scsi: Set VIRTIO_F_ANY_LAYOUT + VIRTIO_F_VERSION_1 feature bits
  vhost/scsi: Add ANY_LAYOUT support in vhost_scsi_handle_vq
  vhost/scsi: Add ANY_LAYOUT iov -> sgl mapping prerequisites
  vhost/scsi: Change vhost_scsi_map_to_sgl to accept iov ptr + len
  ...
IB/iser: Release the iscsi endpoint if ep_disconnect wasn't called 2015-02-17T20:33:14+00:00 Ariel Nahum arieln@mellanox.com 2015-01-18T14:51:07+00:00 9a3119e4b787d8c855202eb0388b213f86f88714 In some cases, we might reach the iser connection termination without ep_disconnect being invoked (for example if user-space daemon doesn't exists. In this case, we need to free the iscsi endpoint when we remove the iser connection. Signed-off-by: Ariel Nahum <arieln@mellanox.com> Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com> 
In some cases, we might reach the iser connection termination without
ep_disconnect being invoked (for example if user-space daemon doesn't
exists. In this case, we need to free the iscsi endpoint when we
remove the iser connection.

Signed-off-by: Ariel Nahum <arieln@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
IB/iser: Fix memory regions possible leak 2015-02-17T20:32:46+00:00 Sagi Grimberg sagig@mellanox.com 2015-01-18T14:51:06+00:00 6606e6a2ff2710b473838b291dc533cd8fc1471f When teardown process starts during live IO, we need to keep the memory regions pool (frmr/fmr) until all in-flight tasks are properly released, since each task may return a memory region to the pool. In order to do this, we pass a destroy flag to iser_free_ib_conn_res to indicate we can destroy the device and the memory regions pool. iser_conn_release will pass it as true and also DEVICE_REMOVAL event (we need to let the device to properly remove). Also, Since we conditionally call iser_free_rx_descriptors, remove the extra check on iser_conn->rx_descs. Fixes: 5426b1711fd0 ("IB/iser: Collapse cleanup and disconnect handlers") Reported-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com> 
When teardown process starts during live IO, we need to keep the
memory regions pool (frmr/fmr) until all in-flight tasks are properly
released, since each task may return a memory region to the pool. In
order to do this, we pass a destroy flag to iser_free_ib_conn_res to
indicate we can destroy the device and the memory regions
pool. iser_conn_release will pass it as true and also DEVICE_REMOVAL
event (we need to let the device to properly remove).

Also, Since we conditionally call iser_free_rx_descriptors,
remove the extra check on iser_conn->rx_descs.

Fixes: 5426b1711fd0 ("IB/iser: Collapse cleanup and disconnect handlers")
Reported-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
IB/iser: Use correct dma direction when unmapping SGs 2015-02-13T19:27:31+00:00 Roi Dayan roid@mellanox.com 2014-12-28T12:26:11+00:00 c6c95ef4cec680f7a10aa425a9970744b35b6489 We always unmap SGs with the same direction instead of unmapping with the direction the mapping was done, fix that. Fixes: 9a8b08fad2ef ("IB/iser: Generalize iser_unmap_task_data and [...]") Signed-off-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com> 
We always unmap SGs with the same direction instead of unmapping
with the direction the mapping was done, fix that.

Fixes: 9a8b08fad2ef ("IB/iser: Generalize iser_unmap_task_data and [...]")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
iscsi/iser-target: Support multi-sequence sendtargets text response 2015-02-12T19:24:29+00:00 Sagi Grimberg sagig@mellanox.com 2015-02-09T16:07:25+00:00 e4f4e8016e6823475291eb0da7cc95d0fada2237 In case sendtargets response is larger than initiator MRDSL, we send a partial sendtargets response (setting F=0, C=1, TTT!=0xffffffff), accept a consecutive empty text message and send the rest of the payload. In case we are done, we set F=1, C=0, TTT=0xffffffff. We do that by storing the sendtargets response bytes done under the session. This patch also makes iscsit_find_cmd_from_itt public for isert. (Re-add cmd->maxcmdsn_inc and clear in iscsit_build_text_rsp - nab) Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
In case sendtargets response is larger than initiator MRDSL, we
send a partial sendtargets response (setting F=0, C=1, TTT!=0xffffffff),
accept a consecutive empty text message and send the rest of the payload.
In case we are done, we set F=1, C=0, TTT=0xffffffff.
We do that by storing the sendtargets response bytes done under
the session.

This patch also makes iscsit_find_cmd_from_itt public for isert.

(Re-add cmd->maxcmdsn_inc and clear in iscsit_build_text_rsp - nab)

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>