linux-stable.git/drivers/target, branch v3.8.2 Linux kernel stable tree target: Add missing mapped_lun bounds checking during make_mappedlun setup 2013-03-03T22:03:34+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-02-19T02:31:37+00:00 89651d99c93fea49a2fdc97e8fa7f3fa60094108 commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream. This patch adds missing bounds checking for the configfs provided mapped_lun value during target_fabric_make_mappedlun() setup ahead of se_lun_acl initialization. This addresses a potential OOPs when using a mapped_lun value that exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within se_node_acl->device_list[]. Reported-by: Jan Engelhardt <jengelh@inai.de> Cc: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream.

This patch adds missing bounds checking for the configfs provided
mapped_lun value during target_fabric_make_mappedlun() setup ahead
of se_lun_acl initialization.

This addresses a potential OOPs when using a mapped_lun value that
exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within
se_node_acl->device_list[].

Reported-by: Jan Engelhardt <jengelh@inai.de>
Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
target: Fix lookup of dynamic NodeACLs during cached demo-mode operation 2013-03-03T22:03:34+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-02-19T02:00:33+00:00 62bfc5c9f00702407220c34cb3110c37d2353480 commit fcf29481fb8e106daad6688f2e898226ee928992 upstream. This patch fixes a bug in core_tpg_check_initiator_node_acl() -> core_tpg_get_initiator_node_acl() where a dynamically created se_node_acl generated during session login would be skipped during subsequent lookup due to the '!acl->dynamic_node_acl' check, causing a new se_node_acl to be created with a duplicate ->initiatorname. This would occur when a fabric endpoint was configured with TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1 preventing the release of an existing se_node_acl during se_session shutdown. Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl() within core_dev_init_initiator_node_lun_acl() that originally required the extra '!acl->dynamic_node_acl' check, and just pass the configfs provided se_node_acl pointer instead. Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit fcf29481fb8e106daad6688f2e898226ee928992 upstream.

This patch fixes a bug in core_tpg_check_initiator_node_acl() ->
core_tpg_get_initiator_node_acl() where a dynamically created
se_node_acl generated during session login would be skipped during
subsequent lookup due to the '!acl->dynamic_node_acl' check, causing
a new se_node_acl to be created with a duplicate ->initiatorname.

This would occur when a fabric endpoint was configured with
TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1
preventing the release of an existing se_node_acl during se_session
shutdown.

Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl()
within core_dev_init_initiator_node_lun_acl() that originally
required the extra '!acl->dynamic_node_acl' check, and just pass
the configfs provided se_node_acl pointer instead.

Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
target: Fix divide by zero bug in fabric_max_sectors for unconfigured devices 2013-01-31T23:22:53+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-01-31T23:05:48+00:00 7a3cf6ca1ab2a2f7161c6dec5a787fc7a5de864e This patch fixes a possible divide by zero bug when the fabric_max_sectors device attribute is written and backend se_device failed to be successfully configured -> enabled. Go ahead and use block_size=512 within se_dev_set_fabric_max_sectors() in the event of a target_configure_device() failure case, as no valid dev->dev_attrib.block_size value will have been setup yet. Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a possible divide by zero bug when the fabric_max_sectors
device attribute is written and backend se_device failed to be successfully
configured -> enabled.

Go ahead and use block_size=512 within se_dev_set_fabric_max_sectors()
in the event of a target_configure_device() failure case, as no valid
dev->dev_attrib.block_size value will have been setup yet.

Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix regression allowing unconfigured devices to fabric port link 2013-01-31T23:13:23+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-01-31T22:56:12+00:00 faa06ab9aed22f0ad0e15bbf3f80463b5dd7cbe0 This patch fixes a v3.8-rc1 regression bug where an unconfigured se_device was incorrectly allowed to perform a fabric port-link. This bug was introduced in commit: commit 0fd97ccf45be26fb01b3a412f1f6c6b5044b2f16 Author: Christoph Hellwig <hch@infradead.org> Date: Mon Oct 8 00:03:19 2012 -0400 target: kill struct se_subsystem_dev which ended up dropping the original se_subsystem_dev->se_dev_ptr check preventing this from happening with pre commit 0fd97ccf code. Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a v3.8-rc1 regression bug where an unconfigured se_device
was incorrectly allowed to perform a fabric port-link.  This bug was
introduced in commit:

  commit 0fd97ccf45be26fb01b3a412f1f6c6b5044b2f16
  Author: Christoph Hellwig <hch@infradead.org>
  Date:   Mon Oct 8 00:03:19 2012 -0400

      target: kill struct se_subsystem_dev

which ended up dropping the original se_subsystem_dev->se_dev_ptr check
preventing this from happening with pre commit 0fd97ccf code.

Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix zero-length READ_CAPACITY_16 regression 2013-01-29T22:24:26+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-01-29T22:18:00+00:00 8b4b0dcbf70d10f3acd6a88fca0679ca711066e0 This patch fixes a regression introduced in v3.8-rc1 code where a zero-length READ_CAPACITY_16 was no longer returning GOOD status, but instead returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE to generate a CHECK_CONDITION status. This regression was introduced with the following commit: commit de103c93aff0bed0ae984274e5dc8b95899badab Author: Christoph Hellwig <hch@lst.de> Date: Tue Nov 6 12:24:09 2012 -0800 target: pass sense_reason as a return value and this patch has been tested with the following zero-length CDB: sg_raw /dev/sdd 9e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SCSI Status: Good Sense Information: sense buffer empty Also, convert sbc_emulate_readcapacity() to follow the same method of handling transport_kmap_data_sg() return values, but we never expect a zero-length request here. Cc: Christoph Hellwig <hch@lst.de> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a regression introduced in v3.8-rc1 code where a
zero-length READ_CAPACITY_16 was no longer returning GOOD status, but
instead returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE to generate
a CHECK_CONDITION status.

This regression was introduced with the following commit:

  commit de103c93aff0bed0ae984274e5dc8b95899badab
  Author: Christoph Hellwig <hch@lst.de>
  Date:   Tue Nov 6 12:24:09 2012 -0800

      target: pass sense_reason as a return value

and this patch has been tested with the following zero-length CDB:

  sg_raw /dev/sdd 9e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  SCSI Status: Good

  Sense Information:
  sense buffer empty

Also, convert sbc_emulate_readcapacity() to follow the same method
of handling transport_kmap_data_sg() return values, but we never
expect a zero-length request here.

Cc: Christoph Hellwig <hch@lst.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix zero-length MODE_SENSE regression 2013-01-29T22:24:20+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-01-29T22:10:01+00:00 cab9609b449ae5a6875d7d4cef32a814527a3baa This patch fixes a regression introduced in v3.8-rc1 code where a zero-length MODE_SENSE was no longer returning GOOD status, but instead returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE to generate a CHECK_CONDITION status. This regression was introduced with the following commit: commit de103c93aff0bed0ae984274e5dc8b95899badab Author: Christoph Hellwig <hch@lst.de> Date: Tue Nov 6 12:24:09 2012 -0800 target: pass sense_reason as a return value and this patch has been tested with the following zero-length CDB: sg_raw /dev/sdd 5a 00 0a 00 00 00 00 00 00 00 SCSI Status: Good Sense Information: sense buffer empty Cc: Christoph Hellwig <hch@lst.de> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a regression introduced in v3.8-rc1 code where
a zero-length MODE_SENSE was no longer returning GOOD status, but
instead returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE to generate
a CHECK_CONDITION status.

This regression was introduced with the following commit:

  commit de103c93aff0bed0ae984274e5dc8b95899badab
  Author: Christoph Hellwig <hch@lst.de>
  Date:   Tue Nov 6 12:24:09 2012 -0800

      target: pass sense_reason as a return value

and this patch has been tested with the following zero-length CDB:

  sg_raw /dev/sdd 5a 00 0a 00 00 00 00 00 00 00
  SCSI Status: Good

  Sense Information:
  sense buffer empty

Cc: Christoph Hellwig <hch@lst.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix zero-length INQUIRY additional sense code regression 2013-01-29T22:22:01+00:00 Nicholas Bellinger nab@linux-iscsi.org 2013-01-29T21:33:05+00:00 49df9fc9b9fd41e5749c5a9be2d2076328f75fc7 This patch fixes a minor regression introduced in v3.8-rc1 code where a zero-length INQUIRY was no longer returning the correct INVALID FIELD IN CDB additional sense code. This regression was introduced with the following commit: commit de103c93aff0bed0ae984274e5dc8b95899badab Author: Christoph Hellwig <hch@lst.de> Date: Tue Nov 6 12:24:09 2012 -0800 target: pass sense_reason as a return value and this patch has been tested with the following zero-length CDB: sg_raw /dev/sdd 12 00 83 00 00 00 SCSI Status: Check Condition Sense Information: Fixed format, current; Sense key: Illegal Request Additional sense: Invalid field in cdb Cc: Christoph Hellwig <hch@lst.de> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a minor regression introduced in v3.8-rc1 code
where a zero-length INQUIRY was no longer returning the correct
INVALID FIELD IN CDB additional sense code.

This regression was introduced with the following commit:

  commit de103c93aff0bed0ae984274e5dc8b95899badab
  Author: Christoph Hellwig <hch@lst.de>
  Date:   Tue Nov 6 12:24:09 2012 -0800

      target: pass sense_reason as a return value

and this patch has been tested with the following zero-length CDB:

  sg_raw /dev/sdd 12 00 83 00 00 00
  SCSI Status: Check Condition

  Sense Information:
   Fixed format, current;  Sense key: Illegal Request
   Additional sense: Invalid field in cdb

Cc: Christoph Hellwig <hch@lst.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
iscsi-target: Fix CmdSN comparison (use cmd->cmd_sn instead of cmd->stat_sn) 2013-01-11T05:00:37+00:00 Roland Dreier roland@purestorage.com 2013-01-07T19:45:16+00:00 64fe4f4f181cc2fe97d4176bf6ee6e3725ae33ec Commit 64c13330a389 ("iscsi-target: Fix bug in handling of ExpStatSN ACK during u32 wrap-around") introduced a bug where we compare the wrong SN against our ExpCmdSN. Reported-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
Commit 64c13330a389 ("iscsi-target: Fix bug in handling of ExpStatSN
ACK during u32 wrap-around") introduced a bug where we compare the
wrong SN against our ExpCmdSN.

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Release se_cmd when LUN lookup fails for TMR 2013-01-11T05:00:36+00:00 Roland Dreier roland@purestorage.com 2013-01-02T20:47:59+00:00 5a3b6fc0092c5f8dee7820064ee54d2631d48573 When transport_lookup_tmr_lun() fails and we return a task management response from target_complete_tmr_failure(), we need to call transport_cmd_check_stop_to_fabric() to release the last ref to the cmd after calling se_tfo->queue_tm_rsp(), or else we will never remove the failed TMR from the session command list (and we'll end up waiting forever when trying to tear down the session). (nab: Fix minor compile breakage) Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
When transport_lookup_tmr_lun() fails and we return a task management
response from target_complete_tmr_failure(), we need to call
transport_cmd_check_stop_to_fabric() to release the last ref to the
cmd after calling se_tfo->queue_tm_rsp(), or else we will never remove
the failed TMR from the session command list (and we'll end up waiting
forever when trying to tear down the session).

(nab: Fix minor compile breakage)

Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix use-after-free in LUN RESET handling 2013-01-11T05:00:35+00:00 Roland Dreier roland@purestorage.com 2013-01-02T20:47:58+00:00 72b59d6ee8adaa51f70377db0a1917ed489bead8 If a backend IO takes a really long then an initiator might abort a command, and then when it gives up on the abort, send a LUN reset too, all before we process any of the original command or the abort. (The abort will wait for the backend IO to complete too) When the backend IO final completes (or fails), the abort handling will proceed and queue up a "return aborted status" operation. Then, while that's still pending, the LUN reset might find the original command still on the LUN's list of commands and try to return aborted status again, which leads to a use-after free when the first se_tfo->queue_status call frees the command and then the second se_tfo->queue_status call runs. Fix this by removing a command from the LUN state_list when we first are about to queue aborted status; we shouldn't do anything LUN-related after we've started returning status, so this seems like the correct thing to do. Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
If a backend IO takes a really long then an initiator might abort a
command, and then when it gives up on the abort, send a LUN reset too,
all before we process any of the original command or the abort.  (The
abort will wait for the backend IO to complete too)

When the backend IO final completes (or fails), the abort handling
will proceed and queue up a "return aborted status" operation.  Then,
while that's still pending, the LUN reset might find the original
command still on the LUN's list of commands and try to return aborted
status again, which leads to a use-after free when the first
se_tfo->queue_status call frees the command and then the second
se_tfo->queue_status call runs.

Fix this by removing a command from the LUN state_list when we first
are about to queue aborted status; we shouldn't do anything
LUN-related after we've started returning status, so this seems like
the correct thing to do.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>