<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/target, branch v4.14.44</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>scsi: target: Fix fortify_panic kernel exception</title>
<updated>2018-05-09T07:51:51+00:00</updated>
<author>
<name>Bryant G Ly</name>
<email>bryantly@linux.vnet.ibm.com</email>
</author>
<published>2018-04-17T15:33:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2c698f7b169a5534c783a6f3ab35f8db275f456b'/>
<id>2c698f7b169a5534c783a6f3ab35f8db275f456b</id>
<content type='text'>
commit f5957dade4f373b04fa1f5315a489f18cc2c4cb4 upstream.

memcmp() requires the two buffers passed as arguments to be at least
'size' bytes long, otherwise a fortify_panic will trigger.

Use memchr_inv() instead of memcmp() to determine whether the received
payload is zeroed or not.

The bug was found by running a block backstore via LIO.

[  496.212958] Call Trace:
[  496.212960] [c0000007e58e3800] [c000000000cbbefc] fortify_panic+0x24/0x38 (unreliable)
[  496.212965] [c0000007e58e3860] [d00000000f150c28] iblock_execute_write_same+0x3b8/0x3c0 [target_core_iblock]
[  496.212976] [c0000007e58e3910] [d000000006c737d4] __target_execute_cmd+0x54/0x150 [target_core_mod]
[  496.212982] [c0000007e58e3940] [d000000006d32ce4] ibmvscsis_write_pending+0x74/0xe0 [ibmvscsis]
[  496.212991] [c0000007e58e39b0] [d000000006c74fc8] transport_generic_new_cmd+0x318/0x370 [target_core_mod]
[  496.213001] [c0000007e58e3a30] [d000000006c75084] transport_handle_cdb_direct+0x64/0xd0 [target_core_mod]
[  496.213011] [c0000007e58e3aa0] [d000000006c75298] target_submit_cmd_map_sgls+0x1a8/0x320 [target_core_mod]
[  496.213021] [c0000007e58e3b30] [d000000006c75458] target_submit_cmd+0x48/0x60 [target_core_mod]
[  496.213026] [c0000007e58e3bd0] [d000000006d34c20] ibmvscsis_scheduler+0x370/0x600 [ibmvscsis]
[  496.213031] [c0000007e58e3c90] [c00000000013135c] process_one_work+0x1ec/0x580
[  496.213035] [c0000007e58e3d20] [c000000000131798] worker_thread+0xa8/0x600
[  496.213039] [c0000007e58e3dc0] [c00000000013a468] kthread+0x168/0x1b0
[  496.213044] [c0000007e58e3e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4

[mkp: tweaked commit message]

Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
Signed-off-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Reviewed-by: Steven Royer &lt;seroyer@linux.vnet.ibm.com&gt;
Tested-by: Taylor Jakobson &lt;tjakobs@us.ibm.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.13+
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f5957dade4f373b04fa1f5315a489f18cc2c4cb4 upstream.

memcmp() requires the two buffers passed as arguments to be at least
'size' bytes long, otherwise a fortify_panic will trigger.

Use memchr_inv() instead of memcmp() to determine whether the received
payload is zeroed or not.

The bug was found by running a block backstore via LIO.

[  496.212958] Call Trace:
[  496.212960] [c0000007e58e3800] [c000000000cbbefc] fortify_panic+0x24/0x38 (unreliable)
[  496.212965] [c0000007e58e3860] [d00000000f150c28] iblock_execute_write_same+0x3b8/0x3c0 [target_core_iblock]
[  496.212976] [c0000007e58e3910] [d000000006c737d4] __target_execute_cmd+0x54/0x150 [target_core_mod]
[  496.212982] [c0000007e58e3940] [d000000006d32ce4] ibmvscsis_write_pending+0x74/0xe0 [ibmvscsis]
[  496.212991] [c0000007e58e39b0] [d000000006c74fc8] transport_generic_new_cmd+0x318/0x370 [target_core_mod]
[  496.213001] [c0000007e58e3a30] [d000000006c75084] transport_handle_cdb_direct+0x64/0xd0 [target_core_mod]
[  496.213011] [c0000007e58e3aa0] [d000000006c75298] target_submit_cmd_map_sgls+0x1a8/0x320 [target_core_mod]
[  496.213021] [c0000007e58e3b30] [d000000006c75458] target_submit_cmd+0x48/0x60 [target_core_mod]
[  496.213026] [c0000007e58e3bd0] [d000000006d34c20] ibmvscsis_scheduler+0x370/0x600 [ibmvscsis]
[  496.213031] [c0000007e58e3c90] [c00000000013135c] process_one_work+0x1ec/0x580
[  496.213035] [c0000007e58e3d20] [c000000000131798] worker_thread+0xa8/0x600
[  496.213039] [c0000007e58e3dc0] [c00000000013a468] kthread+0x168/0x1b0
[  496.213044] [c0000007e58e3e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4

[mkp: tweaked commit message]

Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
Signed-off-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Reviewed-by: Steven Royer &lt;seroyer@linux.vnet.ibm.com&gt;
Tested-by: Taylor Jakobson &lt;tjakobs@us.ibm.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.13+
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tcmu: release blocks for partially setup cmds</title>
<updated>2018-04-12T10:32:21+00:00</updated>
<author>
<name>Mike Christie</name>
<email>mchristi@redhat.com</email>
</author>
<published>2017-11-28T18:40:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc166ca4234c241ae28b13bac8583d04bcdf9a9e'/>
<id>bc166ca4234c241ae28b13bac8583d04bcdf9a9e</id>
<content type='text'>
[ Upstream commit 810b8153c4243d2012a6ec002ddd3bbc9a9ae8c2 ]

If we cannot setup a cmd because we run out of ring space
or global pages release the blocks before sleeping. This
prevents a deadlock where dev0 has waiting_blocks set and
needs N blocks, but dev1 to devX have each allocated N / X blocks
and also hit the global block limit so they went to sleep.

find_free_blocks is not able to take the sleeping dev's
blocks becaause their waiting_blocks is set and even
if it was not the block returned by find_last_bit could equal
dbi_max. The latter will probably never happen because
DATA_BLOCK_BITS is so high but in the next patches
DATA_BLOCK_BITS and TCMU_GLOBAL_MAX_BLOCKS will be settable so
it might be lower and could happen.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 810b8153c4243d2012a6ec002ddd3bbc9a9ae8c2 ]

If we cannot setup a cmd because we run out of ring space
or global pages release the blocks before sleeping. This
prevents a deadlock where dev0 has waiting_blocks set and
needs N blocks, but dev1 to devX have each allocated N / X blocks
and also hit the global block limit so they went to sleep.

find_free_blocks is not able to take the sleeping dev's
blocks becaause their waiting_blocks is set and even
if it was not the block returned by find_last_bit could equal
dbi_max. The latter will probably never happen because
DATA_BLOCK_BITS is so high but in the next patches
DATA_BLOCK_BITS and TCMU_GLOBAL_MAX_BLOCKS will be settable so
it might be lower and could happen.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: make sure to wake up sleeping login worker</title>
<updated>2018-02-22T14:42:29+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2018-01-19T13:36:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c8d0f63c15851e7d6f41b455d74e4b2b0a862a09'/>
<id>c8d0f63c15851e7d6f41b455d74e4b2b0a862a09</id>
<content type='text'>
commit 1c130ae00b769a2e2df41bad3d6051ee8234b636 upstream.

Mike Christie reports:
  Starting in 4.14 iscsi logins will fail around 50% of the time.

Problem appears to be that iscsi_target_sk_data_ready() callback may
return without doing anything in case it finds the login work queue
is still blocked in sock_recvmsg().

Nicholas Bellinger says:
  It would indicate users providing their own -&gt;sk_data_ready() callback
  must be responsible for waking up a kthread context blocked on
  sock_recvmsg(..., MSG_WAITALL), when a second -&gt;sk_data_ready() is
  received before the first sock_recvmsg(..., MSG_WAITALL) completes.

So, do this and invoke the original data_ready() callback -- in
case of tcp sockets this takes care of waking the thread.

Disclaimer: I do not understand why this problem did not show up before
tcp prequeue removal.

(Drop WARN_ON usage - nab)

Reported-by: Mike Christie &lt;mchristi@redhat.com&gt;
Bisected-by: Mike Christie &lt;mchristi@redhat.com&gt;
Tested-by: Mike Christie &lt;mchristi@redhat.com&gt;
Diagnosed-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Fixes: e7942d0633c4 ("tcp: remove prequeue support")
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Cc: stable@vger.kernel.org # 4.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1c130ae00b769a2e2df41bad3d6051ee8234b636 upstream.

Mike Christie reports:
  Starting in 4.14 iscsi logins will fail around 50% of the time.

Problem appears to be that iscsi_target_sk_data_ready() callback may
return without doing anything in case it finds the login work queue
is still blocked in sock_recvmsg().

Nicholas Bellinger says:
  It would indicate users providing their own -&gt;sk_data_ready() callback
  must be responsible for waking up a kthread context blocked on
  sock_recvmsg(..., MSG_WAITALL), when a second -&gt;sk_data_ready() is
  received before the first sock_recvmsg(..., MSG_WAITALL) completes.

So, do this and invoke the original data_ready() callback -- in
case of tcp sockets this takes care of waking the thread.

Disclaimer: I do not understand why this problem did not show up before
tcp prequeue removal.

(Drop WARN_ON usage - nab)

Reported-by: Mike Christie &lt;mchristi@redhat.com&gt;
Bisected-by: Mike Christie &lt;mchristi@redhat.com&gt;
Tested-by: Mike Christie &lt;mchristi@redhat.com&gt;
Diagnosed-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Fixes: e7942d0633c4 ("tcp: remove prequeue support")
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Cc: stable@vger.kernel.org # 4.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>target/iscsi: avoid NULL dereference in CHAP auth error path</title>
<updated>2018-02-22T14:42:29+00:00</updated>
<author>
<name>David Disseldorp</name>
<email>ddiss@suse.de</email>
</author>
<published>2017-12-13T17:22:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4cbb9fdf133cc5a5dcb1ac7153791792976c62c9'/>
<id>4cbb9fdf133cc5a5dcb1ac7153791792976c62c9</id>
<content type='text'>
commit ce512d79d0466a604793addb6b769d12ee326822 upstream.

If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then
crypto_free_shash() is called with a NULL pointer which gets
dereferenced in crypto_shash_tfm().

Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash")
Suggested-by: Markus Elfring &lt;elfring@users.sourceforge.net&gt;
Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Cc: stable@vger.kernel.org # 4.6+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ce512d79d0466a604793addb6b769d12ee326822 upstream.

If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then
crypto_free_shash() is called with a NULL pointer which gets
dereferenced in crypto_shash_tfm().

Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash")
Suggested-by: Markus Elfring &lt;elfring@users.sourceforge.net&gt;
Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Cc: stable@vger.kernel.org # 4.6+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>block: fix blk_rq_append_bio</title>
<updated>2018-01-02T19:31:05+00:00</updated>
<author>
<name>Jens Axboe</name>
<email>axboe@kernel.dk</email>
</author>
<published>2017-12-18T07:40:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=88da02868f7741cc7c1d895840e236e6df5483ef'/>
<id>88da02868f7741cc7c1d895840e236e6df5483ef</id>
<content type='text'>
commit 0abc2a10389f0c9070f76ca906c7382788036b93 upstream.

Commit caa4b02476e3(blk-map: call blk_queue_bounce from blk_rq_append_bio)
moves blk_queue_bounce() into blk_rq_append_bio(), but don't consider
the fact that the bounced bio becomes invisible to caller since the
parameter type is 'struct bio *'. Make it a pointer to a pointer to
a bio, so the caller sees the right bio also after a bounce.

Fixes: caa4b02476e3 ("blk-map: call blk_queue_bounce from blk_rq_append_bio")
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Reported-by: Michele Ballabio &lt;barra_cuda@katamail.com&gt;
(handling failure of blk_rq_append_bio(), only call bio_get() after
blk_rq_append_bio() returns OK)
Tested-by: Michele Ballabio &lt;barra_cuda@katamail.com&gt;
Signed-off-by: Ming Lei &lt;ming.lei@redhat.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0abc2a10389f0c9070f76ca906c7382788036b93 upstream.

Commit caa4b02476e3(blk-map: call blk_queue_bounce from blk_rq_append_bio)
moves blk_queue_bounce() into blk_rq_append_bio(), but don't consider
the fact that the bounced bio becomes invisible to caller since the
parameter type is 'struct bio *'. Make it a pointer to a pointer to
a bio, so the caller sees the right bio also after a bounce.

Fixes: caa4b02476e3 ("blk-map: call blk_queue_bounce from blk_rq_append_bio")
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Reported-by: Michele Ballabio &lt;barra_cuda@katamail.com&gt;
(handling failure of blk_rq_append_bio(), only call bio_get() after
blk_rq_append_bio() returns OK)
Tested-by: Michele Ballabio &lt;barra_cuda@katamail.com&gt;
Signed-off-by: Ming Lei &lt;ming.lei@redhat.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>target/file: Do not return error for UNMAP if length is zero</title>
<updated>2017-12-20T09:10:26+00:00</updated>
<author>
<name>Jiang Yi</name>
<email>jiangyilism@gmail.com</email>
</author>
<published>2017-08-11T03:29:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f6a341e87c656f1e2e9959cfdd2d02561724558f'/>
<id>f6a341e87c656f1e2e9959cfdd2d02561724558f</id>
<content type='text'>
[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]

The function fd_execute_unmap() in target_core_file.c calles

ret = file-&gt;f_op-&gt;fallocate(file, mode, pos, len);

Some filesystems implement fallocate() to return error if
length is zero (e.g. btrfs) but according to SCSI Block
Commands spec UNMAP should return success for zero length.

Signed-off-by: Jiang Yi &lt;jiangyilism@gmail.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]

The function fd_execute_unmap() in target_core_file.c calles

ret = file-&gt;f_op-&gt;fallocate(file, mode, pos, len);

Some filesystems implement fallocate() to return error if
length is zero (e.g. btrfs) but according to SCSI Block
Commands spec UNMAP should return success for zero length.

Signed-off-by: Jiang Yi &lt;jiangyilism@gmail.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target:fix condition return in core_pr_dump_initiator_port()</title>
<updated>2017-12-20T09:10:25+00:00</updated>
<author>
<name>tangwenji</name>
<email>tang.wenji@zte.com.cn</email>
</author>
<published>2017-08-24T11:59:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=23d3f106f88ca21fd2911ae2f3a4f8aa7b56fddc'/>
<id>23d3f106f88ca21fd2911ae2f3a4f8aa7b56fddc</id>
<content type='text'>
[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]

When is pr_reg-&gt;isid_present_at_reg is false,this function should return.

This fixes a regression originally introduced by:

  commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
  Author: Andy Grover &lt;agrover@redhat.com&gt;
  Date:   Thu May 16 10:40:55 2013 -0700

      target: Alter core_pr_dump_initiator_port for ease of use

Signed-off-by: tangwenji &lt;tang.wenji@zte.com.cn&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]

When is pr_reg-&gt;isid_present_at_reg is false,this function should return.

This fixes a regression originally introduced by:

  commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
  Author: Andy Grover &lt;agrover@redhat.com&gt;
  Date:   Thu May 16 10:40:55 2013 -0700

      target: Alter core_pr_dump_initiator_port for ease of use

Signed-off-by: tangwenji &lt;tang.wenji@zte.com.cn&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: fix memory leak in lio_target_tiqn_addtpg()</title>
<updated>2017-12-20T09:10:25+00:00</updated>
<author>
<name>tangwenji</name>
<email>tang.wenji@zte.com.cn</email>
</author>
<published>2017-09-15T08:03:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e389507ad355226019147985c29a5b4282aa1e4d'/>
<id>e389507ad355226019147985c29a5b4282aa1e4d</id>
<content type='text'>
[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]

tpg must free when call core_tpg_register() return fail

Signed-off-by: tangwenji &lt;tang.wenji@zte.com.cn&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]

tpg must free when call core_tpg_register() return fail

Signed-off-by: tangwenji &lt;tang.wenji@zte.com.cn&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()</title>
<updated>2017-12-20T09:10:25+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@wdc.com</email>
</author>
<published>2017-10-31T18:03:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=68d702c6689d83000060118f940e0adce88e42aa'/>
<id>68d702c6689d83000060118f940e0adce88e42aa</id>
<content type='text'>
[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]

Avoid that cmd-&gt;se_cmd.se_tfo is read after a command has already been
freed.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@wdc.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]

Avoid that cmd-&gt;se_cmd.se_tfo is read after a command has already been
freed.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@wdc.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target/iscsi: Detect conn_cmd_list corruption early</title>
<updated>2017-12-20T09:10:25+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@wdc.com</email>
</author>
<published>2017-10-31T18:03:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=96d275b841efc6decf61afafc1703f0e9b92253d'/>
<id>96d275b841efc6decf61afafc1703f0e9b92253d</id>
<content type='text'>
[ Upstream commit 6eaf69e4ec075f5af236c0c89f75639a195db904 ]

Certain behavior of the initiator can cause the target driver to
send both a reject and a SCSI response. If that happens two
target_put_sess_cmd() calls will occur without the command having
been removed from conn_cmd_list. In other words, conn_cmd_list
will get corrupted once the freed memory is reused. Although the
Linux kernel can detect list corruption if list debugging is
enabled, in this case the context in which list corruption is
detected is not related to the context that caused list corruption.
Hence add WARN_ON() statements that report the context that is
causing list corruption.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@wdc.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6eaf69e4ec075f5af236c0c89f75639a195db904 ]

Certain behavior of the initiator can cause the target driver to
send both a reject and a SCSI response. If that happens two
target_put_sess_cmd() calls will occur without the command having
been removed from conn_cmd_list. In other words, conn_cmd_list
will get corrupted once the freed memory is reused. Although the
Linux kernel can detect list corruption if list debugging is
enabled, in this case the context in which list corruption is
detected is not related to the context that caused list corruption.
Hence add WARN_ON() statements that report the context that is
causing list corruption.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@wdc.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
