<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/target/iscsi, branch v3.10</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>iscsi-target: Remove left over v3.10-rc debug printks</title>
<updated>2013-06-20T23:47:41+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2013-06-20T23:36:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=58807a524782744aed5fb7b8fefac7134721331a'/>
<id>58807a524782744aed5fb7b8fefac7134721331a</id>
<content type='text'>
Reported-by: Andy Grover &lt;agrover@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reported-by: Andy Grover &lt;agrover@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target/iscsi: Fix op=disable + error handling cases in np_store_iser</title>
<updated>2013-06-20T23:47:32+00:00</updated>
<author>
<name>Andy Grover</name>
<email>agrover@redhat.com</email>
</author>
<published>2013-05-29T19:05:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=58bd0c69ffa27ea2309959836811e88004d73720'/>
<id>58bd0c69ffa27ea2309959836811e88004d73720</id>
<content type='text'>
Writing 0 when iser was not previously enabled, so succeed but do
nothing so that user-space code doesn't need a try: catch block
when ib_isert logic is not available.

Also, return actual error from add_network_portal using PTR_ERR
during op=enable failure.

Signed-off-by: Andy Grover &lt;agrover@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Writing 0 when iser was not previously enabled, so succeed but do
nothing so that user-space code doesn't need a try: catch block
when ib_isert logic is not available.

Also, return actual error from add_network_portal using PTR_ERR
during op=enable failure.

Signed-off-by: Andy Grover &lt;agrover@redhat.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()</title>
<updated>2013-06-14T07:55:49+00:00</updated>
<author>
<name>Jörn Engel</name>
<email>joern@logfs.org</email>
</author>
<published>2013-05-30T20:36:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=574780fd5e6ec52bd43e0bdb777a19e4c4c6aa9c'/>
<id>574780fd5e6ec52bd43e0bdb777a19e4c4c6aa9c</id>
<content type='text'>
Here is a fun one.  Bug seems to have been introduced by commit 140854cb,
almost two years ago.  I have no idea why we only started seeing it now,
but we did.

Rough callgraph:
core_tpg_set_initiator_node_queue_depth()
`-&gt; spin_lock_irqsave(&amp;tpg-&gt;session_lock, flags);
`-&gt; lio_tpg_shutdown_session()
    `-&gt; iscsit_stop_time2retain_timer()
        `-&gt; spin_unlock_bh(&amp;se_tpg-&gt;session_lock);
        `-&gt; spin_lock_bh(&amp;se_tpg-&gt;session_lock);
`-&gt; spin_unlock_irqrestore(&amp;tpg-&gt;session_lock, flags);

core_tpg_set_initiator_node_queue_depth() used to call spin_lock_bh(),
but 140854cb changed that to spin_lock_irqsave().  However,
lio_tpg_shutdown_session() still claims to be called with spin_lock_bh()
held, as does iscsit_stop_time2retain_timer():
 *      Called with spin_lock_bh(&amp;struct se_portal_group-&gt;session_lock) held

Stale documentation is mostly annoying, but in this case the dropping
the lock with the _bh variant is plain wrong.  It is also wrong to drop
locks two functions below the lock-holder, but I will ignore that bit
for now.

After some more locking and unlocking we eventually hit this backtrace:
------------[ cut here ]------------
WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0xe8/0x100()
Pid: 24645, comm: lio_helper.py Tainted: G           O 3.6.11+
Call Trace:
 [&lt;ffffffff8103e5ff&gt;] warn_slowpath_common+0x7f/0xc0
 [&lt;ffffffffa040ae37&gt;] ? iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
 [&lt;ffffffff8103e65a&gt;] warn_slowpath_null+0x1a/0x20
 [&lt;ffffffff810472f8&gt;] local_bh_enable_ip+0xe8/0x100
 [&lt;ffffffff815b8365&gt;] _raw_spin_unlock_bh+0x15/0x20
 [&lt;ffffffffa040ae37&gt;] iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
 [&lt;ffffffffa041149a&gt;] iscsit_stop_session+0xfa/0x1c0 [iscsi_target_mod]
 [&lt;ffffffffa0417fab&gt;] lio_tpg_shutdown_session+0x7b/0x90 [iscsi_target_mod]
 [&lt;ffffffffa033ede4&gt;] core_tpg_set_initiator_node_queue_depth+0xe4/0x290 [target_core_mod]
 [&lt;ffffffffa0409032&gt;] iscsit_tpg_set_initiator_node_queue_depth+0x12/0x20 [iscsi_target_mod]
 [&lt;ffffffffa0415c29&gt;] lio_target_nacl_store_cmdsn_depth+0xa9/0x180 [iscsi_target_mod]
 [&lt;ffffffffa0331b49&gt;] target_fabric_nacl_base_attr_store+0x39/0x40 [target_core_mod]
 [&lt;ffffffff811b857d&gt;] configfs_write_file+0xbd/0x120
 [&lt;ffffffff81148f36&gt;] vfs_write+0xc6/0x180
 [&lt;ffffffff81149251&gt;] sys_write+0x51/0x90
 [&lt;ffffffff815c0969&gt;] system_call_fastpath+0x16/0x1b
---[ end trace 3747632b9b164652 ]---

As a pure band-aid, this patch drops the _bh.

Signed-off-by: Joern Engel &lt;joern@logfs.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Here is a fun one.  Bug seems to have been introduced by commit 140854cb,
almost two years ago.  I have no idea why we only started seeing it now,
but we did.

Rough callgraph:
core_tpg_set_initiator_node_queue_depth()
`-&gt; spin_lock_irqsave(&amp;tpg-&gt;session_lock, flags);
`-&gt; lio_tpg_shutdown_session()
    `-&gt; iscsit_stop_time2retain_timer()
        `-&gt; spin_unlock_bh(&amp;se_tpg-&gt;session_lock);
        `-&gt; spin_lock_bh(&amp;se_tpg-&gt;session_lock);
`-&gt; spin_unlock_irqrestore(&amp;tpg-&gt;session_lock, flags);

core_tpg_set_initiator_node_queue_depth() used to call spin_lock_bh(),
but 140854cb changed that to spin_lock_irqsave().  However,
lio_tpg_shutdown_session() still claims to be called with spin_lock_bh()
held, as does iscsit_stop_time2retain_timer():
 *      Called with spin_lock_bh(&amp;struct se_portal_group-&gt;session_lock) held

Stale documentation is mostly annoying, but in this case the dropping
the lock with the _bh variant is plain wrong.  It is also wrong to drop
locks two functions below the lock-holder, but I will ignore that bit
for now.

After some more locking and unlocking we eventually hit this backtrace:
------------[ cut here ]------------
WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0xe8/0x100()
Pid: 24645, comm: lio_helper.py Tainted: G           O 3.6.11+
Call Trace:
 [&lt;ffffffff8103e5ff&gt;] warn_slowpath_common+0x7f/0xc0
 [&lt;ffffffffa040ae37&gt;] ? iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
 [&lt;ffffffff8103e65a&gt;] warn_slowpath_null+0x1a/0x20
 [&lt;ffffffff810472f8&gt;] local_bh_enable_ip+0xe8/0x100
 [&lt;ffffffff815b8365&gt;] _raw_spin_unlock_bh+0x15/0x20
 [&lt;ffffffffa040ae37&gt;] iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
 [&lt;ffffffffa041149a&gt;] iscsit_stop_session+0xfa/0x1c0 [iscsi_target_mod]
 [&lt;ffffffffa0417fab&gt;] lio_tpg_shutdown_session+0x7b/0x90 [iscsi_target_mod]
 [&lt;ffffffffa033ede4&gt;] core_tpg_set_initiator_node_queue_depth+0xe4/0x290 [target_core_mod]
 [&lt;ffffffffa0409032&gt;] iscsit_tpg_set_initiator_node_queue_depth+0x12/0x20 [iscsi_target_mod]
 [&lt;ffffffffa0415c29&gt;] lio_target_nacl_store_cmdsn_depth+0xa9/0x180 [iscsi_target_mod]
 [&lt;ffffffffa0331b49&gt;] target_fabric_nacl_base_attr_store+0x39/0x40 [target_core_mod]
 [&lt;ffffffff811b857d&gt;] configfs_write_file+0xbd/0x120
 [&lt;ffffffff81148f36&gt;] vfs_write+0xc6/0x180
 [&lt;ffffffff81149251&gt;] sys_write+0x51/0x90
 [&lt;ffffffff815c0969&gt;] system_call_fastpath+0x16/0x1b
---[ end trace 3747632b9b164652 ]---

As a pure band-aid, this patch drops the _bh.

Signed-off-by: Joern Engel &lt;joern@logfs.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Fix iscsit_free_cmd() se_cmd-&gt;cmd_kref shutdown handling</title>
<updated>2013-05-31T08:21:28+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2013-05-31T07:49:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aafc9d158b0039e600fc429246c7bb04a111fb26'/>
<id>aafc9d158b0039e600fc429246c7bb04a111fb26</id>
<content type='text'>
With the introduction of target_get_sess_cmd() referencing counting for
ISCSI_OP_SCSI_CMD processing with iser-target, iscsit_free_cmd() usage
in traditional iscsi-target driver code now needs to be aware of the
active I/O shutdown case when a remaining se_cmd-&gt;cmd_kref reference may
exist after transport_generic_free_cmd() completes, requiring a final
target_put_sess_cmd() to release iscsi_cmd descriptor memory.

This patch changes iscsit_free_cmd() to invoke __iscsit_free_cmd() before
transport_generic_free_cmd() -&gt; target_put_sess_cmd(), and also avoids
aquiring the per-connection queue locks for typical fast-path calls
during normal ISTATE_REMOVE operation.

Also update iscsit_free_cmd() usage throughout iscsi-target to
use the new 'bool shutdown' parameter.

This patch fixes a regression bug introduced during v3.10-rc1 in
commit 3e1c81a95, that was causing the following WARNING to appear:

[  257.235153] ------------[ cut here]------------
[  257.240314] WARNING: at kernel/softirq.c:160 local_bh_enable_ip+0x3c/0x86()
[  257.248089] Modules linked in: vhost_scsi ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx tcm_loop
	tcm_fc libfc iscsi_target_mod target_core_pscsi target_core_file
	target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp
	libiscsi scsi_transport_iscsi loop acpi_cpufreq freq_table mperf
	kvm_intel kvm crc32c_intel button ehci_pci pcspkr joydev i2c_i801
	microcode ext3 jbd raid10 raid456 async_pq async_xor xor async_memcpy
	async_raid6_recov raid6_pq async_tx raid1 raid0 linear igb hwmon
	i2c_algo_bit i2c_core ptp ata_piix libata qla2xxx uhci_hcd ehci_hcd
	mlx4_core scsi_transport_fc scsi_tgt pps_core
[  257.308748] CPU: 1 PID: 3295 Comm: iscsi_ttx Not tainted 3.10.0-rc2+ #103
[  257.316329] Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.00.0057.031020111721 03/10/2011
[  257.327597]  ffffffff814c24b7 ffff880458331b58 ffffffff8138eef2 ffff880458331b98
[  257.335892]  ffffffff8102c052 ffff880400000008 0000000000000000 ffff88085bdf0000
[  257.344191]  ffff88085bdf00d8 ffff88085bdf00e0 ffff88085bdf00f8 ffff880458331ba8
[  257.352488] Call Trace:
[  257.355223]  [&lt;ffffffff8138eef2&gt;] dump_stack+0x19/0x1f
[  257.360963]  [&lt;ffffffff8102c052&gt;] warn_slowpath_common+0x62/0x7b
[  257.367669]  [&lt;ffffffff8102c080&gt;] warn_slowpath_null+0x15/0x17
[  257.374181]  [&lt;ffffffff81032345&gt;] local_bh_enable_ip+0x3c/0x86
[  257.380697]  [&lt;ffffffff813917fd&gt;] _raw_spin_unlock_bh+0x10/0x12
[  257.387311]  [&lt;ffffffffa029069c&gt;] iscsit_free_r2ts_from_list+0x5e/0x67 [iscsi_target_mod]
[  257.396438]  [&lt;ffffffffa02906c5&gt;] iscsit_release_cmd+0x20/0x223 [iscsi_target_mod]
[  257.404893]  [&lt;ffffffffa02977a4&gt;] lio_release_cmd+0x3a/0x3e [iscsi_target_mod]
[  257.412964]  [&lt;ffffffffa01d59a1&gt;] target_release_cmd_kref+0x7a/0x7c [target_core_mod]
[  257.421712]  [&lt;ffffffffa01d69bc&gt;] target_put_sess_cmd+0x5f/0x7f [target_core_mod]
[  257.430071]  [&lt;ffffffffa01d6d6d&gt;] transport_release_cmd+0x59/0x6f [target_core_mod]
[  257.438625]  [&lt;ffffffffa01d6eb4&gt;] transport_put_cmd+0x131/0x140 [target_core_mod]
[  257.446985]  [&lt;ffffffffa01d6192&gt;] ? transport_wait_for_tasks+0xfa/0x1d5 [target_core_mod]
[  257.456121]  [&lt;ffffffffa01d6f11&gt;] transport_generic_free_cmd+0x4e/0x52 [target_core_mod]
[  257.465159]  [&lt;ffffffff81050537&gt;] ? __migrate_task+0x110/0x110
[  257.471674]  [&lt;ffffffffa02904ba&gt;] iscsit_free_cmd+0x46/0x55 [iscsi_target_mod]
[  257.479741]  [&lt;ffffffffa0291edb&gt;] iscsit_immediate_queue+0x301/0x353 [iscsi_target_mod]
[  257.488683]  [&lt;ffffffffa0292f7e&gt;] iscsi_target_tx_thread+0x1c6/0x2a8 [iscsi_target_mod]
[  257.497623]  [&lt;ffffffff81047486&gt;] ? wake_up_bit+0x25/0x25
[  257.503652]  [&lt;ffffffffa0292db8&gt;] ? iscsit_ack_from_expstatsn+0xd5/0xd5 [iscsi_target_mod]
[  257.512882]  [&lt;ffffffff81046f89&gt;] kthread+0xb0/0xb8
[  257.518329]  [&lt;ffffffff81046ed9&gt;] ? kthread_freezable_should_stop+0x60/0x60
[  257.526105]  [&lt;ffffffff81396fec&gt;] ret_from_fork+0x7c/0xb0
[  257.532133]  [&lt;ffffffff81046ed9&gt;] ? kthread_freezable_should_stop+0x60/0x60
[  257.539906] ---[ end trace 5520397d0f2e0800 ]---

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With the introduction of target_get_sess_cmd() referencing counting for
ISCSI_OP_SCSI_CMD processing with iser-target, iscsit_free_cmd() usage
in traditional iscsi-target driver code now needs to be aware of the
active I/O shutdown case when a remaining se_cmd-&gt;cmd_kref reference may
exist after transport_generic_free_cmd() completes, requiring a final
target_put_sess_cmd() to release iscsi_cmd descriptor memory.

This patch changes iscsit_free_cmd() to invoke __iscsit_free_cmd() before
transport_generic_free_cmd() -&gt; target_put_sess_cmd(), and also avoids
aquiring the per-connection queue locks for typical fast-path calls
during normal ISTATE_REMOVE operation.

Also update iscsit_free_cmd() usage throughout iscsi-target to
use the new 'bool shutdown' parameter.

This patch fixes a regression bug introduced during v3.10-rc1 in
commit 3e1c81a95, that was causing the following WARNING to appear:

[  257.235153] ------------[ cut here]------------
[  257.240314] WARNING: at kernel/softirq.c:160 local_bh_enable_ip+0x3c/0x86()
[  257.248089] Modules linked in: vhost_scsi ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx tcm_loop
	tcm_fc libfc iscsi_target_mod target_core_pscsi target_core_file
	target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp
	libiscsi scsi_transport_iscsi loop acpi_cpufreq freq_table mperf
	kvm_intel kvm crc32c_intel button ehci_pci pcspkr joydev i2c_i801
	microcode ext3 jbd raid10 raid456 async_pq async_xor xor async_memcpy
	async_raid6_recov raid6_pq async_tx raid1 raid0 linear igb hwmon
	i2c_algo_bit i2c_core ptp ata_piix libata qla2xxx uhci_hcd ehci_hcd
	mlx4_core scsi_transport_fc scsi_tgt pps_core
[  257.308748] CPU: 1 PID: 3295 Comm: iscsi_ttx Not tainted 3.10.0-rc2+ #103
[  257.316329] Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.00.0057.031020111721 03/10/2011
[  257.327597]  ffffffff814c24b7 ffff880458331b58 ffffffff8138eef2 ffff880458331b98
[  257.335892]  ffffffff8102c052 ffff880400000008 0000000000000000 ffff88085bdf0000
[  257.344191]  ffff88085bdf00d8 ffff88085bdf00e0 ffff88085bdf00f8 ffff880458331ba8
[  257.352488] Call Trace:
[  257.355223]  [&lt;ffffffff8138eef2&gt;] dump_stack+0x19/0x1f
[  257.360963]  [&lt;ffffffff8102c052&gt;] warn_slowpath_common+0x62/0x7b
[  257.367669]  [&lt;ffffffff8102c080&gt;] warn_slowpath_null+0x15/0x17
[  257.374181]  [&lt;ffffffff81032345&gt;] local_bh_enable_ip+0x3c/0x86
[  257.380697]  [&lt;ffffffff813917fd&gt;] _raw_spin_unlock_bh+0x10/0x12
[  257.387311]  [&lt;ffffffffa029069c&gt;] iscsit_free_r2ts_from_list+0x5e/0x67 [iscsi_target_mod]
[  257.396438]  [&lt;ffffffffa02906c5&gt;] iscsit_release_cmd+0x20/0x223 [iscsi_target_mod]
[  257.404893]  [&lt;ffffffffa02977a4&gt;] lio_release_cmd+0x3a/0x3e [iscsi_target_mod]
[  257.412964]  [&lt;ffffffffa01d59a1&gt;] target_release_cmd_kref+0x7a/0x7c [target_core_mod]
[  257.421712]  [&lt;ffffffffa01d69bc&gt;] target_put_sess_cmd+0x5f/0x7f [target_core_mod]
[  257.430071]  [&lt;ffffffffa01d6d6d&gt;] transport_release_cmd+0x59/0x6f [target_core_mod]
[  257.438625]  [&lt;ffffffffa01d6eb4&gt;] transport_put_cmd+0x131/0x140 [target_core_mod]
[  257.446985]  [&lt;ffffffffa01d6192&gt;] ? transport_wait_for_tasks+0xfa/0x1d5 [target_core_mod]
[  257.456121]  [&lt;ffffffffa01d6f11&gt;] transport_generic_free_cmd+0x4e/0x52 [target_core_mod]
[  257.465159]  [&lt;ffffffff81050537&gt;] ? __migrate_task+0x110/0x110
[  257.471674]  [&lt;ffffffffa02904ba&gt;] iscsit_free_cmd+0x46/0x55 [iscsi_target_mod]
[  257.479741]  [&lt;ffffffffa0291edb&gt;] iscsit_immediate_queue+0x301/0x353 [iscsi_target_mod]
[  257.488683]  [&lt;ffffffffa0292f7e&gt;] iscsi_target_tx_thread+0x1c6/0x2a8 [iscsi_target_mod]
[  257.497623]  [&lt;ffffffff81047486&gt;] ? wake_up_bit+0x25/0x25
[  257.503652]  [&lt;ffffffffa0292db8&gt;] ? iscsit_ack_from_expstatsn+0xd5/0xd5 [iscsi_target_mod]
[  257.512882]  [&lt;ffffffff81046f89&gt;] kthread+0xb0/0xb8
[  257.518329]  [&lt;ffffffff81046ed9&gt;] ? kthread_freezable_should_stop+0x60/0x60
[  257.526105]  [&lt;ffffffff81396fec&gt;] ret_from_fork+0x7c/0xb0
[  257.532133]  [&lt;ffffffff81046ed9&gt;] ? kthread_freezable_should_stop+0x60/0x60
[  257.539906] ---[ end trace 5520397d0f2e0800 ]---

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: fix heap buffer overflow on error</title>
<updated>2013-05-31T01:07:54+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2013-05-23T17:32:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=cea4dcfdad926a27a18e188720efe0f2c9403456'/>
<id>cea4dcfdad926a27a18e188720efe0f2c9403456</id>
<content type='text'>
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.

Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.

CVE-2013-2850

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.

Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.

CVE-2013-2850

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Fix typos in RDMAEXTENSIONS macro usage</title>
<updated>2013-05-11T23:25:51+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2013-05-11T23:24:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=af40bb0b2e9d7591a3e7c4e1a1800212aa004dff'/>
<id>af40bb0b2e9d7591a3e7c4e1a1800212aa004dff</id>
<content type='text'>
This patch fixes a handful of typos in 'RDMAEXTENTIONS' -&gt; 'RDMAEXTENSIONS'
macro usage.

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a handful of typos in 'RDMAEXTENTIONS' -&gt; 'RDMAEXTENSIONS'
macro usage.

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Fix processing of OOO commands</title>
<updated>2013-05-07T23:51:58+00:00</updated>
<author>
<name>Shlomo Pongratz</name>
<email>shlomop@mellanox.com</email>
</author>
<published>2013-05-05T14:36:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3eccfdb01da58fbd0f789ae6ca61cee3769e26de'/>
<id>3eccfdb01da58fbd0f789ae6ca61cee3769e26de</id>
<content type='text'>
Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn.

Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparisson.

The routine iterates until it finds an entry whose serial number is greater than the serial number of
the new one, thus the new entry should be inserted before that entry and not after.

Signed-off-by: Shlomo Pongratz &lt;shlomop@mellanox.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn.

Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparisson.

The routine iterates until it finds an entry whose serial number is greater than the serial number of
the new one, thus the new entry should be inserted before that entry and not after.

Signed-off-by: Shlomo Pongratz &lt;shlomop@mellanox.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Make buf param of iscsit_do_crypto_hash_buf() const void *</title>
<updated>2013-05-03T23:49:48+00:00</updated>
<author>
<name>Geert Uytterhoeven</name>
<email>geert@linux-m68k.org</email>
</author>
<published>2013-05-03T21:15:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=80690fdb959a652e02d4f40a684bd39586be9f32'/>
<id>80690fdb959a652e02d4f40a684bd39586be9f32</id>
<content type='text'>
Make the "buf" input param of iscsit_do_crypto_hash_buf() "const void *".
This allows to remove lots of casts in its callers.

Signed-off-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make the "buf" input param of iscsit_do_crypto_hash_buf() "const void *".
This allows to remove lots of casts in its callers.

Signed-off-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Fix NULL pointer dereference in iscsit_send_reject</title>
<updated>2013-05-03T23:46:41+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2013-05-03T23:46:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bfbdb31d41b3d868449de272da746d1c2d0b764e'/>
<id>bfbdb31d41b3d868449de272da746d1c2d0b764e</id>
<content type='text'>
Fix up a NULL pointer dereference regression in iscsit_send_reject()
introduced by from commit 2ec5a8c11.

Reported-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix up a NULL pointer dereference regression in iscsit_send_reject()
introduced by from commit 2ec5a8c11.

Reported-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iscsi-target: Add iser network portal attribute</title>
<updated>2013-04-25T08:05:28+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2013-03-07T06:20:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=72438cddd6d39b293dbc37836a4d3e691d26c356'/>
<id>72438cddd6d39b293dbc37836a4d3e691d26c356</id>
<content type='text'>
This patch adds a new network portal attribute for iser, that lives
under existing iscsi-target configfs layout at:

   /sys/kernel/config/target/iscsi/$TARGETNAME/$TPGT/np/$PORTAL/iser

When lio_target_np_store_iser() is enabled, iscsit_tpg_add_network_portal()
will attempt to start an rdma_cma network portal for iser-target, only if
the external ib_isert module transport has been loaded.

When disabled, iscsit_tpg_del_network_portal() will cease iser login service
on the network portal, and release any external ib_isert module reference.

v4 changes:

- Add request_module for ib_isert to lio_target_np_store_iser()

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds a new network portal attribute for iser, that lives
under existing iscsi-target configfs layout at:

   /sys/kernel/config/target/iscsi/$TARGETNAME/$TPGT/np/$PORTAL/iser

When lio_target_np_store_iser() is enabled, iscsit_tpg_add_network_portal()
will attempt to start an rdma_cma network portal for iser-target, only if
the external ib_isert module transport has been loaded.

When disabled, iscsit_tpg_del_network_portal() will cease iser login service
on the network portal, and release any external ib_isert module reference.

v4 changes:

- Add request_module for ib_isert to lio_target_np_store_iser()

Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
