linux/drivers/target, branch v3.10.2

iscsi-target: Remove left over v3.10-rc debug printks

2013-06-20T23:47:41Z

Reported-by: Andy Grover Signed-off-by: Nicholas Bellinger

target/iscsi: Fix op=disable + error handling cases in np_store_iser

2013-06-20T23:47:32Z

Writing 0 when iser was not previously enabled, so succeed but do nothing so that user-space code doesn't need a try: catch block when ib_isert logic is not available. Also, return actual error from add_network_portal using PTR_ERR during op=enable failure. Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger

target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()

2013-06-14T07:55:49Z

Here is a fun one. Bug seems to have been introduced by commit 140854cb, almost two years ago. I have no idea why we only started seeing it now, but we did. Rough callgraph: core_tpg_set_initiator_node_queue_depth() `-> spin_lock_irqsave(&tpg->session_lock, flags); `-> lio_tpg_shutdown_session() `-> iscsit_stop_time2retain_timer() `-> spin_unlock_bh(&se_tpg->session_lock); `-> spin_lock_bh(&se_tpg->session_lock); `-> spin_unlock_irqrestore(&tpg->session_lock, flags); core_tpg_set_initiator_node_queue_depth() used to call spin_lock_bh(), but 140854cb changed that to spin_lock_irqsave(). However, lio_tpg_shutdown_session() still claims to be called with spin_lock_bh() held, as does iscsit_stop_time2retain_timer(): * Called with spin_lock_bh(&struct se_portal_group->session_lock) held Stale documentation is mostly annoying, but in this case the dropping the lock with the _bh variant is plain wrong. It is also wrong to drop locks two functions below the lock-holder, but I will ignore that bit for now. After some more locking and unlocking we eventually hit this backtrace: ------------[ cut here ]------------ WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0xe8/0x100() Pid: 24645, comm: lio_helper.py Tainted: G O 3.6.11+ Call Trace: [] warn_slowpath_common+0x7f/0xc0 [] ? iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod] [] warn_slowpath_null+0x1a/0x20 [] local_bh_enable_ip+0xe8/0x100 [] _raw_spin_unlock_bh+0x15/0x20 [] iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod] [] iscsit_stop_session+0xfa/0x1c0 [iscsi_target_mod] [] lio_tpg_shutdown_session+0x7b/0x90 [iscsi_target_mod] [] core_tpg_set_initiator_node_queue_depth+0xe4/0x290 [target_core_mod] [] iscsit_tpg_set_initiator_node_queue_depth+0x12/0x20 [iscsi_target_mod] [] lio_target_nacl_store_cmdsn_depth+0xa9/0x180 [iscsi_target_mod] [] target_fabric_nacl_base_attr_store+0x39/0x40 [target_core_mod] [] configfs_write_file+0xbd/0x120 [] vfs_write+0xc6/0x180 [] sys_write+0x51/0x90 [] system_call_fastpath+0x16/0x1b ---[ end trace 3747632b9b164652 ]--- As a pure band-aid, this patch drops the _bh. Signed-off-by: Joern Engel Cc: stable Signed-off-by: Nicholas Bellinger

iscsi-target: Fix iscsit_free_cmd() se_cmd->cmd_kref shutdown handling

2013-05-31T08:21:28Z

With the introduction of target_get_sess_cmd() referencing counting for ISCSI_OP_SCSI_CMD processing with iser-target, iscsit_free_cmd() usage in traditional iscsi-target driver code now needs to be aware of the active I/O shutdown case when a remaining se_cmd->cmd_kref reference may exist after transport_generic_free_cmd() completes, requiring a final target_put_sess_cmd() to release iscsi_cmd descriptor memory. This patch changes iscsit_free_cmd() to invoke __iscsit_free_cmd() before transport_generic_free_cmd() -> target_put_sess_cmd(), and also avoids aquiring the per-connection queue locks for typical fast-path calls during normal ISTATE_REMOVE operation. Also update iscsit_free_cmd() usage throughout iscsi-target to use the new 'bool shutdown' parameter. This patch fixes a regression bug introduced during v3.10-rc1 in commit 3e1c81a95, that was causing the following WARNING to appear: [ 257.235153] ------------[ cut here]------------ [ 257.240314] WARNING: at kernel/softirq.c:160 local_bh_enable_ip+0x3c/0x86() [ 257.248089] Modules linked in: vhost_scsi ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx tcm_loop tcm_fc libfc iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi loop acpi_cpufreq freq_table mperf kvm_intel kvm crc32c_intel button ehci_pci pcspkr joydev i2c_i801 microcode ext3 jbd raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx raid1 raid0 linear igb hwmon i2c_algo_bit i2c_core ptp ata_piix libata qla2xxx uhci_hcd ehci_hcd mlx4_core scsi_transport_fc scsi_tgt pps_core [ 257.308748] CPU: 1 PID: 3295 Comm: iscsi_ttx Not tainted 3.10.0-rc2+ #103 [ 257.316329] Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.00.0057.031020111721 03/10/2011 [ 257.327597] ffffffff814c24b7 ffff880458331b58 ffffffff8138eef2 ffff880458331b98 [ 257.335892] ffffffff8102c052 ffff880400000008 0000000000000000 ffff88085bdf0000 [ 257.344191] ffff88085bdf00d8 ffff88085bdf00e0 ffff88085bdf00f8 ffff880458331ba8 [ 257.352488] Call Trace: [ 257.355223] [] dump_stack+0x19/0x1f [ 257.360963] [] warn_slowpath_common+0x62/0x7b [ 257.367669] [] warn_slowpath_null+0x15/0x17 [ 257.374181] [] local_bh_enable_ip+0x3c/0x86 [ 257.380697] [] _raw_spin_unlock_bh+0x10/0x12 [ 257.387311] [] iscsit_free_r2ts_from_list+0x5e/0x67 [iscsi_target_mod] [ 257.396438] [] iscsit_release_cmd+0x20/0x223 [iscsi_target_mod] [ 257.404893] [] lio_release_cmd+0x3a/0x3e [iscsi_target_mod] [ 257.412964] [] target_release_cmd_kref+0x7a/0x7c [target_core_mod] [ 257.421712] [] target_put_sess_cmd+0x5f/0x7f [target_core_mod] [ 257.430071] [] transport_release_cmd+0x59/0x6f [target_core_mod] [ 257.438625] [] transport_put_cmd+0x131/0x140 [target_core_mod] [ 257.446985] [] ? transport_wait_for_tasks+0xfa/0x1d5 [target_core_mod] [ 257.456121] [] transport_generic_free_cmd+0x4e/0x52 [target_core_mod] [ 257.465159] [] ? __migrate_task+0x110/0x110 [ 257.471674] [] iscsit_free_cmd+0x46/0x55 [iscsi_target_mod] [ 257.479741] [] iscsit_immediate_queue+0x301/0x353 [iscsi_target_mod] [ 257.488683] [] iscsi_target_tx_thread+0x1c6/0x2a8 [iscsi_target_mod] [ 257.497623] [] ? wake_up_bit+0x25/0x25 [ 257.503652] [] ? iscsit_ack_from_expstatsn+0xd5/0xd5 [iscsi_target_mod] [ 257.512882] [] kthread+0xb0/0xb8 [ 257.518329] [] ? kthread_freezable_should_stop+0x60/0x60 [ 257.526105] [] ret_from_fork+0x7c/0xb0 [ 257.532133] [] ? kthread_freezable_should_stop+0x60/0x60 [ 257.539906] ---[ end trace 5520397d0f2e0800 ]--- Signed-off-by: Nicholas Bellinger

target: Propigate up ->cmd_kref put return via transport_generic_free_cmd

2013-05-31T08:21:23Z

Go ahead and propigate up the ->cmd_kref put return value from target_put_sess_cmd() -> transport_release_cmd() -> transport_put_cmd() -> transport_generic_free_cmd(). This is useful for certain fabrics when determining the active I/O shutdown case with SCF_ACK_KREF where a final target_put_sess_cmd() is still required by the caller. Signed-off-by: Nicholas Bellinger

iscsi-target: fix heap buffer overflow on error

2013-05-31T01:07:54Z

If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger

target/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export

2013-05-31T00:46:27Z

This patch fixes a bug where FILEIO was incorrectly reporting the number of logical blocks (+ 1) when using non struct block_device export mode. It changes fd_get_blocks() to follow all other backend ->get_blocks() cases, and reduces the calculated dev_size by one dev->dev_attrib.block_size number of bytes, and also fixes initial fd_block_size assignment at fd_configure_device() time introduced in commit 0fd97ccf4. Reported-by: Wenchao Xia Reported-by: Badari Pulavarty Tested-by: Badari Pulavarty Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger

target: Re-instate sess_wait_list for target_wait_for_sess_cmds

2013-05-30T04:30:33Z

Switch back to pre commit 1c7b13fe652 list splicing logic for active I/O shutdown with tcm_qla2xxx + ib_srpt fabrics. The original commit was done under the incorrect assumption that it's safe to walk se_sess->sess_cmd_list unprotected in target_wait_for_sess_cmds() after sess->sess_tearing_down = 1 has been set by target_sess_cmd_list_set_waiting() during session shutdown. So instead of adding sess->sess_cmd_lock protection around sess->sess_cmd_list during target_wait_for_sess_cmds(), switch back to sess->sess_wait_list to allow wait_for_completion() + TFO->release_cmd() to occur without having to walk ->sess_cmd_list after the list_splice. Also add a check to exit if target_sess_cmd_list_set_waiting() has already been called, and add a WARN_ON to check for any fabric bug where new se_cmds are added to sess->sess_cmd_list after sess->sess_tearing_down = 1 has already been set. Cc: Joern Engel Cc: Roland Dreier Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger

target: Remove unused wait_for_tasks bit in target_wait_for_sess_cmds

2013-05-21T04:44:10Z

Drop unused transport_wait_for_tasks() check in target_wait_for_sess_cmds shutdown code, and convert tcm_qla2xxx + ib_srpt fabric drivers. Cc: Joern Engel Cc: Roland Dreier Signed-off-by: Nicholas Bellinger

Merge branch 'queue' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending

2013-05-16T14:55:07Z

Pull target fixes from Nicholas Bellinger: "A handful of fixes + minor changes this time around, along with one important >= v3.9 regression fix for IBLOCK backends. The highlights include: - Use FD_MAX_SECTORS in FILEIO for block_device as well as files (agrover) - Fix processing of out-of-order CmdSNs with iSBD driver (shlomo) - Close long-standing target_put_sess_cmd() vs. core_tmr_abort_task() race with the addition of kref_put_spinlock_irqsave() (joern + greg-kh) - Fix IBLOCK WCE=1 + DPOFUA=1 backend WRITE regression in >= v3.9 (nab + bootc) Note these four patches are CC'ed to stable. Also, there is still some work left to be done on the active I/O shutdown path in target_wait_for_sess_cmds() used by tcm_qla2xxx + ib_isert fabrics that is still being discussed on the list, and will hopefully be resolved soon." * 'queue' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: close target_put_sess_cmd() vs. core_tmr_abort_task() race target: removed unused transport_state flag target/iblock: Fix WCE=1 + DPOFUA=1 backend WRITE regression MAINTAINERS: Update target git tree URL iscsi-target: Fix typos in RDMAEXTENSIONS macro usage target/rd: Add ramdisk bit for NULLIO operation iscsi-target: Fix processing of OOO commands iscsi-target: Make buf param of iscsit_do_crypto_hash_buf() const void * iscsi-target: Fix NULL pointer dereference in iscsit_send_reject target: Have dev/enable show if TCM device is configured target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio target: Remove unused struct members in se_dev_entry