linux/drivers/target, branch v3.4.48

iscsi-target: fix heap buffer overflow on error

2013-06-07T19:49:29Z

commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream. If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

iscsi-target: Fix processing of OOO commands

2013-05-19T17:54:49Z

commit 3eccfdb01da58fbd0f789ae6ca61cee3769e26de upstream. Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn. Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparisson. The routine iterates until it finds an entry whose serial number is greater than the serial number of the new one, thus the new entry should be inserted before that entry and not after. Signed-off-by: Shlomo Pongratz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Fix incorrect fallthrough of ALUA Standby/Offline/Transition CDBs

2013-04-17T04:27:26Z

commit 30f359a6f9da65a66de8cadf959f0f4a0d498bba upstream. This patch fixes a bug where a handful of informational / control CDBs that should be allowed during ALUA access state Standby/Offline/Transition where incorrectly returning CHECK_CONDITION + ASCQ_04H_ALUA_TG_PT_*. This includes INQUIRY + REPORT_LUNS, which would end up preventing LUN registration when LUN scanning occured during these ALUA access states. Signed-off-by: Nicholas Bellinger Cc: Hannes Reinecke Signed-off-by: Greg Kroah-Hartman

target/iscsi: Fix mutual CHAP auth on big-endian arches

2013-03-28T19:12:13Z

commit 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 upstream. See https://bugzilla.redhat.com/show_bug.cgi?id=916290 Used a temp var since we take its address in sg_init_one. Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target/pscsi: Fix page increment

2013-03-14T18:29:42Z

commit 472b72f2db7831d7dbe22ffdff4adee3bd49b05d upstream. The page++ is wrong. It makes bio_add_pc_page() pointing to a wrong page address if the 'while (len > 0 && data_len > 0) { ... }' loop is executed more than one once. Signed-off-by: Asias He Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Add missing mapped_lun bounds checking during make_mappedlun setup

2013-03-03T22:06:39Z

commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream. This patch adds missing bounds checking for the configfs provided mapped_lun value during target_fabric_make_mappedlun() setup ahead of se_lun_acl initialization. This addresses a potential OOPs when using a mapped_lun value that exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within se_node_acl->device_list[]. Reported-by: Jan Engelhardt Cc: Jan Engelhardt Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Fix lookup of dynamic NodeACLs during cached demo-mode operation

2013-03-03T22:06:39Z

commit fcf29481fb8e106daad6688f2e898226ee928992 upstream. This patch fixes a bug in core_tpg_check_initiator_node_acl() -> core_tpg_get_initiator_node_acl() where a dynamically created se_node_acl generated during session login would be skipped during subsequent lookup due to the '!acl->dynamic_node_acl' check, causing a new se_node_acl to be created with a duplicate ->initiatorname. This would occur when a fabric endpoint was configured with TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1 preventing the release of an existing se_node_acl during se_session shutdown. Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl() within core_dev_init_initiator_node_lun_acl() that originally required the extra '!acl->dynamic_node_acl' check, and just pass the configfs provided se_node_acl pointer instead. Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Fix divide by zero bug in fabric_max_sectors for unconfigured devices

2013-02-28T14:59:03Z

commit 7a3cf6ca1ab2a2f7161c6dec5a787fc7a5de864e upstream This patch fixes a possible divide by zero bug when the fabric_max_sectors device attribute is written and backend se_device failed to be successfully configured -> enabled. Go ahead and use block_size=512 within se_dev_set_fabric_max_sectors() in the event of a target_configure_device() failure case, as no valid dev->dev_attrib.block_size value will have been setup yet. Signed-off-by: Nicholas Bellinger Cc: Herton Ronaldo Krzesinski Signed-off-by: Greg Kroah-Hartman

target: fix regression with dev_link_magic in target_fabric_port_link

2013-02-04T00:24:42Z

This is to fix a regression that only affect the stable (not for the mainline) that the stable commit fdf9d86 was incorrectly placed dev->dev_link_magic check before the *dev assignment in target_fabric_port_link() due to fuzzy automatically context adjustment during the back-porting. Reported-by: Chris Boot Signed-off-by: Nicholas Bellinger Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman

target: Add link_magic for fabric allow_link destination target_items

2013-01-21T19:45:24Z

commit 0ff8754981261a80f4b77db2536dfea92c2d4539 upstream. This patch adds [dev,lun]_link_magic value assignment + checks within generic target_fabric_port_link() and target_fabric_mappedlun_link() code to ensure destination config_item *target_item sent from configfs_symlink() -> config_item_operations->allow_link() is the underlying se_device->dev_group and se_lun->lun_group that we expect to symlink. Reported-by: Sebastian Andrzej Siewior Cc: Sebastian Andrzej Siewior Signed-off-by: Nicholas Bellinger Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman