1. 06 Mar, 2016 4 commits
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active I/O handling for ACK_KREF · 3286a2fe
      Nicholas Bellinger authored
      commit febe562c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3286a2fe
    • Jan Engelhardt's avatar
      target: fix COMPARE_AND_WRITE non zero SGL offset data corruption · 7a290324
      Jan Engelhardt authored
      [ Upstream commit d94e5a61 ]
      
      target_core_sbc's compare_and_write functionality suffers from taking
      data at the wrong memory location when writing a CAW request to disk
      when a SGL offset is non-zero.
      
      This can happen with loopback and vhost-scsi fabric drivers when
      SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is used to map existing user-space
      SGL memory into COMPARE_AND_WRITE READ/WRITE payload buffers.
      
      Given the following sample LIO subtopology,
      
      % targetcli ls /loopback/
      o- loopback ................................. [1 Target]
        o- naa.6001405ebb8df14a ....... [naa.60014059143ed2b3]
          o- luns ................................... [2 LUNs]
            o- lun0 ................ [iblock/ram0 (/dev/ram0)]
            o- lun1 ................ [iblock/ram1 (/dev/ram1)]
      % lsscsi -g
      [3:0:1:0]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdc   /dev/sg3
      [3:0:1:1]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdd   /dev/sg4
      
      the following bug can be observed in Linux 4.3 and 4.4~rc1:
      
      % perl -e 'print chr$_ for 0..255,reverse 0..255' >rand
      % perl -e 'print "\0" x 512' >zero
      % cat rand >/dev/sdd
      % sg_compare_and_write -i rand -D zero --lba 0 /dev/sdd
      % sg_compare_and_write -i zero -D rand --lba 0 /dev/sdd
      Miscompare reported
      % hexdump -Cn 512 /dev/sdd
      00000000  0f 0e 0d 0c 0b 0a 09 08  07 06 05 04 03 02 01 00
      00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
      *
      00000200
      
      Rather than writing all-zeroes as instructed with the -D file, it
      corrupts the data in the sector by splicing some of the original
      bytes in. The page of the first entry of cmd->t_data_sg includes the
      CDB, and sg->offset is set to a position past the CDB. I presume that
      sg->offset is also the right choice to use for subsequent sglist
      members.
      Signed-off-by: default avatarJan Engelhardt <jengelh@netitwork.de>
      Tested-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7a290324
    • Nicholas Bellinger's avatar
      target: Fix race for SCF_COMPARE_AND_WRITE_POST checking · 5dd73bb3
      Nicholas Bellinger authored
      [ Upstream commit 057085e5 ]
      
      This patch addresses a race + use after free where the first
      stage of COMPARE_AND_WRITE in compare_and_write_callback()
      is rescheduled after the backend sends the secondary WRITE,
      resulting in second stage compare_and_write_post() callback
      completing in target_complete_ok_work() before the first
      can return.
      
      Because current code depends on checking se_cmd->se_cmd_flags
      after return from se_cmd->transport_complete_callback(),
      this results in first stage having SCF_COMPARE_AND_WRITE_POST
      set, which incorrectly falls through into second stage CAW
      processing code, eventually triggering a NULL pointer
      dereference due to use after free.
      
      To address this bug, pass in a new *post_ret parameter into
      se_cmd->transport_complete_callback(), and depend upon this
      value instead of ->se_cmd_flags to determine when to return
      or fall through into ->queue_status() code for CAW.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5dd73bb3
    • Nicholas Bellinger's avatar
      iscsi-target: Fix rx_login_comp hang after login failure · 4b4bc57a
      Nicholas Bellinger authored
      [ Upstream commit ca82c2bd ]
      
      This patch addresses a case where iscsi_target_do_tx_login_io()
      fails sending the last login response PDU, after the RX/TX
      threads have already been started.
      
      The case centers around iscsi_target_rx_thread() not invoking
      allow_signal(SIGINT) before the send_sig(SIGINT, ...) occurs
      from the failure path, resulting in RX thread hanging
      indefinately on iscsi_conn->rx_login_comp.
      
      Note this bug is a regression introduced by:
      
        commit e5419865
        Author: Nicholas Bellinger <nab@linux-iscsi.org>
        Date:   Wed Jul 22 23:14:19 2015 -0700
      
            iscsi-target: Fix iscsit_start_kthreads failure OOPs
      
      To address this bug, complete ->rx_login_complete for good
      measure in the failure path, and immediately return from
      RX thread context if connection state did not actually reach
      full feature phase (TARG_CONN_STATE_LOGGED_IN).
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: <stable@vger.kernel.org> # v3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4b4bc57a
  2. 04 Mar, 2016 36 commits