Skip to content

L
linux
Switch branch/tag
  1. 31 May, 2013 4 commits
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iscsit_free_cmd() se_cmd->cmd_kref shutdown handling · aafc9d15
      Nicholas Bellinger authored 
      With the introduction of target_get_sess_cmd() referencing counting for
ISCSI_OP_SCSI_CMD processing with iser-target, iscsit_free_cmd() usage
in traditional iscsi-target driver code now needs to be aware of the
active I/O shutdown case when a remaining se_cmd->cmd_kref reference may
exist after transport_generic_free_cmd() completes, requiring a final
target_put_sess_cmd() to release iscsi_cmd descriptor memory.

This patch changes iscsit_free_cmd() to invoke __iscsit_free_cmd() before
transport_generic_free_cmd() -> target_put_sess_cmd(), and also avoids
aquiring the per-connection queue locks for typical fast-path calls
during normal ISTATE_REMOVE operation.

Also update iscsit_free_cmd() usage throughout iscsi-target to
use the new 'bool shutdown' parameter.

This patch fixes a regression bug introduced during v3.10-rc1 in
commit 3e1c81a9, that was causing the following WARNING to appear:

[  257.235153] ------------[ cut here]------------
[  257.240314] WARNING: at kernel/softirq.c:160 local_bh_enable_ip+0x3c/0x86()
[  257.248089] Modules linked in: vhost_scsi ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx tcm_loop
	tcm_fc libfc iscsi_target_mod target_core_pscsi target_core_file
	target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp
	libiscsi scsi_transport_iscsi loop acpi_cpufreq freq_table mperf
	kvm_intel kvm crc32c_intel button ehci_pci pcspkr joydev i2c_i801
	microcode ext3 jbd raid10 raid456 async_pq async_xor xor async_memcpy
	async_raid6_recov raid6_pq async_tx raid1 raid0 linear igb hwmon
	i2c_algo_bit i2c_core ptp ata_piix libata qla2xxx uhci_hcd ehci_hcd
	mlx4_core scsi_transport_fc scsi_tgt pps_core
[  257.308748] CPU: 1 PID: 3295 Comm: iscsi_ttx Not tainted 3.10.0-rc2+ #103
[  257.316329] Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.00.0057.031020111721 03/10/2011
[  257.327597]  ffffffff814c24b7 ffff880458331b58 ffffffff8138eef2 ffff880458331b98
[  257.335892]  ffffffff8102c052 ffff880400000008 0000000000000000 ffff88085bdf0000
[  257.344191]  ffff88085bdf00d8 ffff88085bdf00e0 ffff88085bdf00f8 ffff880458331ba8
[  257.352488] Call Trace:
[  257.355223]  [<ffffffff8138eef2>] dump_stack+0x19/0x1f
[  257.360963]  [<ffffffff8102c052>] warn_slowpath_common+0x62/0x7b
[  257.367669]  [<ffffffff8102c080>] warn_slowpath_null+0x15/0x17
[  257.374181]  [<ffffffff81032345>] local_bh_enable_ip+0x3c/0x86
[  257.380697]  [<ffffffff813917fd>] _raw_spin_unlock_bh+0x10/0x12
[  257.387311]  [<ffffffffa029069c>] iscsit_free_r2ts_from_list+0x5e/0x67 [iscsi_target_mod]
[  257.396438]  [<ffffffffa02906c5>] iscsit_release_cmd+0x20/0x223 [iscsi_target_mod]
[  257.404893]  [<ffffffffa02977a4>] lio_release_cmd+0x3a/0x3e [iscsi_target_mod]
[  257.412964]  [<ffffffffa01d59a1>] target_release_cmd_kref+0x7a/0x7c [target_core_mod]
[  257.421712]  [<ffffffffa01d69bc>] target_put_sess_cmd+0x5f/0x7f [target_core_mod]
[  257.430071]  [<ffffffffa01d6d6d>] transport_release_cmd+0x59/0x6f [target_core_mod]
[  257.438625]  [<ffffffffa01d6eb4>] transport_put_cmd+0x131/0x140 [target_core_mod]
[  257.446985]  [<ffffffffa01d6192>] ? transport_wait_for_tasks+0xfa/0x1d5 [target_core_mod]
[  257.456121]  [<ffffffffa01d6f11>] transport_generic_free_cmd+0x4e/0x52 [target_core_mod]
[  257.465159]  [<ffffffff81050537>] ? __migrate_task+0x110/0x110
[  257.471674]  [<ffffffffa02904ba>] iscsit_free_cmd+0x46/0x55 [iscsi_target_mod]
[  257.479741]  [<ffffffffa0291edb>] iscsit_immediate_queue+0x301/0x353 [iscsi_target_mod]
[  257.488683]  [<ffffffffa0292f7e>] iscsi_target_tx_thread+0x1c6/0x2a8 [iscsi_target_mod]
[  257.497623]  [<ffffffff81047486>] ? wake_up_bit+0x25/0x25
[  257.503652]  [<ffffffffa0292db8>] ? iscsit_ack_from_expstatsn+0xd5/0xd5 [iscsi_target_mod]
[  257.512882]  [<ffffffff81046f89>] kthread+0xb0/0xb8
[  257.518329]  [<ffffffff81046ed9>] ? kthread_freezable_should_stop+0x60/0x60
[  257.526105]  [<ffffffff81396fec>] ret_from_fork+0x7c/0xb0
[  257.532133]  [<ffffffff81046ed9>] ? kthread_freezable_should_stop+0x60/0x60
[  257.539906] ---[ end trace 5520397d0f2e0800 ]---
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      aafc9d15
    • Nicholas Bellinger's avatar
      target: Propigate up ->cmd_kref put return via transport_generic_free_cmd · d5ddad41
      Nicholas Bellinger authored 
      Go ahead and propigate up the ->cmd_kref put return value from
target_put_sess_cmd() -> transport_release_cmd() -> transport_put_cmd()
-> transport_generic_free_cmd().

This is useful for certain fabrics when determining the active I/O
shutdown case with SCF_ACK_KREF where a final target_put_sess_cmd()
is still required by the caller.
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      d5ddad41
    • Kees Cook's avatar
      iscsi-target: fix heap buffer overflow on error · cea4dcfd
      Kees Cook authored 
      If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.

Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.

CVE-2013-2850
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      cea4dcfd
    • Nicholas Bellinger's avatar
      target/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export · 21363ca8
      Nicholas Bellinger authored 
      This patch fixes a bug where FILEIO was incorrectly reporting the number
of logical blocks (+ 1) when using non struct block_device export mode.

It changes fd_get_blocks() to follow all other backend ->get_blocks() cases,
and reduces the calculated dev_size by one dev->dev_attrib.block_size
number of bytes, and also fixes initial fd_block_size assignment at
fd_configure_device() time introduced in commit 0fd97ccf.
Reported-by: default avatarWenchao Xia <xiawenc@linux.vnet.ibm.com>
Reported-by: default avatarBadari Pulavarty <pbadari@us.ibm.com>
Tested-by: default avatarBadari Pulavarty <pbadari@us.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      21363ca8
  3. 30 May, 2013 2 commits
    • Nicholas Bellinger's avatar
      ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session · 1d19f780
      Nicholas Bellinger authored 
      Given that srpt_release_channel_work() calls target_wait_for_sess_cmds()
to allow outstanding se_cmd_t->cmd_kref a change to complete, the call
to perform target_sess_cmd_list_set_waiting() needs to happen in
srpt_shutdown_session()

Also, this patch adds an explicit call to srpt_shutdown_session() within
srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be
called in the cases where TFO->shutdown_session() is not triggered
directly by TCM.

Cc: Joern Engel <joern@logfs.org>
Cc: Roland Dreier <roland@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      1d19f780
    • Nicholas Bellinger's avatar
      target: Re-instate sess_wait_list for target_wait_for_sess_cmds · 9b31a328
      Nicholas Bellinger authored 
      Switch back to pre commit 1c7b13fe list splicing logic for active I/O
shutdown with tcm_qla2xxx + ib_srpt fabrics.

The original commit was done under the incorrect assumption that it's safe to
walk se_sess->sess_cmd_list unprotected in target_wait_for_sess_cmds() after
sess->sess_tearing_down = 1 has been set by target_sess_cmd_list_set_waiting()
during session shutdown.

So instead of adding sess->sess_cmd_lock protection around sess->sess_cmd_list
during target_wait_for_sess_cmds(), switch back to sess->sess_wait_list to
allow wait_for_completion() + TFO->release_cmd() to occur without having to
walk ->sess_cmd_list after the list_splice.

Also add a check to exit if target_sess_cmd_list_set_waiting() has already
been called, and add a WARN_ON to check for any fabric bug where new se_cmds
are added to sess->sess_cmd_list after sess->sess_tearing_down = 1 has already
been set.

Cc: Joern Engel <joern@logfs.org>
Cc: Roland Dreier <roland@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      9b31a328
  5. 21 May, 2013 1 commit
  7. 20 May, 2013 10 commits
  9. 19 May, 2013 3 commits
  11. 18 May, 2013 20 commits
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7