Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2026-02-11T12:40:23+00:00 2026-02-11T12:40:23+00:00 Maurizio Lombardi mlombard@redhat.com 2026-01-12T16:53:51+00:00 urn:sha1:48fe983e92de2c59d143fe38362ad17ba23ec7f3 [ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete(). Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reported-by: Zhaojuan Guo <zguo@redhat.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-02-11T12:40:23+00:00 Maurizio Lombardi mlombard@redhat.com 2026-01-12T16:53:52+00:00 urn:sha1:41b86a9ec037bd3435d68dd3692f0891a207e7e7 [ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reported-by: Zhaojuan Guo <zguo@redhat.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-05-29T09:01:58+00:00 Dmitry Bogdanov d.bogdanov@yadro.com 2024-12-24T10:17:57+00:00 urn:sha1:87389bff743c55b6b85282de91109391f43e0814 [ Upstream commit 7f533cc5ee4c4436cee51dc58e81dfd9c3384418 ] NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod] call_timer_fn+0x58/0x1f0 run_timer_softirq+0x740/0x860 __do_softirq+0x16c/0x420 irq_exit+0x188/0x1c0 timer_interrupt+0x184/0x410 That is because nopin response timer may be re-started on nopin timer expiration. Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started. Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> Link: https://lore.kernel.org/r/20241224101757.32300-1-d.bogdanov@yadro.com Reviewed-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-10-02T21:23:23+00:00 Al Viro viro@zeniv.linux.org.uk 2024-10-01T19:35:57+00:00 urn:sha1:5f60d5f6bbc12e782fac78110b0ee62698f3b576 asm/unaligned.h is always an include of asm-generic/unaligned.h; might as well move that thing to linux/unaligned.h and include that - there's nothing arch-specific in that header. auto-generated by the following: for i in `git grep -l -w asm/unaligned.h`; do sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i done for i in `git grep -l -w asm-generic/unaligned.h`; do sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i done git mv include/asm-generic/unaligned.h include/linux/unaligned.h git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h 2024-08-23T01:15:21+00:00 Yue Haibing yuehaibing@huawei.com 2024-08-10T09:34:37+00:00 urn:sha1:3c9265ed191d34349889ee426ed4a2394ba4a77b Commit 13247018d68f ("scsi: target: iscsi: Fix hang in the iSCSI login code") removed iscsi_handle_login_thread_timeout() but left declaration. Commit 3e1c81a95f0d ("iscsi-target: Refactor RX PDU logic + export request PDU handling") left iscsi_target_get_initial_payload() declaration. Commit d703ce2f7f4d ("iscsi/iser-target: Convert to command priv_size usage") remove iscsit_alloc_cmd() but left declaration. And finally, a few other declarations were never implenmented since introduction in commit e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1"). Signed-off-by: Yue Haibing <yuehaibing@huawei.com> Link: https://lore.kernel.org/r/20240810093437.2586476-1-yuehaibing@huawei.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2024-03-10T22:01:34+00:00 Colin Ian King colin.i.king@gmail.com 2024-03-07T10:45:53+00:00 urn:sha1:99cfb212ef4d04515efcd88fd05cd9cdff4f9542 The variable 'xfer_len' is being initialized and incremented but it is never actually referenced in any other way. The variable is redundant and can be removed. Cleans up clang scan build warning: drivers/target/iscsi/iscsi_target_erl1.c:586:45: warning: variable 'xfer_len' set but not used [-Wunused-but-set-variable] Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20240307104553.1980860-1-colin.i.king@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2023-10-13T19:56:37+00:00 Martin K. Petersen martin.petersen@oracle.com 2023-10-13T19:56:37+00:00 urn:sha1:1caddfc5816e4bf55cf7962775e6ed509ddfdf9b Mike Christie <michael.christie@oracle.com> says: The following patches were made over Linus's tree but apply over Martin's branches. They allow userspace to configure how fabric drivers submit cmds to backend drivers. Right now loop and vhost use a worker thread, and the other drivers submit from the contexts they receive/process the cmd from. For multiple LUN cases where the target can queue more cmds than the backend can handle then deferring to a worker thread is safest because the backend driver can block when doing things like waiting for a free request/tag. Deferring also helps when the target has to handle transport level requests from the recv context. For cases where the backend devices can queue everything the target sends, then there is no need to defer to a workqueue and you can see a perf boost of up to 26% for small IO workloads. For a nvme device and vhost-scsi I can see with 4K IOs: fio jobs 1 2 4 8 10 -------------------------------------------------- workqueue submit 94K 190K 394K 770K 890K direct submit 128K 252K 488K 950K - Link: https://lore.kernel.org/r/1b1f7a5c-0988-45f9-b103-dfed2c0405b1@oracle.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2023-10-13T19:53:58+00:00 Mike Christie michael.christie@oracle.com 2023-09-28T02:09:04+00:00 urn:sha1:428926796e7f3b2eb57b1d4886334d2f5abb35fa Move the code from transport_handle_cdb_direct() to target_submit() and have iSCSI call target_submit(). Signed-off-by: Mike Christie <michael.christie@oracle.com> Link: https://lore.kernel.org/r/20230928020907.5730-5-michael.christie@oracle.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2023-10-13T19:53:57+00:00 Mike Christie michael.christie@oracle.com 2023-09-28T02:09:02+00:00 urn:sha1:ee48345e1ccaaa7a9f0a8b34c694a68286ac78fa Move core_alua_check_nonop_delay() to transport_handle_cdb_direct() so the iSCSI target driver doesn't have to call as many core functions directly. We will eventually merge transport_handle_cdb_direct and target_submit so iSCSI and the other drivers call a common function. It will also be helpful as preparation for future changes which allow the iSCSI target to defer command submission to the LIO submission workqueue, because we will have a common submission function for that which will be based on transport_handle_cdb_direct()/target_submit(). Signed-off-by: Mike Christie <michael.christie@oracle.com> Link: https://lore.kernel.org/r/20230928020907.5730-3-michael.christie@oracle.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2023-10-13T19:53:57+00:00 Mike Christie michael.christie@oracle.com 2023-09-28T02:09:01+00:00 urn:sha1:194605d45dcb511983caca699d81855693b25fe0 In some cases, like with multiple LUN targets or where the target has to respond to transport level requests from the receiving context it can be better to defer cmd submission to a helper thread. If the backend driver blocks on something like request/tag allocation it can block the entire target submission path and other LUs and transport IO on that session. In other cases like single LUN targets with storage that can support all the commands that the target can queue, then it's best to submit the cmd to the backend from the target's cmd receiving context. Subsequent commits will allow the user to config what they prefer, but drivers like loop can't directly submit because they can be called from a context that can't sleep. And, drivers like vhost-scsi can support direct submission, but need to keep their default behavior of deferring execution to avoid possible regressions where the backend can block. Make the drivers tell LIO core if they support direct submissions and their current default, so we can prevent users from misconfiguring the system and initialize devices correctly. Signed-off-by: Mike Christie <michael.christie@oracle.com> Link: https://lore.kernel.org/r/20230928020907.5730-2-michael.christie@oracle.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>