kernel/linux.git/drivers/target, branch v3.15.2

iscsi-target: Reject mutual authentication with reflected CHAP_C

2014-06-26T19:17:32+00:00

commit 1d2b60a5545942b1376cb48c1d55843d71e3a08f upstream. This patch adds an explicit check in chap_server_compute_md5() to ensure the CHAP_C value received from the initiator during mutual authentication does not match the original CHAP_C provided by the target. This is in line with RFC-3720, section 8.2.1: Originators MUST NOT reuse the CHAP challenge sent by the Responder for the other direction of a bidirectional authentication. Responders MUST check for this condition and close the iSCSI TCP connection if it occurs. Reported-by: Tejas Vaykole Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd

2014-06-26T19:17:32+00:00

commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream. This patch fixes a NULL pointer dereference regression bug that was introduced with: commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c Author: Mikulas Patocka Date: Sat May 17 06:49:22 2014 -0400 target: fix memory leak on XCOPY Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is called with a valid se_cmd->cmd_kref, a NULL pointer dereference is triggered because the XCOPY passthrough commands don't have an associated se_session pointer. To address this bug, go ahead and checking for a NULL se_sess pointer within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd() to release the XCOPY's xcopy_pt_cmd memory. Reported-by: Thomas Glanzmann Cc: Thomas Glanzmann Cc: Mikulas Patocka Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman

target: Fix alua_access_state attribute OOPs for un-configured devices

2014-06-06T08:22:41+00:00

This patch fixes a OOPs where an attempt to write to the per-device alua_access_state configfs attribute at: /sys/kernel/config/target/core/$HBA/$DEV/alua/$TG_PT_GP/alua_access_state results in an NULL pointer dereference when the backend device has not yet been configured. This patch adds an explicit check for DF_CONFIGURED, and fails with -ENODEV to avoid this case. Reported-by: Chris Boot Reported-by: Philip Gaw Cc: Chris Boot Cc: Philip Gaw Cc: stable@vger.kernel.org # 3.8+ Signed-off-by: Nicholas Bellinger

target: Allow READ_CAPACITY opcode in ALUA Standby access state

2014-06-06T08:21:12+00:00

This patch allows READ_CAPACITY + SAI_READ_CAPACITY_16 opcode processing to occur while the associated ALUA group is in Standby access state. This is required to avoid host side LUN probe failures during the initial scan if an ALUA group has already implicitly changed into Standby access state. This addresses a bug reported by Chris + Philip using dm-multipath + ESX hosts configured with ALUA multipath. Reported-by: Chris Boot Reported-by: Philip Gaw Cc: Chris Boot Cc: Philip Gaw Cc: Hannes Reinecke Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger

iser-target: Fix multi network portal shutdown regression

2014-06-04T02:17:32+00:00

This patch fixes a iser-target specific regression introduced in v3.15-rc6 with: commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a Author: Sagi Grimberg Date: Tue Apr 29 13:13:47 2014 +0300 Target/iscsi,iser: Avoid accepting transport connections during stop stage where the change to set iscsi_np->enabled = false within iscsit_clear_tpg_np_login_thread() meant that a iscsi_np with two iscsi_tpg_np exports would have it's parent iscsi_np set to a disabled state, even if other iscsi_tpg_np exports still existed. This patch changes iscsit_clear_tpg_np_login_thread() to only set iscsi_np->enabled = false when shutdown = true, and also changes iscsit_del_np() to set iscsi_np->enabled = true when iscsi_np->np_exports is non zero. Cc: Sagi Grimberg Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger

iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value()

2014-06-04T02:17:31+00:00

In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls iscsi_change_param_value() with the buffer it uses to hold the login PDU, not a temporary buffer. This leads to the login header getting corrupted and login failing for non-leading connections in MC/S. Fix this by adding a wrapper iscsi_change_param_sprintf() that handles the temporary buffer itself to avoid confusion. Also handle sending a reject in case of failure in the wrapper, which lets the calling code get quite a bit smaller and easier to read. Finally, bump the size of the temporary buffer from 32 to 64 bytes to be safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't the default but we don't need to run right at the ragged edge here) Reported-by: Santosh Kulkarni Signed-off-by: Roland Dreier Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger

target: fix memory leak on XCOPY

2014-05-17T22:49:40+00:00

On each processed XCOPY command, two "kmalloc-512" memory objects are leaked. These represent two allocations of struct xcopy_pt_cmd in target_core_xcopy.c. The reason for the memory leak is that the cmd_kref field is not initialized (thus, it is zero because the allocations were done with kzalloc). When we decrement zero kref in target_put_sess_cmd, the result is not zero, thus target_release_cmd_kref is not called. This patch fixes the bug by moving kref initialization from target_get_sess_cmd to transport_init_se_cmd (this function is called from target_core_xcopy.c, so it will correctly initialize cmd_kref). It can be easily verified that all code that calls target_get_sess_cmd also calls transport_init_se_cmd earlier, thus moving kref_init shouldn't introduce any new problems. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Nicholas Bellinger

target: Don't allow setting WC emulation if device doesn't support

2014-05-16T00:09:17+00:00

Just like for pSCSI, if the transport sets get_write_cache, then it is not valid to enable write cache emulation for it. Return an error. see https://bugzilla.redhat.com/show_bug.cgi?id=1082675 Reviewed-by: Chris Leech Signed-off-by: Andy Grover Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger

iscsi-target: Disable Immediate + Unsolicited Data with ISER Protection

2014-05-16T00:09:12+00:00

This patch explicitly disables Immediate + Unsolicited Data for ISER connections during login in iscsi_login_zero_tsih_s2() when protection has been enabled for the session by the underlying hardware. This is currently required because protection / signature memory regions (MRs) expect T10 PI to occur on RDMA READs + RDMA WRITEs transfers, and not on a immediate data payload associated with ISCSI_OP_SCSI_CMD, or unsolicited data-out associated with a ISCSI_OP_SCSI_DATA_OUT. v2 changes: - Add TARGET_PROT_DOUT_INSERT check (Sagi) - Add pr_debug noisemaker (Sagi) - Add goto to avoid early return from MRDSL check (nab) Cc: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger

tcm_fc: Fix free-after-use regression in ft_free_cmd

2014-05-16T00:09:12+00:00

This patch fixes a free-after-use regression in ft_free_cmd(), where ft_sess_put() is called with cmd->sess after percpu_ida_free() has already released the tag. Fix this bug by saving the ft_sess pointer ahead of percpu_ida_free(), and pass it directly to ft_sess_put(). The regression was originally introduced in v3.13-rc1 commit: commit 5f544cfac956971099e906f94568bc3fd1a7108a Author: Nicholas Bellinger Date: Mon Sep 23 12:12:42 2013 -0700 tcm_fc: Convert to per-cpu command map pre-allocation of ft_cmd Reported-by: Jun Wu Cc: Mark Rustad Cc: Robert Love Cc: #3.13+ Signed-off-by: Nicholas Bellinger