summaryrefslogtreecommitdiff
path: root/drivers/target/iscsi
AgeCommit message (Collapse)AuthorFilesLines
2015-01-10iscsi-target: Fix typos in enum cmd_flags_tableAndy Grover2-8/+8
Everything else starts with ICF so the last two should as well. Fix places they are used to match. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-21Merge tag 'scsi-for-linus' of ↵Linus Torvalds1-7/+7
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI update from James Bottomley: "This is a much shorter set of patches that were on the go but didn't make it in to the early pull request for the merge window. It's really a set of bug fixes plus some final cleanup work on the new tag queue API" * tag 'scsi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: storvsc: ring buffer failures may result in I/O freeze ipr: set scsi_level correctly for disk arrays ipr: add support for async scanning to speed up boot scsi_debug: fix missing "break;" in SDEBUG_UA_CAPACITY_CHANGED case scsi_debug: take sdebug_host_list_lock when changing capacity scsi_debug: improve driver description in Kconfig scsi_debug: fix compare and write errors qla2xxx: fix race in handling rport deletion during recovery causes panic scsi: blacklist RSOC for Microsoft iSCSI target devices scsi: fix random memory corruption with scsi-mq + T10 PI Revert "[SCSI] mpt3sas: Remove phys on topology change" Revert "[SCSI] mpt2sas: Remove phys on topology change." esas2r: Correct typos of "validate" in a comment fc: FCP_PTA_SIMPLE is 0 ibmvfc: remove unused tag variable scsi: remove MSG_*_TAG defines scsi: remove scsi_set_tag_type scsi: remove scsi_get_tag_type scsi: never drop to untagged mode during queue ramp down scsi: remove ->change_queue_type method
2014-12-20Merge branch 'for-next' of ↵Linus Torvalds6-22/+21
git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending Pull SCSI target fixes from Nicholas Bellinger: "The highlights this merge window include: - Allow target fabric drivers to function as built-in. (Roland) - Fix tcm_loop multi-TPG endpoint nexus bug. (Hannes) - Move per device config_item_type into se_subsystem_api, allowing configfs attributes to be defined at module_init time. (Jerome + nab) - Convert existing IBLOCK/FILEIO/RAMDISK/PSCSI/TCMU drivers to use external configfs attributes. (nab) - A number of iser-target fixes related to active session + network portal shutdown stability during extended stress testing. (Sagi + Slava) - Dynamic allocation of T10-PI contexts for iser-target, fixing a potentially bogus iscsi_np->tpg_np pointer reference in >= v3.14 code. (Sagi) - iser-target performance + scalability improvements. (Sagi) - Fixes for SPC-4 Persistent Reservation AllRegistrants spec compliance. (Ilias + James + nab) - Avoid potential short kern_sendmsg() in iscsi-target for now until Al's conversion to use msghdr iteration is merged post -rc1. (Viro) Also, Sagi has requested a number of iser-target patches (9) that address stability issues he's encountered during extended stress testing be considered for v3.10.y + v3.14.y code. Given the amount of LOC involved, it will certainly require extra backporting effort. Apologies in advance to Greg-KH & Co on this. Sagi and I will be working post-merge to ensure they each get applied correctly" * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (53 commits) target: Allow AllRegistrants to re-RESERVE existing reservation uapi/linux/target_core_user.h: fix headers_install.sh badness iscsi-target: Fail connection on short sendmsg writes iscsi-target: nullify session in failed login sequence target: Avoid dropping AllRegistrants reservation during unregister target: Fix R_HOLDER bit usage for AllRegistrants iscsi-target: Drop left-over bogus iscsi_np->tpg_np iser-target: Fix wc->wr_id cast warning iser-target: Remove code duplication iser-target: Adjust log levels and prettify some prints iser-target: Use debug_level parameter to control logging level iser-target: Fix logout sequence iser-target: Don't wait for session commands from completion context iser-target: Reduce CQ lock contention by batch polling iser-target: Introduce isert_poll_budget iser-target: Remove an atomic operation from the IO path iser-target: Remove redundant call to isert_conn_terminate iser-target: Use single CQ for TX and RX iser-target: Centralize completion elements to a context iser-target: Cast wr_id with uintptr_t instead of unsinged long ...
2014-12-18Merge remote-tracking branch 'scsi-queue/drivers-for-3.19' into for-linusJames Bottomley1-7/+7
2014-12-16iscsi-target: Fail connection on short sendmsg writesNicholas Bellinger1-15/+11
This patch changes iscsit_do_tx_data() to fail on short writes when kernel_sendmsg() returns a value different than requested transfer length, returning -EPIPE and thus causing a connection reset to occur. This avoids a potential bug in the original code where a short write would result in kernel_sendmsg() being called again with the original iovec base + length. In practice this has not been an issue because iscsit_do_tx_data() is only used for transferring 48 byte headers + 4 byte digests, along with seldom used control payloads from NOPIN + TEXT_RSP + REJECT with less than 32k of data. So following Al's audit of iovec consumers, go ahead and fail the connection on short writes for now, and remove the bogus logic ahead of his proper upstream fix. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: David S. Miller <davem@davemloft.net> Cc: <stable@vger.kernel.org> # v3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-16iscsi-target: nullify session in failed login sequenceSagi Grimberg1-0/+1
In case login sequence failed, make sure conn->sess is NULL before calling wait_conn as some transports (iser) may rely on that (waiting for session commands). Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-13iscsi-target: Drop left-over bogus iscsi_np->tpg_npNicholas Bellinger2-2/+0
This patch drops the left-over iscsi_np->tpg_np pointer, now that iser-target PI is able to dynamically allocate PI contexts per I/O, instead of needing to determine support using a TPG attribute with this bogus reference. Cc: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-13iscsi,iser-target: Expose supported protection ops according to t10_piSagi Grimberg1-3/+4
iSER will report supported protection operations based on the tpg attribute t10_pi settings and HCA PI offload capabilities. If the HCA does not support PI offload or tpg attribute t10_pi is not set, we fall to SW PI mode. In order to do that, we move iscsit_get_sup_prot_ops after connection tpg assignment. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Cc: <stable@vger.kernel.org> # v3.14+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-13iscsi,iser-target: Initiate termination only onceSagi Grimberg1-0/+3
Since commit 0fc4ea701fcf ("Target/iser: Don't put isert_conn inside disconnected handler") we put the conn kref in isert_wait_conn, so we need .wait_conn to be invoked also in the error path. Introduce call to isert_conn_terminate (called under lock) which transitions the connection state to TERMINATING and calls rdma_disconnect. If the state is already teminating, just bail out back (temination started). Also, make sure to destroy the connection when getting a connect error event if didn't get to connected (state UP). Same for the handling of REJECTED and UNREACHABLE cma events. Squashed: iscsi-target: Add call to wait_conn in establishment error flow Reported-by: Slava Shwartsman <valyushash@gmail.com> Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Cc: <stable@vger.kernel.org> # v3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-10switch memcpy_to_msg() and skb_copy{,_and_csum}_datagram_msg() to primitivesAl Viro1-7/+5
... making both non-draining. That means that tcp_recvmsg() becomes non-draining. And _that_ would break iscsit_do_rx_data() unless we a) make sure tcp_recvmsg() is uniformly non-draining (it is) b) make sure it copes with arbitrary (including shifted) iov_iter (it does, all it uses is iov_iter primitives) c) make iscsit_do_rx_data() initialize ->msg_iter only once. Fortunately, (c) is doable with minimal work and we are rid of one the two places where kernel send/recvmsg users would be unhappy with non-draining behaviour. Actually, that makes all but one of ->recvmsg() instances iov_iter-clean. The exception is skcipher_recvmsg() and it also isn't hard to convert to primitives (iov_iter_get_pages() is needed there). That'll wait a bit - there's some interplay with ->sendmsg() path for that one. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-12-04scsi: remove MSG_*_TAG definesChristoph Hellwig1-7/+7
For SPI drivers use the message definitions from scsi.h, and for target drivers introduce a new TCM_*_TAG namespace. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com
2014-12-02iscsi-target: fix error path in iscsi_target_init_module()Lino Sanfilippo1-0/+1
In iscsi_target_init_module() unwind transport protocol registration in case that iscsit_load_discovery_tpg() failed. Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-12-02target: Deletion of unnecessary checks before the function call "module_put"Markus Elfring1-2/+1
The module_put() function tests whether its argument is NULL and then returns immediately. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-10-28iscsi-target: return the correct port in SendTargetsSteven Allen1-1/+1
The fact that a target is published on the any address has no bearing on which port(s) it is published. SendTargets should always send the portal's port, not the port used for discovery. Signed-off-by: Steven Allen <steven.allen@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-10-22Merge branch 'for-next' of ↵Linus Torvalds5-24/+11
git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending Pull SCSI target updates from Nicholas Bellinger: "Here are the target updates for v3.18-rc2 code. These where originally destined for -rc1, but due to the combination of travel last week for KVM Forum and my mistake of taking the three week merge window literally, the pull request slipped.. Apologies for that. Things where reasonably quiet this round. The highlights include: - New userspace backend driver (target_core_user.ko) by Shaohua Li and Andy Grover - A number of cleanups in target, iscsi-taret and qla_target code from Joern Engel - Fix an OOPs related to queue full handling with CHECK_CONDITION status from Quinn Tran - Fix to disable TX completion interrupt coalescing in iser-target, that was causing problems on some hardware - Fix for PR APTPL metadata handling with demo-mode ACLs I'm most excited about the new backend driver that uses UIO + shared memory ring to dispatch I/O and control commands into user-space. This was probably the most requested feature by users over the last couple of years, and opens up a new area of development + porting of existing user-space storage applications to LIO. Thanks to Shaohua + Andy for making this happen. Also another honorable mention, a new Xen PV SCSI driver was merged via the xen/tip.git tree recently, which puts us now at 10 target drivers in upstream! Thanks to David Vrabel + Juergen Gross for their work to get this code merged" * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (40 commits) target/file: fix inclusive vfs_fsync_range() end iser-target: Disable TX completion interrupt coalescing target: Add force_pr_aptpl device attribute target: Fix APTPL metadata handling for dynamic MappedLUNs qla_target: don't delete changed nacls target/user: Recalculate pad size inside is_ring_space_avail() tcm_loop: Fixup tag handling iser-target: Fix smatch warning target/user: Fix up smatch warnings in tcmu_netlink_event target: Add a user-passthrough backstore target: Add documentation on the target userspace pass-through driver uio: Export definition of struct uio_device target: Remove unneeded check in sbc_parse_cdb target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE qla_target: rearrange struct qla_tgt_prm qla_target: improve qlt_unmap_sg() qla_target: make some global functions static qla_target: remove unused parameter target: simplify core_tmr_abort_task target: encapsulate smp_mb__after_atomic() ...
2014-09-18iscsi-target: use strlcpy in iscsit_collect_login_statsJoern Engel1-2/+3
last_intr_fail_name is a fixed-size array and could theoretically overflow. In reality intrname->value doesn't seem to depend on untrusted input or be anywhere near 224 characters, so the overflow is pretty theoretical. But strlcpy is cheap enough. Found by coverity. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: avoid NULL pointer in iscsi_copy_param_list failureJoern Engel1-1/+1
In iscsi_copy_param_list() a failed iscsi_param_list memory allocation currently invokes iscsi_release_param_list() to cleanup, and will promptly trigger a NULL pointer dereference. Instead, go ahead and return for the first iscsi_copy_param_list() failure case. Found by coverity. Signed-off-by: Joern Engel <joern@logfs.org> Cc: <stable@vger.kernel.org> # v3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcidNicholas Bellinger1-1/+3
This patch fixes a bug in iscsit_logout_post_handler_diffcid() where a pointer used as storage for list_for_each_entry() was incorrectly being used to determine if no matching entry had been found. This patch changes iscsit_logout_post_handler_diffcid() to key off bool conn_found to determine if the function needs to exit early. Reported-by: Joern Engel <joern@logfs.org> Cc: <stable@vger.kernel.org> # v3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: remove unnecessary check in iscsit_setup_np error pathJoern Engel1-2/+1
Found by coverity. At this point sock is non-NULL, so the check to unnecessary. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: Drop duplicate __iscsi_target_login_thread checkNicholas Bellinger1-2/+0
This patch drops the now duplicate + unnecessary check for -ENODEV from iscsi_transport->iscsit_accept_np() for jumping to out:, or immediately returning 1 in __iscsi_target_login_thread() code. Since commit 81a9c5e72b the jump to out: and returning 1 have the same effect, and end up hitting the ISCSI_NP_THREAD_SHUTDOWN check regardless at the top of __iscsi_target_login_thread() during next loop iteration. So that said, it's safe to go ahead and remove this duplicate check. Reported-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: simplify return statementJoern Engel1-5/+1
The return statement cannot be reached without either recovery or dump being set to 1. Therefore the condition always evaluates to true and recovery and dump are useless variables. Found by Coverity. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: remove always-true conditionsJoern Engel1-6/+4
Found by coverity. InitiatorName and InitiatorAlias are static arrays and therefore always non-NULL. At some point in the past they may have been dynamically allocated, but for current code the condition is useless. If the intent was to check InitiatorName[0] instead, I cannot find a use for that either. Let's get rid of it. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-18iscsi-target: remove unused debug codeJoern Engel2-7/+2
Last user of buf was removed with c6037cc546ca. While at it, free_cpumask_var() handles a NULL argument just fine, so remove the conditionals. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-09-16iscsi-target: Ignore ICF_GOT_LAST_DATAOUT during Data-Out ITT lookupNicholas Bellinger1-0/+2
This patch adds a explicit check in iscsit_find_cmd_from_itt_or_dump() to ignore commands with ICF_GOT_LAST_DATAOUT set. This is done to address the case where an ITT is being reused for DataOUT, but the previous command with the same ITT has not yet been acknowledged by ExpStatSN and removed from the per connection command list. This issue was originally manifesting itself by referencing the previous command during ITT lookup, and subsequently hitting the check in iscsit_check_dataout_hdr() for ICF_GOT_LAST_DATAOUT, that resulted in the DataOUT PDU + associated payload being silently dumped. Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Tested-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-28iscsi-target: fix iscsit_del_np deadlock on unloadMikulas Patocka1-6/+7
On uniprocessor preemptible kernel, target core deadlocks on unload. The following events happen: * iscsit_del_np is called * it calls send_sig(SIGINT, np->np_thread, 1); * the scheduler switches to the np_thread * the np_thread is woken up, it sees that kthread_should_stop() returns false, so it doesn't terminate * the np_thread clears signals with flush_signals(current); and goes back to sleep in iscsit_accept_np * the scheduler switches back to iscsit_del_np * iscsit_del_np calls kthread_stop(np->np_thread); * the np_thread is waiting in iscsit_accept_np and it doesn't respond to kthread_stop The deadlock could be resolved if the administrator sends SIGINT signal to the np_thread with killall -INT iscsi_np The reproducible deadlock was introduced in commit db6077fd0b7dd41dc6ff18329cec979379071f87, but the thread-stopping code was racy even before. This patch fixes the problem. Using kthread_should_stop to stop the np_thread is unreliable, so we test np_thread_state instead. If np_thread_state equals ISCSI_NP_THREAD_SHUTDOWN, the thread exits. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27iscsi-target: Avoid rejecting incorrect ITT for Data-OutNicholas Bellinger1-1/+1
This patch changes iscsit_check_dataout_hdr() to dump the incoming Data-Out payload when the received ITT is not associated with a WRITE, instead of calling iscsit_reject_cmd() for the non WRITE ITT descriptor. This addresses a bug where an initiator sending an Data-Out for an ITT associated with a READ would end up generating a reject for the READ, eventually resulting in list corruption. Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com> Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27iscsi-target: Explicily clear login response PDU in exception pathNicholas Bellinger1-0/+2
This patch adds a explicit memset to the login response PDU exception path in iscsit_tx_login_rsp(). This addresses a regression bug introduced in commit baa4d64b where the initiator would end up not receiving the login response and associated status class + detail, before closing the login connection. Reported-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr> Tested-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27iscsi-target; Enforce 1024 byte maximum for CHAP_C key valueNicholas Bellinger1-0/+4
This patch adds a check in chap_server_compute_md5() to enforce a 1024 byte maximum for the CHAP_C key value following the requirement in RFC-3720 Section 11.1.4: "..., C and R are large-binary-values and their binary length (not the length of the character string that represents them in encoded form) MUST not exceed 1024 bytes." Reported-by: rahul.rane <rahul.rane@calsoftinc.com> Tested-by: rahul.rane <rahul.rane@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27iscsi-target: Convert chap_server_compute_md5 to use kstrtoulNicholas Bellinger1-3/+7
This patch converts chap_server_compute_md5() from simple_strtoul() to kstrtoul usage(). This addresses the case where a empty 'CHAP_I=' key value received during mutual authentication would be converted to a '0' by simple_strtoul(), instead of failing the login attempt. Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Tested-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-13Merge branch 'for-next' of ↵Linus Torvalds8-43/+98
git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending Pull SCSI target updates from Nicholas Bellinger: "The highlights this round include: - Add support for T10 PI pass-through between vhost-scsi + virtio-scsi (MST + Paolo + MKP + nab) - Add support for T10 PI in qla2xxx target mode (Quinn + MKP + hch + nab, merged through scsi.git) - Add support for percpu-ida pre-allocation in qla2xxx target code (Quinn + nab) - A number of iser-target fixes related to hardening the network portal shutdown path (Sagi + Slava) - Fix response length residual handling for a number of control CDBs (Roland + Christophe V.) - Various iscsi RFC conformance fixes in the CHAP authentication path (Tejas and Calsoft folks + nab) - Return TASK_SET_FULL status for tcm_fc(FCoE) DataIn + Response failures (Vasu + Jun + nab) - Fix long-standing ABORT_TASK + session reset hang (nab) - Convert iser-initiator + iser-target to include T10 bytes into EDTL (Sagi + Or + MKP + Mike Christie) - Fix NULL pointer dereference regression related to XCOPY introduced in v3.15 + CC'ed to v3.12.y (nab)" * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (34 commits) target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd vhost-scsi: Include prot_bytes into expected data transfer length TARGET/sbc,loopback: Adjust command data length in case pi exists on the wire libiscsi, iser: Adjust data_length to include protection information scsi_cmnd: Introduce scsi_transfer_length helper target: Report correct response length for some commands target/sbc: Check that the LBA and number of blocks are correct in VERIFY target/sbc: Remove sbc_check_valid_sectors() Target/iscsi: Fix sendtargets response pdu for iser transport Target/iser: Fix a wrong dereference in case discovery session is over iser iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leak target: Use complete_all for se_cmd->t_transport_stop_comp target: Set CMD_T_ACTIVE bit for Task Management Requests target: cleanup some boolean tests target/spc: Simplify INQUIRY EVPD=0x80 tcm_fc: Generate TASK_SET_FULL status for response failures tcm_fc: Generate TASK_SET_FULL status for DataIN failures iscsi-target: Reject mutual authentication with reflected CHAP_C iscsi-target: Remove no-op from iscsit_tpg_del_portal_group iscsi-target: Fix CHAP_A parameter list handling ...
2014-06-11Target/iscsi: Fix sendtargets response pdu for iser transportSagi Grimberg1-4/+10
In case the transport is iser we should not include the iscsi target info in the sendtargets text response pdu. This causes sendtargets response to include the target info twice. Modify iscsit_build_sendtargets_response to filter transport types that don't match. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Reported-by: Slava Shwartsman <valyushash@gmail.com> Cc: stable@vger.kernel.org # 3.11+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-10iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leakNicholas Bellinger1-2/+1
This patch fixes a iscsi_queue_req memory leak when ABORT_TASK response has been queued by TFO->queue_tm_rsp() -> lio_queue_tm_rsp() after a long standing I/O completes, but the connection has already reset and waiting for cleanup to complete in iscsit_release_commands_from_conn() -> transport_generic_free_cmd() -> transport_wait_for_tasks() code. It moves iscsit_free_queue_reqs_for_conn() after the per-connection command list has been released, so that the associated se_cmd tag can be completed + released by target-core before freeing any remaining iscsi_queue_req memory for the connection generated by lio_queue_tm_rsp(). Cc: Thomas Glanzmann <thomas@glanzmann.de> Cc: Charalampos Pournaris <charpour@gmail.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-07target: cleanup some boolean testsChristophe Vu-Brugier5-19/+17
Convert "x == true" to "x" and "x == false" to "!x". Signed-off-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-06iscsi-target: Reject mutual authentication with reflected CHAP_CNicholas Bellinger1-0/+10
This patch adds an explicit check in chap_server_compute_md5() to ensure the CHAP_C value received from the initiator during mutual authentication does not match the original CHAP_C provided by the target. This is in line with RFC-3720, section 8.2.1: Originators MUST NOT reuse the CHAP challenge sent by the Responder for the other direction of a bidirectional authentication. Responders MUST check for this condition and close the iSCSI TCP connection if it occurs. Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Cc: stable@vger.kernel.org # 3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-06iscsi-target: Remove no-op from iscsit_tpg_del_portal_groupNicholas Bellinger2-4/+1
This patch removes a no-op iscsit_clear_tpg_np_login_threads() call in iscsit_tpg_del_portal_group(), which is unnecessary because iscsit_tpg_del_portal_group() can only ever be removed from configfs once all of the child network portals have been released. Also, go ahed and make iscsit_clear_tpg_np_login_threads() declared as static. Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-06iscsi-target: Fix CHAP_A parameter list handlingTejas Vaykole2-13/+52
The target is failing to handle list of CHAP_A key-value pair form initiator.The target is expecting CHAP_A=5 always. In other cases, where initiator sends list (for example) CHAP_A=6,5 target is failing the security negotiation. Which is incorrect. This patch handles the case (RFC 3720 section 11.1.4). where in the initiator may send list of CHAP_A values and target replies with appropriate CHAP_A value in response (Drop whitespaces + rename to chap_check_algorithm + save original pointer + add explicit check for CHAP_A key - nab) Signed-off-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-04iscsi-target: Put length of failed allocation in error messageRoland Dreier1-1/+1
If the message "Unable to allocate…" pops up, it's useful to know whether the problem is that the system is genuinely out of memory, or that some bug has led to a crazy allocation length. In particular this helped debug a corruption of login headers in iscsi_login_non_zero_tsih_s1(). Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-04iscsi-target: Reject zero-length payloads during SecurityNegotiationNicholas Bellinger1-0/+6
This patch changes iscsi_target_handle_csg_zero() to explicitly reject login requests in SecurityNegotiation with a zero-length payload, following the language in RFC-3720 Section 8.2: Whenever an iSCSI target gets a response whose keys, or their values, are not according to the step definition, it MUST answer with a Login reject with the "Initiator Error" or "Missing Parameter" status. Previously when a zero-length login request in CSG=0 was received, the target would send a login response with CSG=0 + T_BIT=0 asking the initiator to complete authentication, and not fail the login until MAX_LOGIN_PDUS was reached. This change will now immediately fail the login attempt with ISCSI_STATUS_CLS_INITIATOR_ERR status. Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-04iser-target: Fix multi network portal shutdown regressionNicholas Bellinger2-1/+3
This patch fixes a iser-target specific regression introduced in v3.15-rc6 with: commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a Author: Sagi Grimberg <sagig@mellanox.com> Date: Tue Apr 29 13:13:47 2014 +0300 Target/iscsi,iser: Avoid accepting transport connections during stop stage where the change to set iscsi_np->enabled = false within iscsit_clear_tpg_np_login_thread() meant that a iscsi_np with two iscsi_tpg_np exports would have it's parent iscsi_np set to a disabled state, even if other iscsi_tpg_np exports still existed. This patch changes iscsit_clear_tpg_np_login_thread() to only set iscsi_np->enabled = false when shutdown = true, and also changes iscsit_del_np() to set iscsi_np->enabled = true when iscsi_np->np_exports is non zero. Cc: Sagi Grimberg <sagig@dev.mellanox.co.il> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-04iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value()Roland Dreier1-39/+31
In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls iscsi_change_param_value() with the buffer it uses to hold the login PDU, not a temporary buffer. This leads to the login header getting corrupted and login failing for non-leading connections in MC/S. Fix this by adding a wrapper iscsi_change_param_sprintf() that handles the temporary buffer itself to avoid confusion. Also handle sending a reject in case of failure in the wrapper, which lets the calling code get quite a bit smaller and easier to read. Finally, bump the size of the temporary buffer from 32 to 64 bytes to be safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't the default but we don't need to run right at the ragged edge here) Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-16iscsi-target: Disable Immediate + Unsolicited Data with ISER ProtectionNicholas Bellinger1-1/+26
This patch explicitly disables Immediate + Unsolicited Data for ISER connections during login in iscsi_login_zero_tsih_s2() when protection has been enabled for the session by the underlying hardware. This is currently required because protection / signature memory regions (MRs) expect T10 PI to occur on RDMA READs + RDMA WRITEs transfers, and not on a immediate data payload associated with ISCSI_OP_SCSI_CMD, or unsolicited data-out associated with a ISCSI_OP_SCSI_DATA_OUT. v2 changes: - Add TARGET_PROT_DOUT_INSERT check (Sagi) - Add pr_debug noisemaker (Sagi) - Add goto to avoid early return from MRDSL check (nab) Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-16iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_outNicholas Bellinger1-1/+3
This patch changes an incorrect use of BUG_ON to instead generate a REJECT + PROTOCOL_ERROR in iscsit_process_nop_out() code. This case can occur with traditional TCP where a flood of zeros in the data stream can reach this block for what is presumed to be a NOP-OUT with a solicited reply, but without a valid iscsi_cmd pointer. This incorrect BUG_ON was introduced during the v3.11-rc timeframe with the following commit: commit 778de368964c5b7e8100cde9f549992d521e9c89 Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Fri Jun 14 16:07:47 2013 -0700 iscsi/isert-target: Refactor ISCSI_OP_NOOP RX handling Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Cc: stable@vger.kernel.org # 3.11+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-16Target/iscsi,iser: Avoid accepting transport connections during stop stageSagi Grimberg3-0/+3
When the target is in stop stage, iSER transport initiates RDMA disconnects. The iSER initiator may wish to establish a new connection over the still existing network portal. In this case iSER transport should not accept and resume new RDMA connections. In order to learn that, iscsi_np is added with enabled flag so the iSER transport can check when deciding weather to accept and resume a new connection request. The iscsi_np is enabled after successful transport setup, and disabled before iscsi_np login threads are cleaned up. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-13Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds2-2/+2
Pull yet more networking updates from David Miller: 1) Various fixes to the new Redpine Signals wireless driver, from Fariya Fatima. 2) L2TP PPP connect code takes PMTU from the wrong socket, fix from Dmitry Petukhov. 3) UFO and TSO packets differ in whether they include the protocol header in gso_size, account for that in skb_gso_transport_seglen(). From Florian Westphal. 4) If VLAN untagging fails, we double free the SKB in the bridging output path. From Toshiaki Makita. 5) Several call sites of sk->sk_data_ready() were referencing an SKB just added to the socket receive queue in order to calculate the second argument via skb->len. This is dangerous because the moment the skb is added to the receive queue it can be consumed in another context and freed up. It turns out also that none of the sk->sk_data_ready() implementations even care about this second argument. So just kill it off and thus fix all these use-after-free bugs as a side effect. 6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti. 7) pktgen needs to do locking properly for LLTX devices, from Daniel Borkmann. 8) xen-netfront driver initializes TX array entries in RX loop :-) From Vincenzo Maffione. 9) After refactoring, some tunnel drivers allow a tunnel to be configured on top itself. Fix from Nicolas Dichtel. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits) vti: don't allow to add the same tunnel twice gre: don't allow to add the same tunnel twice drivers: net: xen-netfront: fix array initialization bug pktgen: be friendly to LLTX devices r8152: check RTL8152_UNPLUG net: sun4i-emac: add promiscuous support net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO net: ipv6: Fix oif in TCP SYN+ACK route lookup. drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts drivers: net: cpsw: discard all packets received when interface is down net: Fix use after free by removing length arg from sk_data_ready callbacks. Drivers: net: hyperv: Address UDP checksum issues Drivers: net: hyperv: Negotiate suitable ndis version for offload support Drivers: net: hyperv: Allocate memory for all possible per-pecket information bridge: Fix double free and memory leak around br_allowed_ingress bonding: Remove debug_fs files when module init fails i40evf: program RSS LUT correctly i40evf: remove open-coded skb_cow_head ixgb: remove open-coded skb_cow_head igbvf: remove open-coded skb_cow_head ...
2014-04-12net: Fix use after free by removing length arg from sk_data_ready callbacks.David S. Miller2-2/+2
Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-07target: Pass in transport supported PI at session initializationNicholas Bellinger2-1/+9
In order to support local WRITE_INSERT + READ_STRIP operations for non PI enabled fabrics, the fabric driver needs to be able signal what protection offload operations are supported. This is done at session initialization time so the modes can be signaled by individual se_wwn + se_portal_group endpoints, as well as optionally across different transports on the same endpoint. For iser-target, set TARGET_PROT_ALL if the underlying ib_device has already signaled PI offload support, and allow this to be exposed via a new iscsit_transport->iscsit_get_sup_prot_ops() callback. For loopback, set TARGET_PROT_ALL to signal SCSI initiator mode operation. For all other drivers, set TARGET_PROT_NORMAL to disable fabric level PI. Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bugNicholas Bellinger1-1/+3
This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message() where during ERL=2 connection recovery, a bogus conn_p pointer could end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION notifying the initiator that cmd->logout_cid has failed. The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with a bogus conn_p pointer in iscsit_build_conn_drop_async_message(). Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Reported-by: santosh kulkarni <santosh.kulkarni@calsoftinc.com> Cc: <stable@vger.kernel.org> #3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target: Add TFO->abort_task for aborted task resources releaseNicholas Bellinger4-2/+24
Now that TASK_ABORTED status is not generated for all cases by TMR ABORT_TASK + LUN_RESET, a new TFO->abort_task() caller is necessary in order to give fabric drivers a chance to unmap hardware / software resources before the se_cmd descriptor is released via the normal TFO->release_cmd() codepath. This patch adds TFO->aborted_task() in core_tmr_abort_task() in place of the original transport_send_task_abort(), and also updates all fabric drivers to implement this caller. The fabric drivers that include changes to perform cleanup via ->aborted_task() are: - iscsi-target - iser-target - srpt - tcm_qla2xxx The fabric drivers that currently set ->aborted_task() to NOPs are: - loopback - tcm_fc - usb-gadget - sbp-target - vhost-scsi For the latter five, there appears to be no additional cleanup required before invoking TFO->release_cmd() to release the se_cmd descriptor. v2 changes: - Move ->aborted_task() call into transport_cmd_finish_abort (Alex) Cc: Alex Leung <amleung21@yahoo.com> Cc: Mark Rustad <mark.d.rustad@intel.com> Cc: Roland Dreier <roland@kernel.org> Cc: Vu Pham <vu@mellanox.com> Cc: Chris Boot <bootc@bootc.net> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Cc: Saurav Kashyap <saurav.kashyap@qlogic.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07iscsi-target: Add missing NopOUT->flag (LMB) sanity checkArshad Hussain1-0/+10
This patch adds check for NopOUT->flag (LMB) which is a mandatory as per RFC 3720 Section 10.18. (Fix up context changes for v3.14-rc code - nab) Signed-off-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/configfs: Expose iSCSI network portal group T10-PI supportSagi Grimberg3-0/+26
User may enable T10-PI support per network portal group. any connection established on top of it, will be required to serve protected transactions. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>