1. 21 Jan, 2020 1 commit
  2. 20 Nov, 2019 1 commit
    • scsi: target: iscsi: Wait for all commands to finish before freeing a session · e9d3009c
      Bart Van Assche authored
      The iSCSI target driver is the only target driver that does not wait for
      ongoing commands to finish before freeing a session. Make the iSCSI target
      driver wait for ongoing commands to finish before freeing a session. This
      patch fixes the following KASAN complaint:
      
      BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710
      Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247
      
      CPU: 0 PID: 247 Comm: kworker/0:2 Not tainted 5.4.0-rc1-dbg+ #6
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      Workqueue: target_completion target_complete_ok_work [target_core_mod]
      Call Trace:
       dump_stack+0x8a/0xd6
       print_address_description.constprop.0+0x40/0x60
       __kasan_report.cold+0x1b/0x33
       kasan_report+0x16/0x20
       __asan_load8+0x58/0x90
       __lock_acquire+0xb1a/0x2710
       lock_acquire+0xd3/0x200
       _raw_spin_lock_irqsave+0x43/0x60
       target_release_cmd_kref+0x162/0x7f0 [target_core_mod]
       target_put_sess_cmd+0x2e/0x40 [target_core_mod]
       lio_check_stop_free+0x12/0x20 [iscsi_target_mod]
       transport_cmd_check_stop_to_fabric+0xd8/0xe0 [target_core_mod]
       target_complete_ok_work+0x1b0/0x790 [target_core_mod]
       process_one_work+0x549/0xa40
       worker_thread+0x7a/0x5d0
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      Allocated by task 889:
       save_stack+0x23/0x90
       __kasan_kmalloc.constprop.0+0xcf/0xe0
       kasan_slab_alloc+0x12/0x20
       kmem_cache_alloc+0xf6/0x360
       transport_alloc_session+0x29/0x80 [target_core_mod]
       iscsi_target_login_thread+0xcd6/0x18f0 [iscsi_target_mod]
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      Freed by task 1025:
       save_stack+0x23/0x90
       __kasan_slab_free+0x13a/0x190
       kasan_slab_free+0x12/0x20
       kmem_cache_free+0x146/0x400
       transport_free_session+0x179/0x2f0 [target_core_mod]
       transport_deregister_session+0x130/0x180 [target_core_mod]
       iscsit_close_session+0x12c/0x350 [iscsi_target_mod]
       iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod]
       iscsit_response_queue+0x8de/0xbe0 [iscsi_target_mod]
       iscsi_target_tx_thread+0x27f/0x370 [iscsi_target_mod]
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      The buggy address belongs to the object at ffff8881154ec9c0
       which belongs to the cache se_sess_cache of size 352
      The buggy address is located 176 bytes inside of
       352-byte region [ffff8881154ec9c0, ffff8881154ecb20)
      The buggy address belongs to the page:
      page:ffffea0004553b00 refcount:1 mapcount:0 mapping:ffff888101755400 index:0x0 compound_mapcount: 0
      flags: 0x2fff000000010200(slab|head)
      raw: 2fff000000010200 dead000000000100 dead000000000122 ffff888101755400
      raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      >ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                   ^
       ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
      
      Cc: Mike Christie <mchristi@redhat.com>
      Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.org
      
      Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  3. 23 Oct, 2019 1 commit
  4. 30 May, 2019 1 commit
    • treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 · c942fddf
      Thomas Gleixner authored
      Based on 3 normalized pattern(s):
      
        this program is free software you can redistribute it and or modify
        it under the terms of the gnu general public license as published by
        the free software foundation either version 2 of the license or at
        your option any later version this program is distributed in the
        hope that it will be useful but without any warranty without even
        the implied warranty of merchantability or fitness for a particular
        purpose see the gnu general public license for more details
      
        this program is free software you can redistribute it and or modify
        it under the terms of the gnu general public license as published by
        the free software foundation either version 2 of the license or at
        your option any later version [author] [kishon] [vijay] [abraham]
        [i] [kishon]@[ti] [com] this program is distributed in the hope that
        it will be useful but without any warranty without even the implied
        warranty of merchan...
  5. 13 Apr, 2019 4 commits
    • scsi: target/iscsi: Make sure PDU processing continues if parsing a command fails · 4b3766ec
      Bart Van Assche authored
      
      
      Currently the iSCSI target driver sends a CHECK CONDITION code back to the
      initiator if the immediate data buffer is too large but it does not discard
      that immediate data buffer. The result is that the iSCSI target driver
      attempts to parse the immediate data itself as iSCSI PDUs and that all
      further iSCSI communication fails. Fix this by receiving and discarding too
      large immediate data buffers.
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: target/iscsi: Make iscsit_map_iovec() more robust · 2e39f1c9
      Bart Van Assche authored
      
      
      Make the code for mapping an iovec more robust by checking the bounds of
      the allocated iovec. This patch avoids that the following crash occurs if a
      map attempt is made that exceeds the bounds of the iovec that is being
      mapped:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
      RIP: 0010:iscsit_map_iovec+0x120/0x190 [iscsi_target_mod]
      Call Trace:
       iscsit_get_rx_pdu+0x8a2/0xe00 [iscsi_target_mod]
       iscsi_target_rx_thread+0x6e/0xa0 [iscsi_target_mod]
       kthread+0x109/0x140
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: target/iscsi: Handle too large immediate data buffers correctly · 0ca650c1
      Bart Van Assche authored
      
      
      Since target_alloc_sgl() and iscsit_allocate_iovecs() allocate buffer space
      for se_cmd.data_length bytes and since that number can be smaller than the
      iSCSI Expected Data Transfer Length (EDTL), ensure that the iSCSI target
      driver does not attempt to receive more bytes than what fits in the receive
      buffer. Always receive the full immediate data buffer such that the iSCSI
      target driver does not attempt to parse immediate data as an iSCSI PDU.
      
      Note: the current code base only calls iscsit_get_dataout() if the size of
      the immediate data buffer does not exceed the buffer size derived from the
      SCSI CDB. See also target_cmd_size_check().
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
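The framing failure that commits 4b3766ec and 0ca650c1 above describe, as an added userspace model that is not code from the kernel or from these commits: a receive loop that rejects an oversized immediate data segment without draining it goes on to read payload bytes as the next PDU header. The function names, the 16-byte `buf_cap` (standing in for `se_cmd.data_length`) and the sample stream are constructed for illustration; only the 48-byte header, the 24-bit DataSegmentLength in bytes 5 to 7 and the 4-byte padding follow the iSCSI PDU layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BHS_LEN     48    /* iSCSI Basic Header Segment length */
#define OP_NOP_OUT  0x00
#define OP_SCSI_CMD 0x01
#define RX_BUF_MAX  64    /* model only: upper bound for buf_cap */

struct rx_stats {
    int pdus_ok;      /* PDUs accepted with all of their data stored */
    int rejected;     /* PDUs whose data segment exceeded buf_cap */
    int desynced;     /* 1 once payload bytes were read as a header */
    uint32_t stored;  /* bytes copied into the receive buffer */
};

/* DataSegmentLength: 24-bit big-endian value in BHS bytes 5..7. */
static uint32_t data_seg_len(const uint8_t *bhs)
{
    return ((uint32_t)bhs[5] << 16) | ((uint32_t)bhs[6] << 8) | bhs[7];
}

/*
 * Walk a byte stream of PDUs. buf_cap models the per-command receive buffer.
 * drain_oversized == 0 models the pre-fix behaviour the commits describe;
 * drain_oversized == 1 stores what fits and discards the remainder.
 */
static struct rx_stats rx_stream(const uint8_t *s, size_t len,
                                 uint32_t buf_cap, int drain_oversized)
{
    struct rx_stats st = { 0 };
    uint8_t rx_buf[RX_BUF_MAX];
    size_t off = 0;

    if (buf_cap > RX_BUF_MAX)
        buf_cap = RX_BUF_MAX;

    while (len - off >= BHS_LEN) {
        const uint8_t *bhs = s + off;
        uint8_t op = bhs[0] & 0x3f;
        uint32_t dl = data_seg_len(bhs);
        uint32_t padded = (dl + 3) & ~(uint32_t)3;
        uint32_t keep = dl < buf_cap ? dl : buf_cap;

        if (op != OP_NOP_OUT && op != OP_SCSI_CMD) {
            st.desynced = 1;          /* these bytes were never a header */
            break;
        }
        off += BHS_LEN;
        if (dl > buf_cap && !drain_oversized) {
            st.rejected++;            /* error reported, payload left queued */
            continue;
        }
        if (padded > len - off)
            break;                    /* truncated stream */
        memcpy(rx_buf, s + off, keep);/* never more than the buffer holds */
        st.stored += keep;
        off += padded;                /* always consume the whole segment */
        if (dl > buf_cap)
            st.rejected++;
        else
            st.pdus_ok++;
    }
    return st;
}

/* Append one constructed PDU (header, data, zero padding); returns its size. */
static size_t put_pdu(uint8_t *out, uint8_t op, uint32_t dl, uint8_t fill)
{
    uint32_t padded = (dl + 3) & ~(uint32_t)3;

    memset(out, 0, BHS_LEN + padded);
    out[0] = op;
    out[5] = (uint8_t)(dl >> 16);
    out[6] = (uint8_t)(dl >> 8);
    out[7] = (uint8_t)dl;
    memset(out + BHS_LEN, fill, dl);
    return BHS_LEN + padded;
}

/* Constructed stream: the second command carries 64 bytes against a 16-byte buffer. */
static struct rx_stats demo(int drain_oversized)
{
    uint8_t stream[512];
    size_t n = 0;

    n += put_pdu(stream + n, OP_SCSI_CMD, 8, 0xEE);
    n += put_pdu(stream + n, OP_SCSI_CMD, 64, 0xEE);
    n += put_pdu(stream + n, OP_NOP_OUT, 0, 0);
    n += put_pdu(stream + n, OP_SCSI_CMD, 12, 0xEE);
    return rx_stream(stream, n, 16, drain_oversized);
}

int main(void)
{
    struct rx_stats a = demo(0), b = demo(1);

    printf("no drain: ok=%d rejected=%d desynced=%d stored=%u\n",
           a.pdus_ok, a.rejected, a.desynced, (unsigned)a.stored);
    printf("drain:    ok=%d rejected=%d desynced=%d stored=%u\n",
           b.pdus_ok, b.rejected, b.desynced, (unsigned)b.stored);
    return 0;
}
```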
    • scsi: target/iscsi: Only send R2T if needed · 96e8e26d
      Bart Van Assche authored
      
      
      If an initiator submits more immediate data than the size derived from the
      SCSI CDB, do not send any R2T to the initiator. This scenario is triggered
      by the libiscsi test ALL.iSCSIResiduals.WriteVerify16Residuals if the iSCSI
      target driver is modified to discard too large immediate data buffers
      instead of trying to parse these as an iSCSI PDU. This patch avoids that a
      negative xfer_len value is passed to iscsit_add_r2t_to_list() if too large
      immediate data buffers are handled correctly.
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  6. 05 Feb, 2019 4 commits
    • scsi: target/iscsi: Simplify iscsit_handle_text_cmd() · 47eefded
      Bart Van Assche authored
      
      
      Treat text_in and padding as a single buffer instead of two buffers.
      
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock · 32e36bfb
      Bart Van Assche authored
      When using SCSI passthrough in combination with the iSCSI target driver
      then cmd->t_state_lock may be obtained from interrupt context. Hence, all
      code that obtains cmd->t_state_lock from thread context must disable
      interrupts first. This patch avoids that lockdep reports the following:
      
      WARNING: inconsistent lock state
      4.18.0-dbg+ #1 Not tainted
      --------------------------------
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
      iscsi_ttx/1800 [HC1[1]:SC0[2]:HE0:SE0] takes:
      000000006e7b0ceb (&(&cmd->t_state_lock)->rlock){?...}, at: target_complete_cmd+0x47/0x2c0 [target_core_mod]
      {HARDIRQ-ON-W} state was registered at:
       lock_acquire+0xd2/0x260
       _raw_spin_lock+0x32/0x50
       iscsit_close_connection+0x97e/0x1020 [iscsi_target_mod]
       iscsit_take_action_for_connection_exit+0x108/0x200 [iscsi_target_mod]
       iscsi_target_rx_thread+0x180/0x190 [iscsi_target_mod]
       kthread+0x1cf/0x1f0
       ret_from_fork+0x24/0x30
      irq event stamp: 1281
      hardirqs last  enabled at (1279): [<ffffffff970ade79>] __local_bh_enable_ip+0xa9/0x160
      hardirqs last disabled at (1281): [<ffffffff97a008a5>] interrupt_entry+0xb5/0xd0
      softirqs last  enabled at (1278): [<ffffffff977cd9a1>] lock_sock_nested+0x51/0xc0
      softirqs last disabled at (1280): [<ffffffffc07a6e04>] ip6_finish_output2+0x124/0xe40 [ipv6]
      
      other info that might help us debug this:
      Possible unsafe locking scenario:
      
            CPU0
            ----
       lock(&(&cmd->t_state_lock)->rlock);
       <Interrupt>
         lock(&(&cmd->t_state_lock)->rlock);
      
      *** DEADLOCK ***
      
      3 locks held by iscsi_ttx/1800:
      *0: 00000000c3b711b7 (sk_lock-AF_INET6){+.+.}, at: tcp_sendmsg+0x1e/0x50
      *1: 00000000fa81046f (rcu_read_lock){....}, at: inet6_csk_xmit+0xc7/0x2e0 [ipv6]
      *2: 00000000c091d70d (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x124/0xe40 [ipv6]
      
      stack backtrace:
      CPU: 0 PID: 1800 Comm: iscsi_ttx Not tainted 4.18.0-dbg+ #1
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
      <IRQ>
      dump_stack+0xa4/0xf5
      print_usage_bug+0x25b/0x27b
      mark_lock+0x70f/0x7b0
      __lock_acquire+0xbc2/0x1b50
      lock_acquire+0xd2/0x260
      _raw_spin_lock_irqsave+0x4a/0x60
      target_complete_cmd+0x47/0x2c0 [target_core_mod]
      target_complete_cmd_with_length+0x70/0xa0 [target_core_mod]
      pscsi_req_done+0x335/0x530 [target_core_pscsi]
      __blk_mq_end_request+0xa5/0x140
      scsi_end_request+0x112/0x320 [scsi_mod]
      scsi_io_completion+0x183/0xa30 [scsi_mod]
      scsi_finish_command+0x1c0/0x280 [scsi_mod]
      scsi_softirq_done+0x19a/0x230 [scsi_mod]
      __blk_mq_complete_request_remote+0x2f/0x40
      flush_smp_call_function_queue+0x12a/0x220
      generic_smp_call_function_single_interrupt+0x13/0x30
      smp_call_function_single_interrupt+0x7a/0x350
      call_function_single_interrupt+0xf/0x20
      </IRQ>
      RIP: 0010:__asan_load4+0x1e/0x80
      debug_lockdep_rcu_enabled+0x26/0x40
      ip6_finish_output2+0x15a/0xe40 [ipv6]
      ip6_finish_output+0x308/0x440 [ipv6]
      ip6_output+0x11d/0x3b0 [ipv6]
      ip6_xmit+0x639/0xc50 [ipv6]
      inet6_csk_xmit+0x198/0x2e0 [ipv6]
      __tcp_transmit_skb+0xc1b/0x15b0
      tcp_write_xmit+0x42e/0x1f20
      __tcp_push_pending_frames+0x59/0x150
      tcp_push+0x189/0x270
      tcp_sendmsg_locked+0x7b9/0x1680
      tcp_sendmsg+0x2c/0x50
      inet_sendmsg+0x71/0x250
      sock_sendmsg+0x4c/0x60
      tx_data+0x12b/0x1f0 [iscsi_target_mod]
      iscsit_send_tx_data+0x77/0xe0 [iscsi_target_mod]
      iscsit_xmit_pdu+0x2c5/0x740 [iscsi_target_mod]
      iscsit_response_queue+0x941/0xd40 [iscsi_target_mod]
      iscsi_target_tx_thread+0x23b/0x350 [iscsi_target_mod]
      kthread+0x1cf/0x1f0
      ret_from_fork+0x24/0x30
      
      Fixes: 064cdd2d ("target: Fix race between iscsi-target connection shutdown + ABORT_TASK")
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: target/iscsi: Fix spelling of "unsolicited" · 0300b114
      Bart Van Assche authored
      
      
      Change "unsoliticed" into "unsolicited".
      
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: target/iscsi: Convert comments about locking into runtime checks · 618baaf7
      Bart Van Assche authored
      
      
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  7. 09 Jan, 2019 1 commit
  8. 08 Dec, 2018 1 commit
    • scsi: target/core: Fix TAS handling for aborted commands · aaa00cc9
      Bart Van Assche authored
      
      
      The TASK ABORTED STATUS (TAS) bit is defined as follows in SAM:
      "TASK_ABORTED: this status shall be returned if a command is aborted by a
      command or task management function on another I_T nexus and the control
      mode page TAS bit is set to one". TAS handling is spread over the target
      core and the iSCSI target driver. If a LUN RESET is received, the target
      core will send the TASK_ABORTED response for all commands for which such a
      response has to be sent. If an ABORT TASK is received, only the iSCSI
      target driver will send the TASK_ABORTED response for the commands for
      which that response has to be sent.  That is a bug since all target drivers
      have to honor the TAS bit. Fix this by moving the code that handles TAS
      from the iSCSI target driver into the target core. Additionally, if a
      command has been aborted, instead of sending the TASK_ABORTED status from
      the context that processes the SCSI command send it from the context of the
      ABORT TMF.  The core_tmr_abort_task() change in this patch causes the
      CMD_T_TAS flag to be set if a TASK_ABORTED status has to be sent back to
      the initiator that submitted the command. If that flag has been set
      transport_cmd_finish_abort() will send the TASK_ABORTED response.
      
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: David Disseldorp <ddiss@suse.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  9. 17 Sep, 2018 1 commit
  10. 12 Sep, 2018 1 commit
    • scsi: iscsi: target: Don't use stack buffer for scatterlist · 679fcae4
      Laura Abbott authored
      
      
      Fedora got a bug report of a crash with iSCSI:
      
      kernel BUG at include/linux/scatterlist.h:143!
      ...
      RIP: 0010:iscsit_do_crypto_hash_buf+0x154/0x180 [iscsi_target_mod]
      ...
       Call Trace:
        ? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
        iscsit_get_rx_pdu+0x4cd/0xa90 [iscsi_target_mod]
        ? native_sched_clock+0x3e/0xa0
        ? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
        iscsi_target_rx_thread+0x81/0xf0 [iscsi_target_mod]
        kthread+0x120/0x140
        ? kthread_create_worker_on_cpu+0x70/0x70
        ret_from_fork+0x3a/0x50
      
      This is a BUG_ON for using a stack buffer with a scatterlist.  There
      are two cases that trigger this bug. Switch to using a dynamically
      allocated buffer for one case and do not assign a NULL buffer in
      another case.
      Signed-off-by: Laura Abbott <labbott@redhat.com>
      Reviewed-by: Mike Christie <mchristi@redhat.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  11. 30 Aug, 2018 1 commit
    • scsi: iscsi: target: Fix conn_ops double free · 05a86e78
      Mike Christie authored
      
      
      If iscsi_login_init_conn fails it can free conn_ops.
      __iscsi_target_login_thread will then call iscsi_target_login_sess_out
      which will also free it.
      
      This fixes the problem by organizing conn allocation/setup into parts that
      are needed through the life of the conn and parts that are only needed for
      the login. The free functions then release what was allocated in the alloc
      functions.
      
      With this patch we have:
      
      iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the
      entire life of the conn.
      
      iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts
      of the conn that are only needed during login.
      Signed-off-by: Mike Christie <mchristi@redhat.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  12. 22 Aug, 2018 1 commit
  13. 31 Jul, 2018 1 commit
  14. 02 Jul, 2018 1 commit
  15. 26 Mar, 2018 1 commit
  16. 08 Nov, 2017 2 commits
    • iscsi-target: Fix non-immediate TMR reference leak · 3fc9fb13
      Nicholas Bellinger authored
      
      
      This patch fixes a se_cmd->cmd_kref reference leak that can
      occur when a non immediate TMR is proceeded out of command
      sequence number order, and CMDSN_LOWER_THAN_EXP is returned
      by iscsit_sequence_cmd().
      
      To address this bug, call target_put_sess_cmd() during this
      special case following what iscsit_process_scsi_cmd() does
      upon CMDSN_LOWER_THAN_EXP.
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref · ae072726
      Nicholas Bellinger authored
      Since commit 59b6986d fixed a potential NULL pointer dereference
      by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the
      se_tmr_req is currently leaked by iscsit_free_cmd() because no
      iscsi_cmd->se_cmd.se_tfo was associated.
      
      To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other
      TMR and call transport_init_se_cmd() + target_get_sess_cmd() to
      setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2.
      
      This will ensure normal release operation once se_cmd->cmd_kref
      reaches zero and target_release_cmd_kref() is invoked, se_tmr_req
      will be released via existing target_free_cmd_mem() and
      core_tmr_release_req() code.
      Reported-by: Donald White <dew@datera.io>
      Cc: Donald White <dew@datera.io>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  17. 04 Nov, 2017 3 commits
  18. 01 Nov, 2017 2 commits
  19. 06 Aug, 2017 1 commit
    • iscsi-target: Fix iscsi_np reset hung task during parallel delete · 978d13d6
      Nicholas Bellinger authored
      
      
      This patch fixes a bug associated with iscsit_reset_np_thread()
      that can occur during parallel configfs rmdir of a single iscsi_np
      used across multiple iscsi-target instances, that would result in
      hung task(s) similar to below where configfs rmdir process context
      was blocked indefinitely waiting for iscsi_np->np_restart_comp
      to finish:
      
      [ 6726.112076] INFO: task dcp_proxy_node_:15550 blocked for more than 120 seconds.
      [ 6726.119440]       Tainted: G        W  O     4.1.26-3321 #2
      [ 6726.125045] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [ 6726.132927] dcp_proxy_node_ D ffff8803f202bc88     0 15550      1 0x00000000
      [ 6726.140058]  ffff8803f202bc88 ffff88085c64d960 ffff88083b3b1ad0 ffff88087fffeb08
      [ 6726.147593]  ffff8803f202c000 7fffffffffffffff ffff88083f459c28 ffff88083b3b1ad0
      [ 6726.155132]  ffff88035373c100 ffff8803f202bca8 ffffffff8168ced2 ffff8803f202bcb8
      [ 6726.162667] Call Trace:
      [ 6726.165150]  [<ffffffff8168ced2>] schedule+0x32/0x80
      [ 6726.170156]  [<ffffffff8168f5b4>] schedule_timeout+0x214/0x290
      [ 6726.176030]  [<ffffffff810caef2>] ? __send_signal+0x52/0x4a0
      [ 6726.181728]  [<ffffffff8168d7d6>] wait_for_completion+0x96/0x100
      [ 6726.187774]  [<ffffffff810e7c80>] ? wake_up_state+0x10/0x10
      [ 6726.193395]  [<ffffffffa035d6e2>] iscsit_reset_np_thread+0x62/0xe0 [iscsi_target_mod]
      [ 6726.201278]  [<ffffffffa0355d86>] iscsit_tpg_disable_portal_group+0x96/0x190 [iscsi_target_mod]
      [ 6726.210033]  [<ffffffffa0363f7f>] lio_target_tpg_store_enable+0x4f/0xc0 [iscsi_target_mod]
      [ 6726.218351]  [<ffffffff81260c5a>] configfs_write_file+0xaa/0x110
      [ 6726.224392]  [<ffffffff811ea364>] vfs_write+0xa4/0x1b0
      [ 6726.229576]  [<ffffffff811eb111>] SyS_write+0x41/0xb0
      [ 6726.234659]  [<ffffffff8169042e>] system_call_fastpath+0x12/0x71
      
      It would happen because each iscsit_reset_np_thread() sets state
      to ISCSI_NP_THREAD_RESET, sends SIGINT, and then blocks waiting
      for completion on iscsi_np->np_restart_comp.
      
      However, if iscsi_np was active processing a login request and
      more than a single iscsit_reset_np_thread() caller to the same
      iscsi_np was blocked on iscsi_np->np_restart_comp, iscsi_np
      kthread process context in __iscsi_target_login_thread() would
      flush pending signals and only perform a single completion of
      np->np_restart_comp before going back to sleep within transport
      specific iscsit_transport->iscsi_accept_np code.
      
      To address this bug, add an iscsi_np->np_reset_count and update
      __iscsi_target_login_thread() to keep completing np->np_restart_comp
      until ->np_reset_count has reached zero.
      Reported-by: Gary Guo <ghg@datera.io>
      Tested-by: Gary Guo <ghg@datera.io>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  20. 30 Jul, 2017 2 commits
    • iscsi-target: fix invalid flags in text response · 310d40a9
      Varun Prakash authored
      
      
      In case of multiple text responses iscsi-target
      sets both 'F' and 'C' bit for the final text response
      pdu, this issue happens because hdr->flags is not
      zeroed out before ORing with 'F' bit.
      
      This patch removes the | operator to fix this issue.
      Signed-off-by: Varun Prakash <varun@chelsio.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • iscsi-target: fix memory leak in iscsit_setup_text_cmd() · ea8dc5b4
      Varun Prakash authored
      
      
      On receiving text request iscsi-target allocates buffer for
      payload in iscsit_handle_text_cmd() and assigns buffer pointer
      to cmd->text_in_ptr, this buffer is currently freed in
      iscsit_release_cmd(), if iscsi-target sets 'C' bit in text
      response then it will receive another text request from the
      initiator with ttt != 0xffffffff in this case iscsi-target
      will find cmd using itt and call iscsit_setup_text_cmd()
      which will set cmd->text_in_ptr to NULL without freeing
      previously allocated buffer.
      
      This patch fixes this issue by calling kfree(cmd->text_in_ptr)
      in iscsit_setup_text_cmd() before assigning NULL to it.
      
      For the first text request cmd->text_in_ptr is NULL as
      cmd is memset to 0 in iscsit_allocate_cmd().
      Signed-off-by: Varun Prakash <varun@chelsio.com>
      Cc: <stable@vger.kernel.org> # 4.0+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  21. 07 Jul, 2017 2 commits
  22. 09 Jun, 2017 2 commits
    • iscsi-target: Reject immediate data underflow larger than SCSI transfer length · abb85a9b
      Nicholas Bellinger authored
      When iscsi WRITE underflow occurs there are two different scenarios
      that can happen.
      
      Normally in practice, when an EDTL vs. SCSI CDB TRANSFER LENGTH
      underflow is detected, the iscsi immediate data payload is the
      smaller SCSI CDB TRANSFER LENGTH.
      
      That is, when a host fabric LLD is using a fixed size EDTL for
      a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual
      SCSI payload ends up being smaller than EDTL.  In iscsi, this
      means the received iscsi immediate data payload matches the
      smaller SCSI CDB TRANSFER LENGTH, because there is no more
      SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.
      
      However, it's possible for a malicious host to send a WRITE
      underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH,
      but incoming iscsi immediate data actually matches EDTL.
      
      In the wild, we've never had an iscsi host environment actually
      try to do this.
      
      For this special case, it's wrong to truncate part of the
      control CDB payload and continue to process the command during
      underflow when immediate data payload received was larger than
      SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the
      bogus payload as a defensive action.
      
      Note this potential bug was originally relaxed by the following
      for allowing WRITE underflow in MSFT FCP host environments:
      
         commit c72c5250
         Author: Roland Dreier <roland@purestorage.com>
         Date:   Wed Jul 22 15:08:18 2015 -0700

            target: allow underflow/overflow for PR OUT etc. commands
      
      Cc: Roland Dreier <roland@purestorage.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: <stable@vger.kernel.org> # v4.3+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP · 105fa2f4
      Nicholas Bellinger authored
      
      
      This patch fixes a BUG() in iscsit_close_session() that could be
      triggered when iscsit_logout_post_handler() execution from within
      tx thread context was not run for more than SECONDS_FOR_LOGOUT_COMP
      (15 seconds), and the TCP connection didn't already close before
      then forcing tx thread context to automatically exit.
      
      This would manifest itself during explicit logout as:
      
      [33206.974254] 1 connection(s) still exist for iSCSI session to iqn.1993-08.org.debian:01:3f5523242179
      [33206.980184] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 2100.772 msecs
      [33209.078643] ------------[ cut here ]------------
      [33209.078646] kernel BUG at drivers/target/iscsi/iscsi_target.c:4346!
      
      Normally when explicit logout attempt fails, the tx thread context
      exits and iscsit_close_connection() from rx thread context does the
      extra cleanup once it detects conn->conn_logout_remove has not been
      cleared by the logout type specific post handlers.
      
      To address this special case, if the logout post handler in tx thread
      context detects conn->tx_thread_active has already been cleared, simply
      return and exit in order for existing iscsit_close_connection()
      logic from rx thread context to do failed logout cleanup.
      Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
      Tested-by: Bart Van Assche <bart.vanassche@sandisk.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: stable@vger.kernel.org # 3.14+
      Tested-by: Gary Guo <ghg@datera.io>
      Tested-by: Chu Yuan Lin <cyl@datera.io>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  23. 31 May, 2017 1 commit
    • iscsi-target: Always wait for kthread_should_stop() before kthread exit · 5e0cf5e6
      Jiang Yi authored
      
      
      There are three timing problems in the kthread usages of iscsi_target_mod:
      
       - np_thread of struct iscsi_np
       - rx_thread and tx_thread of struct iscsi_conn
      
      In iscsit_close_connection(), it calls
      
       send_sig(SIGINT, conn->tx_thread, 1);
       kthread_stop(conn->tx_thread);
      
      In conn->tx_thread, which is iscsi_target_tx_thread(), when it receives
      SIGINT the kthread will exit without checking the return value of
      kthread_should_stop().

      So if iscsi_target_tx_thread() exits right between send_sig(SIGINT...)
      and kthread_stop(...), the kthread_stop() will try to stop an already
      stopped kthread.
      
      This is invalid according to the documentation of kthread_stop().
      
      (Fix -ECONNRESET logout handling in iscsi_target_tx_thread and
       early iscsi_target_rx_thread failure case - nab)
      Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  24. 05 May, 2017 1 commit
    • iscsi-target: Set session_fall_back_to_erl0 when forcing reinstatement · 197b806a
      Nicholas Bellinger authored
      While testing modification of per se_node_acl queue_depth forcing
      session reinstatement via lio_target_nacl_cmdsn_depth_store() ->
      core_tpg_set_initiator_node_queue_depth(), a hung task bug triggered
      when changing cmdsn_depth invoked session reinstatement while an iscsi
      login was already waiting for session reinstatement to complete.
      
      This can happen when an outstanding se_cmd descriptor is taking a
      long time to complete, and session reinstatement from iscsi login
      or cmdsn_depth change occurs concurrently.
      
      To address this bug, explicitly set session_fall_back_to_erl0 = 1
      when forcing session reinstatement, so session reinstatement is
      not attempted if an active session is already being shutdown.
      
      This patch has been tested with two scenarios.  The first when
      iscsi login is blocked waiting for iscsi session reinstatement
      to complete followed by queue_depth change via configfs, and
      second when queue_depth change via configfs is blocked followed
      by an iscsi login driven session reinstatement.
      
      Note this patch depends on commit d36ad77f to handle multiple
      sessions per se_node_acl when changing cmdsn_depth, and for
      pre v4.5 kernels will need to be included for stable as well.
      Reported-by: Gary Guo <ghg@datera.io>
      Tested-by: Gary Guo <ghg@datera.io>
      Cc: Gary Guo <ghg@datera.io>
      Cc: <stable@vger.kernel.org> # v4.1+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  25. 02 May, 2017 3 commits