--- /dev/null
+From 97c99b47ac58bacb7c09e1f47d5d184434f6b06a Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 20 Jun 2014 10:59:57 -0700
+Subject: iscsi-target: Avoid rejecting incorrect ITT for Data-Out
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 97c99b47ac58bacb7c09e1f47d5d184434f6b06a upstream.
+
+This patch changes iscsit_check_dataout_hdr() to dump the incoming
+Data-Out payload when the received ITT is not associated with a
+WRITE, instead of calling iscsit_reject_cmd() for the non WRITE
+ITT descriptor.
+
+This addresses a bug where an initiator sending an Data-Out for
+an ITT associated with a READ would end up generating a reject
+for the READ, eventually resulting in list corruption.
+
+Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>
+Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1309,7 +1309,7 @@ iscsit_check_dataout_hdr(struct iscsi_co
+ if (cmd->data_direction != DMA_TO_DEVICE) {
+ pr_err("Command ITT: 0x%08x received DataOUT for a"
+ " NON-WRITE command.\n", cmd->init_task_tag);
+- return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, buf);
++ return iscsit_dump_data_payload(conn, payload_length, 1);
+ }
+ se_cmd = &cmd->se_cmd;
+ iscsit_mod_dataout_timer(cmd);
--- /dev/null
+From 683497566d48f86e04d026de1ee658dd74fc1077 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 17 Jun 2014 21:54:38 +0000
+Subject: iscsi-target: Explicily clear login response PDU in exception path
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 683497566d48f86e04d026de1ee658dd74fc1077 upstream.
+
+This patch adds a explicit memset to the login response PDU
+exception path in iscsit_tx_login_rsp().
+
+This addresses a regression bug introduced in commit baa4d64b
+where the initiator would end up not receiving the login
+response and associated status class + detail, before closing
+the login connection.
+
+Reported-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
+Tested-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -1295,6 +1295,8 @@ int iscsit_tx_login_rsp(struct iscsi_con
+ login->login_failed = 1;
+ iscsit_collect_login_stats(conn, status_class, status_detail);
+
++ memset(&login->rsp[0], 0, ISCSI_HDR_LEN);
++
+ hdr = (struct iscsi_login_rsp *)&login->rsp[0];
+ hdr->opcode = ISCSI_OP_LOGIN_RSP;
+ hdr->status_class = status_class;
--- /dev/null
+From 81a9c5e72bdf7109a65102ca61d8cbd722cf4021 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 23 Jun 2014 13:42:37 -0400
+Subject: iscsi-target: fix iscsit_del_np deadlock on unload
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 81a9c5e72bdf7109a65102ca61d8cbd722cf4021 upstream.
+
+On uniprocessor preemptible kernel, target core deadlocks on unload. The
+following events happen:
+* iscsit_del_np is called
+* it calls send_sig(SIGINT, np->np_thread, 1);
+* the scheduler switches to the np_thread
+* the np_thread is woken up, it sees that kthread_should_stop() returns
+ false, so it doesn't terminate
+* the np_thread clears signals with flush_signals(current); and goes back
+ to sleep in iscsit_accept_np
+* the scheduler switches back to iscsit_del_np
+* iscsit_del_np calls kthread_stop(np->np_thread);
+* the np_thread is waiting in iscsit_accept_np and it doesn't respond to
+ kthread_stop
+
+The deadlock could be resolved if the administrator sends SIGINT signal to
+the np_thread with killall -INT iscsi_np
+
+The reproducible deadlock was introduced in commit
+db6077fd0b7dd41dc6ff18329cec979379071f87, but the thread-stopping code was
+racy even before.
+
+This patch fixes the problem. Using kthread_should_stop to stop the
+np_thread is unreliable, so we test np_thread_state instead. If
+np_thread_state equals ISCSI_NP_THREAD_SHUTDOWN, the thread exits.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_login.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1216,7 +1216,7 @@ old_sess_out:
+ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ {
+ u8 *buffer, zero_tsih = 0;
+- int ret = 0, rc, stop;
++ int ret = 0, rc;
+ struct iscsi_conn *conn = NULL;
+ struct iscsi_login *login;
+ struct iscsi_portal_group *tpg = NULL;
+@@ -1230,6 +1230,9 @@ static int __iscsi_target_login_thread(s
+ if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+ np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ complete(&np->np_restart_comp);
++ } else if (np->np_thread_state == ISCSI_NP_THREAD_SHUTDOWN) {
++ spin_unlock_bh(&np->np_thread_lock);
++ goto exit;
+ } else {
+ np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ }
+@@ -1422,10 +1425,8 @@ old_sess_out:
+ }
+
+ out:
+- stop = kthread_should_stop();
+- /* Wait for another socket.. */
+- if (!stop)
+- return 1;
++ return 1;
++
+ exit:
+ iscsi_stop_login_thread_timer(np);
+ spin_lock_bh(&np->np_thread_lock);
+@@ -1442,7 +1443,7 @@ int iscsi_target_login_thread(void *arg)
+
+ allow_signal(SIGINT);
+
+- while (!kthread_should_stop()) {
++ while (1) {
+ ret = __iscsi_target_login_thread(np);
+ /*
+ * We break and exit here unless another sock_accept() call
--- /dev/null
+From 83ff42fcce070801a3aa1cd6a3269d7426271a8d Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 16 Jun 2014 20:25:54 +0000
+Subject: target: Fix left-over se_lun->lun_sep pointer OOPs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 83ff42fcce070801a3aa1cd6a3269d7426271a8d upstream.
+
+This patch fixes a left-over se_lun->lun_sep pointer OOPs when one
+of the /sys/kernel/config/target/$FABRIC/$WWPN/$TPGT/lun/$LUN/alua*
+attributes is accessed after the $DEVICE symlink has been removed.
+
+To address this bug, go ahead and clear se_lun->lun_sep memory in
+core_dev_unexport(), so that the existing checks for show/store
+ALUA attributes in target_core_fabric_configfs.c work as expected.
+
+Reported-by: Sebastian Herbszt <herbszt@gmx.de>
+Tested-by: Sebastian Herbszt <herbszt@gmx.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -616,6 +616,7 @@ void core_dev_unexport(
+ dev->export_count--;
+ spin_unlock(&hba->device_lock);
+
++ lun->lun_sep = NULL;
+ lun->lun_se_dev = NULL;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
