--- /dev/null
+From 1d19f7800d643b270b28d0a969c5eca455d54397 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 15 May 2013 01:30:01 -0700
+Subject: ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1d19f7800d643b270b28d0a969c5eca455d54397 upstream.
+
+Given that srpt_release_channel_work() calls target_wait_for_sess_cmds()
+to allow outstanding se_cmd_t->cmd_kref a change to complete, the call
+to perform target_sess_cmd_list_set_waiting() needs to happen in
+srpt_shutdown_session()
+
+Also, this patch adds an explicit call to srpt_shutdown_session() within
+srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be
+called in the cases where TFO->shutdown_session() is not triggered
+directly by TCM.
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Cc: Joern Engel <joern@logfs.org>
+Cc: Roland Dreier <roland@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 32 ++++++++++++++++++++++++--------
+ drivers/infiniband/ulp/srpt/ib_srpt.h | 1 +
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2272,6 +2272,27 @@ static void srpt_close_ch(struct srpt_rd
+ }
+
+ /**
++ * srpt_shutdown_session() - Whether or not a session may be shut down.
++ */
++static int srpt_shutdown_session(struct se_session *se_sess)
++{
++ struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ch->spinlock, flags);
++ if (ch->in_shutdown) {
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++ return true;
++ }
++
++ ch->in_shutdown = true;
++ target_sess_cmd_list_set_waiting(se_sess);
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++
++ return true;
++}
++
++/**
+ * srpt_drain_channel() - Drain a channel by resetting the IB queue pair.
+ * @cm_id: Pointer to the CM ID of the channel to be drained.
+ *
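Review bot: The kernel-doc line carried over for srpt_shutdown_session() still reads "Whether or not a session may be shut down", but the new body has side effects: it sets `ch->in_shutdown` and calls target_sess_cmd_list_set_waiting() while holding `ch->spinlock`. The summary should say so, for example `srpt_shutdown_session() - Mark the channel as shutting down and put its commands into the waiting state (runs once per channel).` Both paths also return `true` from a function declared `int`, so the early-return branch adds nothing and the body could be a single guarded block: `if (!ch->in_shutdown) { ch->in_shutdown = true; target_sess_cmd_list_set_waiting(se_sess); }`. `se_sess->fabric_sess_ptr` is dereferenced without a NULL check; whether every caller guarantees it is set cannot be seen from this hunk.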
+@@ -2309,6 +2330,9 @@ static void srpt_drain_channel(struct ib
+ spin_unlock_irq(&sdev->spinlock);
+
+ if (do_reset) {
++ if (ch->sess)
++ srpt_shutdown_session(ch->sess);
++
+ ret = srpt_ch_qp_err(ch);
+ if (ret < 0)
+ printk(KERN_ERR "Setting queue pair in error state"
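Review bot: `ch->sess` is tested and passed to srpt_shutdown_session() after `sdev->spinlock` was dropped on the line above, and the hunk does not show what keeps the session alive at that point. If the release work can free the session concurrently, this read would race with it; if the channel state set earlier in srpt_drain_channel() rules that out, a one-line comment such as `/* ch->sess stays valid until srpt_release_channel_work() runs */` would make the assumption checkable. The rest of srpt_drain_channel() lies outside the hunk, so this is a question to confirm rather than a confirmed defect.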
+@@ -3489,14 +3513,6 @@ static void srpt_release_cmd(struct se_c
+ }
+
+ /**
+- * srpt_shutdown_session() - Whether or not a session may be shut down.
+- */
+-static int srpt_shutdown_session(struct se_session *se_sess)
+-{
+- return true;
+-}
+-
+-/**
+ * srpt_close_session() - Forcibly close a session.
+ *
+ * Callback function invoked by the TCM core to clean up sessions associated
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -326,6 +326,7 @@ struct srpt_rdma_ch {
+ u8 sess_name[36];
+ struct work_struct release_work;
+ struct completion *release_done;
++ bool in_shutdown;
+ };
+
+ /**
--- /dev/null
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 23 May 2013 10:32:17 -0700
+Subject: iscsi-target: fix heap buffer overflow on error
+
+From: Kees Cook <keescook@chromium.org>
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_respo
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
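Review bot: The two strlcpy() calls now bound the copy by the destination size, but their return value is dropped, so an over-long key is silently truncated into the NotUnderstood response. The commit message says this path handles a key received before authentication, so a short comment at the copy would record that the truncation is deliberate and that the bound must stay `sizeof(extra_response->key)`, e.g. `/* key is peer-supplied and may exceed the buffer; strlcpy truncates and NUL-terminates */`. strlcpy() also runs strlen() over the whole source, so the copy still relies on `key` being NUL-terminated by the caller, which is not visible here. The function begins and ends outside the hunk.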
+@@ -1571,8 +1571,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
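Review bot: `key` is now sized by KEY_MAXLEN while `value[32]` keeps a bare literal, and nothing in the struct says which length check each buffer has to agree with. The commit message names iscsi_check_key() as the place where over-long keys are detected, so a comment on the member such as `/* must cover the key length limit checked in iscsi_check_key() */` would keep the two from drifting apart. If that check accepts a key of exactly KEY_MAXLEN characters, the buffer has no room for the terminator and the echoed key loses its last character. That is harmless with strlcpy(), but worth confirming against the check, which is not shown on this page.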
--- /dev/null
+From f448badd34700ae728a32ba024249626d49c10e1 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed, 29 May 2013 15:36:40 -0400
+Subject: NFSv4: Fix a thinko in nfs4_try_open_cached
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit f448badd34700ae728a32ba024249626d49c10e1 upstream.
+
+We need to pass the full open mode flags to nfs_may_open() when doing
+a delegated open.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1053,7 +1053,7 @@ static struct nfs4_state *nfs4_try_open_
+ struct nfs4_state *state = opendata->state;
+ struct nfs_inode *nfsi = NFS_I(state->inode);
+ struct nfs_delegation *delegation;
+- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC);
++ int open_mode = opendata->o_arg.open_flags;
+ fmode_t fmode = opendata->o_arg.fmode;
+ nfs4_stateid stateid;
+ int ret = -EAGAIN;
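Review bot: `open_mode` now carries the complete `open_flags` value instead of only the O_EXCL|O_TRUNC bits, but the declaration has no comment explaining why, and the name still suggests a reduced mode. The commit message gives the reason (nfs_may_open() needs the full flags for a delegated open), and since that is a permission check the intent belongs next to the code: `/* keep all open flags: nfs_may_open() checks access against them */`. The rest of nfs4_try_open_cached() is outside the hunk, so any other use of `open_mode` that assumed only O_EXCL and O_TRUNC could be set should be re-read against the wider value.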
drivers-block-brd.c-fix-brd_lookup_page-race.patch
mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch
mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch
+iscsi-target-fix-heap-buffer-overflow-on-error.patch
+ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
+nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
xfs-kill-suid-sgid-through-the-truncate-path.patch
drm-radeon-fix-card_posted-check-for-newer-asics.patch
cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch