3.10-stable patches

added patches:
	iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
	iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
	iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch

diff --git a/queue-3.10/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch b/queue-3.10/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
new file mode 100644 (file)
index 0000000..f039a0d
--- /dev/null
+++ b/queue-3.10/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
@@ -0,0 +1,70 @@
+From 9d86a2befceb06ee83c1a588915e6d6e0abef797 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 22 Aug 2013 00:05:45 -0700
+Subject: iscsi-target: Fix ImmediateData=Yes failure regression in >= v3.10
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 9d86a2befceb06ee83c1a588915e6d6e0abef797 upstream.
+
+This patch addresses a regression bug within ImmediateData=Yes failure
+handling that ends up triggering an OOPs within >= v3.10 iscsi-target
+code.
+
+The problem occurs when iscsit_process_scsi_cmd() does the call to
+target_put_sess_cmd(), and once again in iscsit_get_immediate_data()
+that is triggered during two different cases:
+
+ - When iscsit_sequence_cmd() returns CMDSN_LOWER_THAN_EXP, for which
+   the descriptor state will already have been set to ISTATE_REMOVE
+   by iscsit_sequence_cmd(), and
+ - When iscsi_cmd->sense_reason is set, for which iscsit_execute_cmd()
+   will have already called transport_send_check_condition_and_sense()
+   to queue the exception response.
+
+It changes iscsit_process_scsi_cmd() to drop the early call, and makes
+iscsit_get_immediate_data() call target_put_sess_cmd() from a single
+location after dumping the immediate data for the failed command.
+
+The regression was initially introduced in commit:
+
+commit 561bf15892375597ee59d473a704a3e634c4f311
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date:   Wed Jul 3 03:58:58 2013 -0700
+
+    iscsi-target: Fix iscsit_sequence_cmd reject handling for iser
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1086,7 +1086,6 @@ int iscsit_process_scsi_cmd(struct iscsi
+               if (cmd->reject_reason)
+                       return 0;
+ 
+-              target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+               return 1;
+       }
+       /*
+@@ -1124,14 +1123,10 @@ after_immediate_data:
+                */
+               cmdsn_ret = iscsit_sequence_cmd(cmd->conn, cmd,
+                                       (unsigned char *)hdr, hdr->cmdsn);
+-              if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
++              if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
+                       return -1;
+-              } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
+-                      target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+-                      return 0;
+-              }
+ 
+-              if (cmd->sense_reason) {
++              if (cmd->sense_reason || cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
+                       int rc;
+ 
+                       rc = iscsit_dump_data_payload(cmd->conn,

diff --git a/queue-3.10/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch b/queue-3.10/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
new file mode 100644 (file)
index 0000000..08ecc62
--- /dev/null
+++ b/queue-3.10/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
@@ -0,0 +1,44 @@
+From c9a03c12464c851e691e8d5b6c9deba779c512e0 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 18 Aug 2013 15:07:44 -0700
+Subject: iscsi-target: Fix iscsit_transport reference leak during NP thread reset
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit c9a03c12464c851e691e8d5b6c9deba779c512e0 upstream.
+
+This patch fixes a bug in __iscsi_target_login_thread() where an explicit
+network portal thread reset ends up leaking the iscsit_transport module
+reference, along with the associated iscsi_conn allocation.
+
+This manifests itself with iser-target where a NP reset causes the extra
+iscsit_transport reference to be taken in iscsit_conn_set_transport()
+during the reset, which prevents the ib_isert module from being unloaded
+after the NP thread shutdown has finished.
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_login.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1163,12 +1163,11 @@ static int __iscsi_target_login_thread(s
+               if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+                       spin_unlock_bh(&np->np_thread_lock);
+                       complete(&np->np_restart_comp);
+-                      if (ret == -ENODEV) {
+-                              iscsit_put_transport(conn->conn_transport);
+-                              kfree(conn);
+-                              conn = NULL;
++                      iscsit_put_transport(conn->conn_transport);
++                      kfree(conn);
++                      conn = NULL;
++                      if (ret == -ENODEV)
+                               goto out;
+-                      }
+                       /* Get another socket */
+                       return 1;
+               }

diff --git a/queue-3.10/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch b/queue-3.10/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
new file mode 100644 (file)
index 0000000..3291b3d
--- /dev/null
+++ b/queue-3.10/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
@@ -0,0 +1,56 @@
+From 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 23 Aug 2013 22:28:56 -0700
+Subject: iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 upstream.
+
+This patch addresses a potential NULL pointer dereference regression in
+iscsit_setup_nop_out() code, specifically for two cases when a solicited
+NOPOUT triggers a ISCSI_REASON_PROTOCOL_ERROR reject to be generated.
+
+This is because iscsi_cmd is expected to be NULL for solicited NOPOUT
+case before iscsit_process_nop_out() locates the descriptor via TTT
+using iscsit_find_cmd_from_ttt().
+
+This regression was originally introduced in:
+
+commit ba159914086f06532079fc15141f46ffe7e04a41
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date:   Wed Jul 3 03:48:24 2013 -0700
+
+    iscsi-target: Fix iscsit_add_reject* usage for iser
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1536,6 +1536,10 @@ int iscsit_handle_nop_out(struct iscsi_c
+       if (hdr->itt == RESERVED_ITT && !(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+               pr_err("NOPOUT ITT is reserved, but Immediate Bit is"
+                       " not set, protocol error.\n");
++              if (!cmd)
++                      return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
++                                               (unsigned char *)hdr);
++
+               return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
+                                        (unsigned char *)hdr);
+       }
+@@ -1545,6 +1549,10 @@ int iscsit_handle_nop_out(struct iscsi_c
+                       " greater than MaxXmitDataSegmentLength: %u, protocol"
+                       " error.\n", payload_length,
+                       conn->conn_ops->MaxXmitDataSegmentLength);
++              if (!cmd)
++                      return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
++                                               (unsigned char *)hdr);
++
+               return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
+                                        (unsigned char *)hdr);
+       }

diff --git a/queue-3.10/series b/queue-3.10/series
index a3d71ac4abddcbdc7655b3a28b8c492a901af963..35cbb0de1f4a44775ae2d1da26aac8f66c02c55a 100644 (file)
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -23,3 +23,6 @@ mac80211-add-missing-channel-context-release.patch
 mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch
 iwl4965-fix-rfkill-set-state-regression.patch
 target-fix-trailing-ascii-space-usage-in-inquiry-vendor-model.patch
+iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
+iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
+iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch