--- /dev/null
+From 007d038bdf95ccfe2491d0078be54040d110fd06 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 23 Jul 2015 22:30:31 +0000
+Subject: iscsi-target: Fix iser explicit logout TX kthread leak
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 007d038bdf95ccfe2491d0078be54040d110fd06 upstream.
+
+This patch fixes a regression introduced with the following commit
+in v4.0-rc1 code, where an explicit iser-target logout would result
+in ->tx_thread_active being incorrectly cleared by the logout post
+handler, and subsequent TX kthread leak:
+
+ commit 88dcd2dab5c23b1c9cfc396246d8f476c872f0ca
+ Author: Nicholas Bellinger <nab@linux-iscsi.org>
+ Date: Thu Feb 26 22:19:15 2015 -0800
+
+ iscsi-target: Convert iscsi_thread_set usage to kthread.h
+
+To address this bug, change iscsit_logout_post_handler_closesession()
+and iscsit_logout_post_handler_samecid() to only cmpxchg() on
+->tx_thread_active for traditional iscsi/tcp connections.
+
+This is required because iscsi/tcp connections are invoking logout
+post handler logic directly from TX kthread context, while iser
+connections are invoking logout post handler logic from a seperate
+workqueue context.
+
+Cc: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4416,7 +4416,18 @@ static void iscsit_logout_post_handler_c
+ struct iscsi_conn *conn)
+ {
+ struct iscsi_session *sess = conn->sess;
+- int sleep = cmpxchg(&conn->tx_thread_active, true, false);
++ int sleep = 1;
++ /*
++ * Traditional iscsi/tcp will invoke this logic from TX thread
++ * context during session logout, so clear tx_thread_active and
++ * sleep if iscsit_close_connection() has not already occured.
++ *
++ * Since iser-target invokes this logic from it's own workqueue,
++ * always sleep waiting for RX/TX thread shutdown to complete
++ * within iscsit_close_connection().
++ */
++ if (conn->conn_transport->transport_type == ISCSI_TCP)
++ sleep = cmpxchg(&conn->tx_thread_active, true, false);
+
+ atomic_set(&conn->conn_logout_remove, 0);
+ complete(&conn->conn_logout_comp);
+@@ -4430,7 +4441,10 @@ static void iscsit_logout_post_handler_c
+ static void iscsit_logout_post_handler_samecid(
+ struct iscsi_conn *conn)
+ {
+- int sleep = cmpxchg(&conn->tx_thread_active, true, false);
++ int sleep = 1;
++
++ if (conn->conn_transport->transport_type == ISCSI_TCP)
++ sleep = cmpxchg(&conn->tx_thread_active, true, false);
+
+ atomic_set(&conn->conn_logout_remove, 0);
+ complete(&conn->conn_logout_comp);
--- /dev/null
+From 417c20a9bdd1e876384127cf096d8ae8b559066c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 22 Jul 2015 00:24:09 -0700
+Subject: iscsi-target: Fix use-after-free during TPG session shutdown
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 417c20a9bdd1e876384127cf096d8ae8b559066c upstream.
+
+This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
+where se_portal_group->session_lock was incorrectly released/re-acquired
+while walking the active se_portal_group->tpg_sess_list.
+
+The can result in a NULL pointer dereference when iscsit_close_session()
+shutdown happens in the normal path asynchronously to this code, causing
+a bogus dereference of an already freed list entry to occur.
+
+To address this bug, walk the session list checking for the same state
+as before, but move entries to a local list to avoid dropping the lock
+while walking the active list.
+
+As before, signal using iscsi_session->session_restatement=1 for those
+list entries to be released locally by iscsit_free_session() code.
+
+Reported-by: Sunilkumar Nadumuttlu <sjn@datera.io>
+Cc: Sunilkumar Nadumuttlu <sjn@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4649,6 +4649,7 @@ int iscsit_release_sessions_for_tpg(stru
+ struct iscsi_session *sess;
+ struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
+ struct se_session *se_sess, *se_sess_tmp;
++ LIST_HEAD(free_list);
+ int session_count = 0;
+
+ spin_lock_bh(&se_tpg->session_lock);
+@@ -4670,14 +4671,17 @@ int iscsit_release_sessions_for_tpg(stru
+ }
+ atomic_set(&sess->session_reinstatement, 1);
+ spin_unlock(&sess->conn_lock);
+- spin_unlock_bh(&se_tpg->session_lock);
+
+- iscsit_free_session(sess);
+- spin_lock_bh(&se_tpg->session_lock);
++ list_move_tail(&se_sess->sess_list, &free_list);
++ }
++ spin_unlock_bh(&se_tpg->session_lock);
+
++ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
++ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
++
++ iscsit_free_session(sess);
+ session_count++;
+ }
+- spin_unlock_bh(&se_tpg->session_lock);
+
+ pr_debug("Released %d iSCSI Session(s) from Target Portal"
+ " Group: %hu\n", session_count, tpg->tpgt);
--- /dev/null
+From 4fabb59449aa44a585b3603ffdadd4c5f4d0c033 Mon Sep 17 00:00:00 2001
+From: Wengang Wang <wen.gang.wang@oracle.com>
+Date: Mon, 6 Jul 2015 14:35:11 +0800
+Subject: rds: rds_ib_device.refcount overflow
+
+From: Wengang Wang <wen.gang.wang@oracle.com>
+
+commit 4fabb59449aa44a585b3603ffdadd4c5f4d0c033 upstream.
+
+Fixes: 3e0249f9c05c ("RDS/IB: add refcount tracking to struct rds_ib_device")
+
+There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
+failed(mr pool running out). this lead to the refcount overflow.
+
+A complain in line 117(see following) is seen. From vmcore:
+s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
+That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
+to return ERR_PTR(-EAGAIN).
+
+115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
+116 {
+117 BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
+118 if (atomic_dec_and_test(&rds_ibdev->refcount))
+119 queue_work(rds_wq, &rds_ibdev->free_work);
+120 }
+
+fix is to drop refcount when rds_ib_alloc_fmr failed.
+
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Reviewed-by: Haggai Eran <haggaie@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/ib_rdma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *
+ }
+
+ ibmr = rds_ib_alloc_fmr(rds_ibdev);
+- if (IS_ERR(ibmr))
++ if (IS_ERR(ibmr)) {
++ rds_ib_dev_put(rds_ibdev);
+ return ibmr;
++ }
+
+ ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
+ if (ret == 0)
xhci-calculate-old-endpoints-correctly-on-device-reset.patch
xhci-report-u3-when-link-is-in-resume-state.patch
xhci-prevent-bus_suspend-if-ss-port-resuming-in-phase-1.patch
+rds-rds_ib_device.refcount-overflow.patch
+vhost-actually-track-log-eventfd-file.patch
+iscsi-target-fix-use-after-free-during-tpg-session-shutdown.patch
+iscsi-target-fix-iser-explicit-logout-tx-kthread-leak.patch
--- /dev/null
+From 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+
+commit 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 upstream.
+
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -855,6 +855,7 @@ long vhost_dev_ioctl(struct vhost_dev *d
+ }
+ if (eventfp != d->log_file) {
+ filep = d->log_file;
++ d->log_file = eventfp;
+ ctx = d->log_ctx;
+ d->log_ctx = eventfp ?
+ eventfd_ctx_fileget(eventfp) : NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
