From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 4 Sep 2013 16:09:54 +0000 (-0700)
Subject: 3.11-stable patches
X-Git-Tag: v3.0.95~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=351df3e4ec7a9abad24fc7b6cf6e90875c227117;p=thirdparty%2Fkernel%2Fstable-queue.git

3.11-stable patches

added patches:
	iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
	iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
	iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
	target-fix-se_cmd-state_list-leak-regression-during-write-failure.patch
---

diff --git a/queue-3.11/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch b/queue-3.11/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
new file mode 100644
index 00000000000..f039a0dc382
--- /dev/null
+++ b/queue-3.11/iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
@@ -0,0 +1,70 @@
+From 9d86a2befceb06ee83c1a588915e6d6e0abef797 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 22 Aug 2013 00:05:45 -0700
+Subject: iscsi-target: Fix ImmediateData=Yes failure regression in >= v3.10
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 9d86a2befceb06ee83c1a588915e6d6e0abef797 upstream.
+
+This patch addresses a regression bug within ImmediateData=Yes failure
+handling that ends up triggering an OOPs within >= v3.10 iscsi-target
+code.
+
+The problem occurs when iscsit_process_scsi_cmd() does the call to
+target_put_sess_cmd(), and once again in iscsit_get_immediate_data()
+that is triggered during two different cases:
+
+ - When iscsit_sequence_cmd() returns CMDSN_LOWER_THAN_EXP, for which
+   the descriptor state will already have been set to ISTATE_REMOVE
+   by iscsit_sequence_cmd(), and
+ - When iscsi_cmd->sense_reason is set, for which iscsit_execute_cmd()
+   will have already called transport_send_check_condition_and_sense()
+   to queue the exception response.
+
+It changes iscsit_process_scsi_cmd() to drop the early call, and makes
+iscsit_get_immediate_data() call target_put_sess_cmd() from a single
+location after dumping the immediate data for the failed command.
+
+The regression was initially introduced in commit:
+
+commit 561bf15892375597ee59d473a704a3e634c4f311
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date:   Wed Jul 3 03:58:58 2013 -0700
+
+    iscsi-target: Fix iscsit_sequence_cmd reject handling for iser
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1086,7 +1086,6 @@ int iscsit_process_scsi_cmd(struct iscsi
+ 		if (cmd->reject_reason)
+ 			return 0;
+ 
+-		target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+ 		return 1;
+ 	}
+ 	/*
+@@ -1124,14 +1123,10 @@ after_immediate_data:
+ 		 */
+ 		cmdsn_ret = iscsit_sequence_cmd(cmd->conn, cmd,
+ 					(unsigned char *)hdr, hdr->cmdsn);
+-		if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
++		if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
+ 			return -1;
+-		} else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
+-			target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+-			return 0;
+-		}
+ 
+-		if (cmd->sense_reason) {
++		if (cmd->sense_reason || cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
+ 			int rc;
+ 
+ 			rc = iscsit_dump_data_payload(cmd->conn,
diff --git a/queue-3.11/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch b/queue-3.11/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
new file mode 100644
index 00000000000..08ecc620133
--- /dev/null
+++ b/queue-3.11/iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
@@ -0,0 +1,44 @@
+From c9a03c12464c851e691e8d5b6c9deba779c512e0 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 18 Aug 2013 15:07:44 -0700
+Subject: iscsi-target: Fix iscsit_transport reference leak during NP thread reset
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit c9a03c12464c851e691e8d5b6c9deba779c512e0 upstream.
+
+This patch fixes a bug in __iscsi_target_login_thread() where an explicit
+network portal thread reset ends up leaking the iscsit_transport module
+reference, along with the associated iscsi_conn allocation.
+
+This manifests itself with iser-target where a NP reset causes the extra
+iscsit_transport reference to be taken in iscsit_conn_set_transport()
+during the reset, which prevents the ib_isert module from being unloaded
+after the NP thread shutdown has finished.
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_login.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1163,12 +1163,11 @@ static int __iscsi_target_login_thread(s
+ 		if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+ 			spin_unlock_bh(&np->np_thread_lock);
+ 			complete(&np->np_restart_comp);
+-			if (ret == -ENODEV) {
+-				iscsit_put_transport(conn->conn_transport);
+-				kfree(conn);
+-				conn = NULL;
++			iscsit_put_transport(conn->conn_transport);
++			kfree(conn);
++			conn = NULL;
++			if (ret == -ENODEV)
+ 				goto out;
+-			}
+ 			/* Get another socket */
+ 			return 1;
+ 		}
diff --git a/queue-3.11/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch b/queue-3.11/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
new file mode 100644
index 00000000000..ee6d6888c01
--- /dev/null
+++ b/queue-3.11/iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
@@ -0,0 +1,56 @@
+From 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 23 Aug 2013 22:28:56 -0700
+Subject: iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 upstream.
+
+This patch addresses a potential NULL pointer dereference regression in
+iscsit_setup_nop_out() code, specifically for two cases when a solicited
+NOPOUT triggers a ISCSI_REASON_PROTOCOL_ERROR reject to be generated.
+
+This is because iscsi_cmd is expected to be NULL for solicited NOPOUT
+case before iscsit_process_nop_out() locates the descriptor via TTT
+using iscsit_find_cmd_from_ttt().
+
+This regression was originally introduced in:
+
+commit ba159914086f06532079fc15141f46ffe7e04a41
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date:   Wed Jul 3 03:48:24 2013 -0700
+
+    iscsi-target: Fix iscsit_add_reject* usage for iser
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1522,6 +1522,10 @@ int iscsit_setup_nop_out(struct iscsi_co
+ 	if (hdr->itt == RESERVED_ITT && !(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ 		pr_err("NOPOUT ITT is reserved, but Immediate Bit is"
+ 			" not set, protocol error.\n");
++		if (!cmd)
++			return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
++						 (unsigned char *)hdr);
++
+ 		return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
+ 					 (unsigned char *)hdr);
+ 	}
+@@ -1531,6 +1535,10 @@ int iscsit_setup_nop_out(struct iscsi_co
+ 			" greater than MaxXmitDataSegmentLength: %u, protocol"
+ 			" error.\n", payload_length,
+ 			conn->conn_ops->MaxXmitDataSegmentLength);
++		if (!cmd)
++			return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
++						 (unsigned char *)hdr);
++
+ 		return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
+ 					 (unsigned char *)hdr);
+ 	}
diff --git a/queue-3.11/series b/queue-3.11/series
index 9cec4cb9b4b..a0d054625f2 100644
--- a/queue-3.11/series
+++ b/queue-3.11/series
@@ -1 +1,5 @@
 target-fix-trailing-ascii-space-usage-in-inquiry-vendor-model.patch
+iscsi-target-fix-immediatedata-yes-failure-regression-in-v3.10.patch
+iscsi-target-fix-iscsit_transport-reference-leak-during-np-thread-reset.patch
+iscsi-target-fix-potential-null-pointer-in-solicited-nopout-reject.patch
+target-fix-se_cmd-state_list-leak-regression-during-write-failure.patch
diff --git a/queue-3.11/target-fix-se_cmd-state_list-leak-regression-during-write-failure.patch b/queue-3.11/target-fix-se_cmd-state_list-leak-regression-during-write-failure.patch
new file mode 100644
index 00000000000..553a034f97c
--- /dev/null
+++ b/queue-3.11/target-fix-se_cmd-state_list-leak-regression-during-write-failure.patch
@@ -0,0 +1,60 @@
+From c130480b129fbfd7932ad7af3f4ffcea630b027f Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 31 Aug 2013 15:12:01 -0700
+Subject: target: Fix se_cmd->state_list leak regression during WRITE failure
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit c130480b129fbfd7932ad7af3f4ffcea630b027f upstream.
+
+This patch addresses a v3.11 specific regression where se_cmd->state_list
+was being leaked during a fabric WRITE failure, when the fabric releases
+an associated se_cmd descriptor before I/O submission occurs, and normal
+fast path callbacks have a chance to call target_remove_from_state_list().
+
+It was manifesting with Poison overwritten messages with iscsi-target
+once an ImmediateData payload CRC32C failure occured.
+
+This bug was originally introduced during v3.11-rc1 with the following
+commit:
+
+commit 0b66818ac6de67a6125ae203272fb76e79b3a20f
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date:   Thu Jun 6 01:36:41 2013 -0700
+
+    target: Drop unnecessary CMD_T_DEV_ACTIVE check from transport_lun_remove_cmd
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2134,6 +2134,7 @@ static void transport_write_pending_qf(s
+ 
+ int transport_generic_free_cmd(struct se_cmd *cmd, int wait_for_tasks)
+ {
++	unsigned long flags;
+ 	int ret = 0;
+ 
+ 	if (!(cmd->se_cmd_flags & SCF_SE_LUN_CMD)) {
+@@ -2144,6 +2145,16 @@ int transport_generic_free_cmd(struct se
+ 	} else {
+ 		if (wait_for_tasks)
+ 			transport_wait_for_tasks(cmd);
++		/*
++		 * Handle WRITE failure case where transport_generic_new_cmd()
++		 * has already added se_cmd to state_list, but fabric has
++		 * failed command before I/O submission.
++		 */
++		if (cmd->state_active) {
++			spin_lock_irqsave(&cmd->t_state_lock, flags);
++			target_remove_from_state_list(cmd);
++			spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++		}
+ 
+ 		if (cmd->se_lun)
+ 			transport_lun_remove_cmd(cmd);