From 1e589618660cb8a5d768b04c454d91ca64e45eab Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 1 Jun 2013 14:55:37 -0700
Subject: [PATCH] 3.4-stable patches
added patches:
ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
iscsi-target-fix-heap-buffer-overflow-on-error.patch
nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
---
 ..._set_waiting-during-shutdown_session.patch | 94 +++++++++++++++++++
 ...et-fix-heap-buffer-overflow-on-error.patch | 66 +++++++++++++
 ...fix-a-thinko-in-nfs4_try_open_cached.patch | 30 ++++++
 queue-3.4/series | 3 +
 4 files changed, 193 insertions(+)
 create mode 100644 queue-3.4/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
 create mode 100644 queue-3.4/iscsi-target-fix-heap-buffer-overflow-on-error.patch
 create mode 100644 queue-3.4/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
diff --git a/queue-3.4/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch b/queue-3.4/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
new file mode 100644
index 00000000000..16ff20ff388
--- /dev/null
+++ b/queue-3.4/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
@@ -0,0 +1,94 @@
+From 1d19f7800d643b270b28d0a969c5eca455d54397 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Wed, 15 May 2013 01:30:01 -0700
+Subject: ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session
+
+From: Nicholas Bellinger
+
+commit 1d19f7800d643b270b28d0a969c5eca455d54397 upstream.
+
+Given that srpt_release_channel_work() calls target_wait_for_sess_cmds()
+to allow outstanding se_cmd_t->cmd_kref a change to complete, the call
+to perform target_sess_cmd_list_set_waiting() needs to happen in
+srpt_shutdown_session()
+
+Also, this patch adds an explicit call to srpt_shutdown_session() within
+srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be
+called in the cases where TFO->shutdown_session() is not triggered
+directly by TCM.
+
+Signed-off-by: Nicholas Bellinger
+Cc: Joern Engel
+Cc: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 32 ++++++++++++++++++++++++--------
+ drivers/infiniband/ulp/srpt/ib_srpt.h | 1 +
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2272,6 +2272,27 @@ static void srpt_close_ch(struct srpt_rd
+ }
+
+ /**
++ * srpt_shutdown_session() - Whether or not a session may be shut down.
++ */
++static int srpt_shutdown_session(struct se_session *se_sess)
++{
++ struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ch->spinlock, flags);
++ if (ch->in_shutdown) {
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++ return true;
++ }
++
++ ch->in_shutdown = true;
++ target_sess_cmd_list_set_waiting(se_sess);
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++
++ return true;
++}
++
++/**
+ * srpt_drain_channel() - Drain a channel by resetting the IB queue pair.
+ * @cm_id: Pointer to the CM ID of the channel to be drained.
+ *
+@@ -2309,6 +2330,9 @@ static void srpt_drain_channel(struct ib
+ spin_unlock_irq(&sdev->spinlock);
+
+ if (do_reset) {
++ if (ch->sess)
++ srpt_shutdown_session(ch->sess);
++
+ ret = srpt_ch_qp_err(ch);
+ if (ret < 0)
+ printk(KERN_ERR "Setting queue pair in error state"
+@@ -3489,14 +3513,6 @@ static void srpt_release_cmd(struct se_c
+ }
+
+ /**
+- * srpt_shutdown_session() - Whether or not a session may be shut down.
+- */
+-static int srpt_shutdown_session(struct se_session *se_sess)
+-{
+- return true;
+-}
+-
+-/**
+ * srpt_close_session() - Forcibly close a session.
+ *
+ * Callback function invoked by the TCM core to clean up sessions associated
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -326,6 +326,7 @@ struct srpt_rdma_ch {
+ u8 sess_name[36];
+ struct work_struct release_work;
+ struct completion *release_done;
++ bool in_shutdown;
+ };
+
+ /**
diff --git a/queue-3.4/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/queue-3.4/iscsi-target-fix-heap-buffer-overflow-on-error.patch
new file mode 100644
index 00000000000..af3e8928906
--- /dev/null
+++ b/queue-3.4/iscsi-target-fix-heap-buffer-overflow-on-error.patch
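Review bot: The kernel-doc above the relocated srpt_shutdown_session() was moved unchanged and still reads "Whether or not a session may be shut down", but the new body sets `ch->in_shutdown` and calls target_sess_cmd_list_set_waiting() under `ch->spinlock`. The comment should say that the function marks the session's command list as waiting at most once per channel, and it should document `@se_sess`. The function is declared `int` but returns `true` on both paths, so the early-return branch can be folded into `if (!ch->in_shutdown) { ch->in_shutdown = true; target_sess_cmd_list_set_waiting(se_sess); }` followed by a single unlock and return. In srpt_drain_channel() the new `if (ch->sess)` test runs after `sdev->spinlock` has been dropped; whether `ch->sess` can change concurrently at that point is not visible in this hunk and is worth confirming.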
@@ -0,0 +1,66 @@
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 23 May 2013 10:32:17 -0700
+Subject: iscsi-target: fix heap buffer overflow on error
+
+From: Kees Cook
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_respo
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
+@@ -1571,8 +1571,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
diff --git a/queue-3.4/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch b/queue-3.4/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
new file mode 100644
index 00000000000..f44926d8a82
--- /dev/null
+++ b/queue-3.4/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
@@ -0,0 +1,30 @@
+From f448badd34700ae728a32ba024249626d49c10e1 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Wed, 29 May 2013 15:36:40 -0400
+Subject: NFSv4: Fix a thinko in nfs4_try_open_cached
+
+From: Trond Myklebust
+
+commit f448badd34700ae728a32ba024249626d49c10e1 upstream.
+
+We need to pass the full open mode flags to nfs_may_open() when doing
+a delegated open.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1053,7 +1053,7 @@ static struct nfs4_state *nfs4_try_open_
+ struct nfs4_state *state = opendata->state;
+ struct nfs_inode *nfsi = NFS_I(state->inode);
+ struct nfs_delegation *delegation;
+- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC);
++ int open_mode = opendata->o_arg.open_flags;
+ fmode_t fmode = opendata->o_arg.fmode;
+ nfs4_stateid stateid;
+ int ret = -EAGAIN;
diff --git a/queue-3.4/series b/queue-3.4/series
index 41d5ea5b55d..fb16ae9db4e 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
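Review bot: Both strlcpy() calls added in iscsi_add_notunderstood_response() discard the return value, so a key longer than `extra_response->key` is now truncated silently in the NotUnderstood response. The commit message describes this path as reachable before authentication, so a short comment such as `/* key may be over-long here; truncation is intentional */` would record the intent. Comparing the strlcpy() result against `sizeof(extra_response->key)` would also let the target emit a rate-limited log line for over-long keys, unless iscsi_check_key() already reports them (not visible here). In the header hunk, `value[32]` stays a bare constant beside `key[KEY_MAXLEN]`; a named constant would keep the two fields consistent. The enclosing function starts and ends outside the hunk.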
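Review bot: After the mask is dropped, `open_mode` in nfs4_try_open_cached() holds the complete open flags rather than only O_EXCL|O_TRUNC, and the hunk does not show its later uses. Any test further down the function that assumed only those two bits could be set would need to mask explicitly; this should be confirmed against the full body, which lies outside the hunk. A one-line comment on the declaration, e.g. `/* full open flags, as nfs_may_open() requires for a delegated open */`, would explain why the mask was removed.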
@@ -25,6 +25,9 @@ mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch
 drivers-block-brd.c-fix-brd_lookup_page-race.patch
 mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch
 mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch
+iscsi-target-fix-heap-buffer-overflow-on-error.patch
+ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
+nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
 xfs-kill-suid-sgid-through-the-truncate-path.patch
 drm-radeon-fix-card_posted-check-for-newer-asics.patch
 cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
--
2.47.3