From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 2 Jul 2014 20:45:00 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.4.97~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43093b4197ef7f45d1a81bb7aefb01d58dea15ec;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch
	iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch
	iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch
	target-fix-left-over-se_lun-lun_sep-pointer-oops.patch
---

diff --git a/queue-3.14/iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch b/queue-3.14/iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch
new file mode 100644
index 00000000000..831f8a381ca
--- /dev/null
+++ b/queue-3.14/iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch
@@ -0,0 +1,38 @@
+From 97c99b47ac58bacb7c09e1f47d5d184434f6b06a Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 20 Jun 2014 10:59:57 -0700
+Subject: iscsi-target: Avoid rejecting incorrect ITT for Data-Out
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 97c99b47ac58bacb7c09e1f47d5d184434f6b06a upstream.
+
+This patch changes iscsit_check_dataout_hdr() to dump the incoming
+Data-Out payload when the received ITT is not associated with a
+WRITE, instead of calling iscsit_reject_cmd() for the non WRITE
+ITT descriptor.
+
+This addresses a bug where an initiator sending an Data-Out for
+an ITT associated with a READ would end up generating a reject
+for the READ, eventually resulting in list corruption.
+
+Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>
+Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1290,7 +1290,7 @@ iscsit_check_dataout_hdr(struct iscsi_co
+ 	if (cmd->data_direction != DMA_TO_DEVICE) {
+ 		pr_err("Command ITT: 0x%08x received DataOUT for a"
+ 			" NON-WRITE command.\n", cmd->init_task_tag);
+-		return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR, buf);
++		return iscsit_dump_data_payload(conn, payload_length, 1);
+ 	}
+ 	se_cmd = &cmd->se_cmd;
+ 	iscsit_mod_dataout_timer(cmd);
diff --git a/queue-3.14/iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch b/queue-3.14/iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch
new file mode 100644
index 00000000000..bdfdf7f84bf
--- /dev/null
+++ b/queue-3.14/iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch
@@ -0,0 +1,37 @@
+From 683497566d48f86e04d026de1ee658dd74fc1077 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 17 Jun 2014 21:54:38 +0000
+Subject: iscsi-target: Explicily clear login response PDU in exception path
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 683497566d48f86e04d026de1ee658dd74fc1077 upstream.
+
+This patch adds a explicit memset to the login response PDU
+exception path in iscsit_tx_login_rsp().
+
+This addresses a regression bug introduced in commit baa4d64b
+where the initiator would end up not receiving the login
+response and associated status class + detail, before closing
+the login connection.
+
+Reported-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
+Tested-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_util.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -1295,6 +1295,8 @@ int iscsit_tx_login_rsp(struct iscsi_con
+ 	login->login_failed = 1;
+ 	iscsit_collect_login_stats(conn, status_class, status_detail);
+ 
++	memset(&login->rsp[0], 0, ISCSI_HDR_LEN);
++
+ 	hdr	= (struct iscsi_login_rsp *)&login->rsp[0];
+ 	hdr->opcode		= ISCSI_OP_LOGIN_RSP;
+ 	hdr->status_class	= status_class;
diff --git a/queue-3.14/iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch b/queue-3.14/iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch
new file mode 100644
index 00000000000..438eb4a9ce3
--- /dev/null
+++ b/queue-3.14/iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch
@@ -0,0 +1,85 @@
+From 81a9c5e72bdf7109a65102ca61d8cbd722cf4021 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 23 Jun 2014 13:42:37 -0400
+Subject: iscsi-target: fix iscsit_del_np deadlock on unload
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 81a9c5e72bdf7109a65102ca61d8cbd722cf4021 upstream.
+
+On uniprocessor preemptible kernel, target core deadlocks on unload. The
+following events happen:
+* iscsit_del_np is called
+* it calls send_sig(SIGINT, np->np_thread, 1);
+* the scheduler switches to the np_thread
+* the np_thread is woken up, it sees that kthread_should_stop() returns
+  false, so it doesn't terminate
+* the np_thread clears signals with flush_signals(current); and goes back
+  to sleep in iscsit_accept_np
+* the scheduler switches back to iscsit_del_np
+* iscsit_del_np calls kthread_stop(np->np_thread);
+* the np_thread is waiting in iscsit_accept_np and it doesn't respond to
+  kthread_stop
+
+The deadlock could be resolved if the administrator sends SIGINT signal to
+the np_thread with killall -INT iscsi_np
+
+The reproducible deadlock was introduced in commit
+db6077fd0b7dd41dc6ff18329cec979379071f87, but the thread-stopping code was
+racy even before.
+
+This patch fixes the problem. Using kthread_should_stop to stop the
+np_thread is unreliable, so we test np_thread_state instead. If
+np_thread_state equals ISCSI_NP_THREAD_SHUTDOWN, the thread exits.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_login.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1196,7 +1196,7 @@ old_sess_out:
+ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ {
+ 	u8 *buffer, zero_tsih = 0;
+-	int ret = 0, rc, stop;
++	int ret = 0, rc;
+ 	struct iscsi_conn *conn = NULL;
+ 	struct iscsi_login *login;
+ 	struct iscsi_portal_group *tpg = NULL;
+@@ -1210,6 +1210,9 @@ static int __iscsi_target_login_thread(s
+ 	if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+ 		np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ 		complete(&np->np_restart_comp);
++	} else if (np->np_thread_state == ISCSI_NP_THREAD_SHUTDOWN) {
++		spin_unlock_bh(&np->np_thread_lock);
++		goto exit;
+ 	} else {
+ 		np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+ 	}
+@@ -1402,10 +1405,8 @@ old_sess_out:
+ 	}
+ 
+ out:
+-	stop = kthread_should_stop();
+-	/* Wait for another socket.. */
+-	if (!stop)
+-		return 1;
++	return 1;
++
+ exit:
+ 	iscsi_stop_login_thread_timer(np);
+ 	spin_lock_bh(&np->np_thread_lock);
+@@ -1422,7 +1423,7 @@ int iscsi_target_login_thread(void *arg)
+ 
+ 	allow_signal(SIGINT);
+ 
+-	while (!kthread_should_stop()) {
++	while (1) {
+ 		ret = __iscsi_target_login_thread(np);
+ 		/*
+ 		 * We break and exit here unless another sock_accept() call
diff --git a/queue-3.14/target-fix-left-over-se_lun-lun_sep-pointer-oops.patch b/queue-3.14/target-fix-left-over-se_lun-lun_sep-pointer-oops.patch
new file mode 100644
index 00000000000..7a26835d1bd
--- /dev/null
+++ b/queue-3.14/target-fix-left-over-se_lun-lun_sep-pointer-oops.patch
@@ -0,0 +1,36 @@
+From 83ff42fcce070801a3aa1cd6a3269d7426271a8d Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 16 Jun 2014 20:25:54 +0000
+Subject: target: Fix left-over se_lun->lun_sep pointer OOPs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 83ff42fcce070801a3aa1cd6a3269d7426271a8d upstream.
+
+This patch fixes a left-over se_lun->lun_sep pointer OOPs when one
+of the /sys/kernel/config/target/$FABRIC/$WWPN/$TPGT/lun/$LUN/alua*
+attributes is accessed after the $DEVICE symlink has been removed.
+
+To address this bug, go ahead and clear se_lun->lun_sep memory in
+core_dev_unexport(), so that the existing checks for show/store
+ALUA attributes in target_core_fabric_configfs.c work as expected.
+
+Reported-by: Sebastian Herbszt <herbszt@gmx.de>
+Tested-by: Sebastian Herbszt <herbszt@gmx.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -616,6 +616,7 @@ void core_dev_unexport(
+ 	dev->export_count--;
+ 	spin_unlock(&hba->device_lock);
+ 
++	lun->lun_sep = NULL;
+ 	lun->lun_se_dev = NULL;
+ }
+