From: Greg Kroah-Hartman Date: Thu, 12 Jun 2014 22:40:42 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.4.94~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c8005758985f43f6219ede426024911506c470e2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: iscsi-target-fix-wrong-buffer-buffer-overrun-in-iscsi_change_param_value.patch iser-target-fix-multi-network-portal-shutdown-regression.patch target-allow-read_capacity-opcode-in-alua-standby-access-state.patch target-fix-alua_access_state-attribute-oops-for-un-configured-devices.patch target-iscsi-iser-avoid-accepting-transport-connections-during-stop-stage.patch --- diff --git a/queue-3.10/iscsi-target-fix-wrong-buffer-buffer-overrun-in-iscsi_change_param_value.patch b/queue-3.10/iscsi-target-fix-wrong-buffer-buffer-overrun-in-iscsi_change_param_value.patch new file mode 100644 index 00000000000..e53591ea024 --- /dev/null +++ b/queue-3.10/iscsi-target-fix-wrong-buffer-buffer-overrun-in-iscsi_change_param_value.patch @@ -0,0 +1,131 @@ +From 79d59d08082dd0a0a18f8ceb78c99f9f321d72aa Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Thu, 29 May 2014 13:32:30 -0700 +Subject: iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value() + +From: Roland Dreier + +commit 79d59d08082dd0a0a18f8ceb78c99f9f321d72aa upstream. + +In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls +iscsi_change_param_value() with the buffer it uses to hold the login +PDU, not a temporary buffer. This leads to the login header getting +corrupted and login failing for non-leading connections in MC/S. + +Fix this by adding a wrapper iscsi_change_param_sprintf() that handles +the temporary buffer itself to avoid confusion. Also handle sending a +reject in case of failure in the wrapper, which lets the calling code +get quite a bit smaller and easier to read. + +Finally, bump the size of the temporary buffer from 32 to 64 bytes to be +safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a +trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't +the default but we don't need to run right at the ragged edge here) + +(Fix up context changes for v3.10.y - nab) + +Reported-by: Santosh Kulkarni +Signed-off-by: Roland Dreier +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_login.c | 50 ++++++++++++++++-------------- + 1 file changed, 27 insertions(+), 23 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -250,6 +250,28 @@ static void iscsi_login_set_conn_values( + mutex_unlock(&auth_id_lock); + } + ++static __printf(2, 3) int iscsi_change_param_sprintf( ++ struct iscsi_conn *conn, ++ const char *fmt, ...) ++{ ++ va_list args; ++ unsigned char buf[64]; ++ ++ memset(buf, 0, sizeof buf); ++ ++ va_start(args, fmt); ++ vsnprintf(buf, sizeof buf, fmt, args); ++ va_end(args); ++ ++ if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) { ++ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, ++ ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* + * This is the leading connection of a new session, + * or session reinstatement. +@@ -339,7 +361,6 @@ static int iscsi_login_zero_tsih_s2( + { + struct iscsi_node_attrib *na; + struct iscsi_session *sess = conn->sess; +- unsigned char buf[32]; + bool iser = false; + + sess->tpg = conn->tpg; +@@ -380,26 +401,16 @@ static int iscsi_login_zero_tsih_s2( + * + * In our case, we have already located the struct iscsi_tiqn at this point. + */ +- memset(buf, 0, 32); +- sprintf(buf, "TargetPortalGroupTag=%hu", ISCSI_TPG_S(sess)->tpgt); +- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) { +- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, +- ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ if (iscsi_change_param_sprintf(conn, "TargetPortalGroupTag=%hu", sess->tpg->tpgt)) + return -1; +- } + + /* + * Workaround for Initiators that have broken connection recovery logic. + * + * "We would really like to get rid of this." Linux-iSCSI.org team + */ +- memset(buf, 0, 32); +- sprintf(buf, "ErrorRecoveryLevel=%d", na->default_erl); +- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) { +- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, +- ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ if (iscsi_change_param_sprintf(conn, "ErrorRecoveryLevel=%d", na->default_erl)) + return -1; +- } + + if (iscsi_login_disable_FIM_keys(conn->param_list, conn) < 0) + return -1; +@@ -411,12 +422,9 @@ static int iscsi_login_zero_tsih_s2( + unsigned long mrdsl, off; + int rc; + +- sprintf(buf, "RDMAExtensions=Yes"); +- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) { +- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, +- ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ if (iscsi_change_param_sprintf(conn, "RDMAExtensions=Yes")) + return -1; +- } ++ + /* + * Make MaxRecvDataSegmentLength PAGE_SIZE aligned for + * Immediate Data + Unsolicitied Data-OUT if necessary.. +@@ -446,12 +454,8 @@ static int iscsi_login_zero_tsih_s2( + pr_warn("Aligning ISER MaxRecvDataSegmentLength: %lu down" + " to PAGE_SIZE\n", mrdsl); + +- sprintf(buf, "MaxRecvDataSegmentLength=%lu\n", mrdsl); +- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) { +- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, +- ISCSI_LOGIN_STATUS_NO_RESOURCES); ++ if (iscsi_change_param_sprintf(conn, "MaxRecvDataSegmentLength=%lu\n", mrdsl)) + return -1; +- } + } + + return 0; diff --git a/queue-3.10/iser-target-fix-multi-network-portal-shutdown-regression.patch b/queue-3.10/iser-target-fix-multi-network-portal-shutdown-regression.patch new file mode 100644 index 00000000000..26f2955f7f1 --- /dev/null +++ b/queue-3.10/iser-target-fix-multi-network-portal-shutdown-regression.patch @@ -0,0 +1,88 @@ +From 2363d196686e44c0158929e7cf96c8589a24a81b Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 3 Jun 2014 18:27:52 -0700 +Subject: iser-target: Fix multi network portal shutdown regression + +From: Nicholas Bellinger + +commit 2363d196686e44c0158929e7cf96c8589a24a81b upstream. + +This patch fixes a iser-target specific regression introduced in +v3.15-rc6 with: + +commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a +Author: Sagi Grimberg +Date: Tue Apr 29 13:13:47 2014 +0300 + + Target/iscsi,iser: Avoid accepting transport connections during stop stage + +where the change to set iscsi_np->enabled = false within +iscsit_clear_tpg_np_login_thread() meant that a iscsi_np with +two iscsi_tpg_np exports would have it's parent iscsi_np set +to a disabled state, even if other iscsi_tpg_np exports still +existed. + +This patch changes iscsit_clear_tpg_np_login_thread() to only +set iscsi_np->enabled = false when shutdown = true, and also +changes iscsit_del_np() to set iscsi_np->enabled = true when +iscsi_np->np_exports is non zero. + +(Fix up context changes for v3.10.y - nab) + +Cc: Sagi Grimberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target.c | 1 + + drivers/target/iscsi/iscsi_target_tpg.c | 10 ++++++---- + 2 files changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -460,6 +460,7 @@ int iscsit_del_np(struct iscsi_np *np) + spin_lock_bh(&np->np_thread_lock); + np->np_exports--; + if (np->np_exports) { ++ np->enabled = true; + spin_unlock_bh(&np->np_thread_lock); + return 0; + } +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -175,14 +175,16 @@ void iscsit_put_tpg(struct iscsi_portal_ + + static void iscsit_clear_tpg_np_login_thread( + struct iscsi_tpg_np *tpg_np, +- struct iscsi_portal_group *tpg) ++ struct iscsi_portal_group *tpg, ++ bool shutdown) + { + if (!tpg_np->tpg_np) { + pr_err("struct iscsi_tpg_np->tpg_np is NULL!\n"); + return; + } + +- tpg_np->tpg_np->enabled = false; ++ if (shutdown) ++ tpg_np->tpg_np->enabled = false; + iscsit_reset_np_thread(tpg_np->tpg_np, tpg_np, tpg); + } + +@@ -198,7 +200,7 @@ void iscsit_clear_tpg_np_login_threads( + continue; + } + spin_unlock(&tpg->tpg_np_lock); +- iscsit_clear_tpg_np_login_thread(tpg_np, tpg); ++ iscsit_clear_tpg_np_login_thread(tpg_np, tpg, false); + spin_lock(&tpg->tpg_np_lock); + } + spin_unlock(&tpg->tpg_np_lock); +@@ -521,7 +523,7 @@ static int iscsit_tpg_release_np( + struct iscsi_portal_group *tpg, + struct iscsi_np *np) + { +- iscsit_clear_tpg_np_login_thread(tpg_np, tpg); ++ iscsit_clear_tpg_np_login_thread(tpg_np, tpg, true); + + pr_debug("CORE[%s] - Removed Network Portal: %s:%hu,%hu on %s\n", + tpg->tpg_tiqn->tiqn, np->np_ip, np->np_port, tpg->tpgt, diff --git a/queue-3.10/series b/queue-3.10/series index cd64d895e83..fedb067e7eb 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -3,3 +3,8 @@ mlx4_en-don-t-use-napi_synchronize-inside-mlx4_en_netpoll.patch arm-mvebu-fix-nor-bus-width-in-armada-xp-gp-device-tree.patch arm-mvebu-fix-nor-bus-width-in-armada-xp-openblocks-ax3-device-tree.patch netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch +target-iscsi-iser-avoid-accepting-transport-connections-during-stop-stage.patch +iser-target-fix-multi-network-portal-shutdown-regression.patch +iscsi-target-fix-wrong-buffer-buffer-overrun-in-iscsi_change_param_value.patch +target-allow-read_capacity-opcode-in-alua-standby-access-state.patch +target-fix-alua_access_state-attribute-oops-for-un-configured-devices.patch diff --git a/queue-3.10/target-allow-read_capacity-opcode-in-alua-standby-access-state.patch b/queue-3.10/target-allow-read_capacity-opcode-in-alua-standby-access-state.patch new file mode 100644 index 00000000000..9f1d5c4e470 --- /dev/null +++ b/queue-3.10/target-allow-read_capacity-opcode-in-alua-standby-access-state.patch @@ -0,0 +1,52 @@ +From e7810c2d2c37fa8e58dda74b00790dab60fe6fba Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 5 Jun 2014 23:37:00 -0700 +Subject: target: Allow READ_CAPACITY opcode in ALUA Standby access state + +From: Nicholas Bellinger + +commit e7810c2d2c37fa8e58dda74b00790dab60fe6fba upstream. + +This patch allows READ_CAPACITY + SAI_READ_CAPACITY_16 opcode +processing to occur while the associated ALUA group is in Standby +access state. + +This is required to avoid host side LUN probe failures during the +initial scan if an ALUA group has already implicitly changed into +Standby access state. + +This addresses a bug reported by Chris + Philip using dm-multipath ++ ESX hosts configured with ALUA multipath. + +(Drop v3.15 specific set_ascq usage - nab) + +Reported-by: Chris Boot +Reported-by: Philip Gaw +Cc: Chris Boot +Cc: Philip Gaw +Cc: Hannes Reinecke +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_alua.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -409,7 +409,16 @@ static inline int core_alua_state_standb + case REPORT_LUNS: + case RECEIVE_DIAGNOSTIC: + case SEND_DIAGNOSTIC: ++ case READ_CAPACITY: + return 0; ++ case SERVICE_ACTION_IN: ++ switch (cdb[1] & 0x1f) { ++ case SAI_READ_CAPACITY_16: ++ return 0; ++ default: ++ *alua_ascq = ASCQ_04H_ALUA_TG_PT_STANDBY; ++ return 1; ++ } + case MAINTENANCE_IN: + switch (cdb[1] & 0x1f) { + case MI_REPORT_TARGET_PGS: diff --git a/queue-3.10/target-fix-alua_access_state-attribute-oops-for-un-configured-devices.patch b/queue-3.10/target-fix-alua_access_state-attribute-oops-for-un-configured-devices.patch new file mode 100644 index 00000000000..0e00944e27e --- /dev/null +++ b/queue-3.10/target-fix-alua_access_state-attribute-oops-for-un-configured-devices.patch @@ -0,0 +1,44 @@ +From f1453773514bb8b0bba0716301e8c8f17f8d39c7 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 6 Jun 2014 00:52:57 -0700 +Subject: target: Fix alua_access_state attribute OOPs for un-configured devices + +From: Nicholas Bellinger + +commit f1453773514bb8b0bba0716301e8c8f17f8d39c7 upstream. + +This patch fixes a OOPs where an attempt to write to the per-device +alua_access_state configfs attribute at: + + /sys/kernel/config/target/core/$HBA/$DEV/alua/$TG_PT_GP/alua_access_state + +results in an NULL pointer dereference when the backend device has not +yet been configured. + +This patch adds an explicit check for DF_CONFIGURED, and fails with +-ENODEV to avoid this case. + +Reported-by: Chris Boot +Reported-by: Philip Gaw +Cc: Chris Boot +Cc: Philip Gaw +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_configfs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -2034,6 +2034,11 @@ static ssize_t target_core_alua_tg_pt_gp + " tg_pt_gp ID: %hu\n", tg_pt_gp->tg_pt_gp_valid_id); + return -EINVAL; + } ++ if (!(dev->dev_flags & DF_CONFIGURED)) { ++ pr_err("Unable to set alua_access_state while device is" ++ " not configured\n"); ++ return -ENODEV; ++ } + + ret = strict_strtoul(page, 0, &tmp); + if (ret < 0) { diff --git a/queue-3.10/target-iscsi-iser-avoid-accepting-transport-connections-during-stop-stage.patch b/queue-3.10/target-iscsi-iser-avoid-accepting-transport-connections-during-stop-stage.patch new file mode 100644 index 00000000000..259b67e28d7 --- /dev/null +++ b/queue-3.10/target-iscsi-iser-avoid-accepting-transport-connections-during-stop-stage.patch @@ -0,0 +1,78 @@ +From 14f4b54fe38f3a8f8392a50b951c8aa43b63687a Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Tue, 29 Apr 2014 13:13:47 +0300 +Subject: Target/iscsi,iser: Avoid accepting transport connections during stop stage + +From: Sagi Grimberg + +commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a upstream. + +When the target is in stop stage, iSER transport initiates RDMA disconnects. +The iSER initiator may wish to establish a new connection over the +still existing network portal. In this case iSER transport should not +accept and resume new RDMA connections. In order to learn that, iscsi_np +is added with enabled flag so the iSER transport can check when deciding +weather to accept and resume a new connection request. + +The iscsi_np is enabled after successful transport setup, and disabled +before iscsi_np login threads are cleaned up. + +(Fix up context changes for v3.10.y - nab) + +Signed-off-by: Sagi Grimberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/isert/ib_isert.c | 8 ++++++++ + drivers/target/iscsi/iscsi_target_core.h | 1 + + drivers/target/iscsi/iscsi_target_login.c | 1 + + drivers/target/iscsi/iscsi_target_tpg.c | 1 + + 4 files changed, 11 insertions(+) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -382,6 +382,14 @@ isert_connect_request(struct rdma_cm_id + struct ib_device *ib_dev = cma_id->device; + int ret = 0; + ++ spin_lock_bh(&np->np_thread_lock); ++ if (!np->enabled) { ++ spin_unlock_bh(&np->np_thread_lock); ++ pr_debug("iscsi_np is not enabled, reject connect request\n"); ++ return rdma_reject(cma_id, NULL, 0); ++ } ++ spin_unlock_bh(&np->np_thread_lock); ++ + pr_debug("Entering isert_connect_request cma_id: %p, context: %p\n", + cma_id, cma_id->context); + +--- a/drivers/target/iscsi/iscsi_target_core.h ++++ b/drivers/target/iscsi/iscsi_target_core.h +@@ -760,6 +760,7 @@ struct iscsi_np { + int np_ip_proto; + int np_sock_type; + enum np_thread_state_table np_thread_state; ++ bool enabled; + enum iscsi_timer_flags_table np_login_timer_flags; + u32 np_exports; + enum np_flags_table np_flags; +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -984,6 +984,7 @@ int iscsi_target_setup_login_socket( + } + + np->np_transport = t; ++ np->enabled = true; + return 0; + } + +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -182,6 +182,7 @@ static void iscsit_clear_tpg_np_login_th + return; + } + ++ tpg_np->tpg_np->enabled = false; + iscsit_reset_np_thread(tpg_np->tpg_np, tpg_np, tpg); + } +