1. 12 Sep, 2018 1 commit
    • Laura Abbott's avatar
      scsi: iscsi: target: Don't use stack buffer for scatterlist · 679fcae4
      Laura Abbott authored
      Fedora got a bug report of a crash with iSCSI:
      kernel BUG at include/linux/scatterlist.h:143!
      RIP: 0010:iscsit_do_crypto_hash_buf+0x154/0x180 [iscsi_target_mod]
       Call Trace:
        ? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
        iscsit_get_rx_pdu+0x4cd/0xa90 [iscsi_target_mod]
        ? native_sched_clock+0x3e/0xa0
        ? iscsi_target_tx_thread+0x200/0x200 [iscsi_target_mod]
        iscsi_target_rx_thread+0x81/0xf0 [iscsi_target_mod]
        ? kthread_create_worker_on_cpu+0x70/0x70
      This is a BUG_ON for using a stack buffer with a scatterlist.  There
      are two cases that trigger this bug. Switch to using a dynamically
      allocated buffer for one case and do not assign a NULL buffer in
      another case.
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Reviewed-by: default avatarMike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
  2. 30 Aug, 2018 1 commit
    • Mike Christie's avatar
      scsi: iscsi: target: Fix conn_ops double free · 05a86e78
      Mike Christie authored
      If iscsi_login_init_conn fails it can free conn_ops.
      __iscsi_target_login_thread will then call iscsi_target_login_sess_out
      which will also free it.
      This fixes the problem by organizing conn allocation/setup into parts that
      are needed through the life of the conn and parts that are only needed for
      the login. The free functions then release what was allocated in the alloc
      With this patch we have:
      iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the
      entire life of the conn.
      iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts
      of the conn that are only needed during login.
      Signed-off-by: default avatarMike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
  3. 22 Aug, 2018 1 commit
  4. 31 Jul, 2018 1 commit
  5. 02 Jul, 2018 1 commit
  6. 26 Mar, 2018 1 commit
  7. 08 Nov, 2017 2 commits
    • Nicholas Bellinger's avatar
      iscsi-target: Fix non-immediate TMR reference leak · 3fc9fb13
      Nicholas Bellinger authored
      This patch fixes a se_cmd->cmd_kref reference leak that can
      occur when a non immediate TMR is proceeded our of command
      sequence number order, and CMDSN_LOWER_THAN_EXP is returned
      by iscsit_sequence_cmd().
      To address this bug, call target_put_sess_cmd() during this
      special case following what iscsit_process_scsi_cmd() does
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    • Nicholas Bellinger's avatar
      iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref · ae072726
      Nicholas Bellinger authored
      Since commit 59b6986d fixed a potential NULL pointer dereference
      by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the
      se_tmr_req is currently leaked by iscsit_free_cmd() because no
      iscsi_cmd->se_cmd.se_tfo was associated.
      To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other
      TMR and call transport_init_se_cmd() + target_get_sess_cmd() to
      setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2.
      This will ensure normal release operation once se_cmd->cmd_kref
      reaches zero and target_release_cmd_kref() is invoked, se_tmr_req
      will be released via existing target_free_cmd_mem() and
      core_tmr_release_req() code.
      Reported-by: default avatarDonald White <dew@datera.io>
      Cc: Donald White <dew@datera.io>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  8. 04 Nov, 2017 3 commits
  9. 01 Nov, 2017 2 commits
  10. 06 Aug, 2017 1 commit
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iscsi_np reset hung task during parallel delete · 978d13d6
      Nicholas Bellinger authored
      This patch fixes a bug associated with iscsit_reset_np_thread()
      that can occur during parallel configfs rmdir of a single iscsi_np
      used across multiple iscsi-target instances, that would result in
      hung task(s) similar to below where configfs rmdir process context
      was blocked indefinately waiting for iscsi_np->np_restart_comp
      to finish:
      [ 6726.112076] INFO: task dcp_proxy_node_:15550 blocked for more than 120 seconds.
      [ 6726.119440]       Tainted: G        W  O     4.1.26-3321 #2
      [ 6726.125045] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [ 6726.132927] dcp_proxy_node_ D ffff8803f202bc88     0 15550      1 0x00000000
      [ 6726.140058]  ffff8803f202bc88 ffff88085c64d960 ffff88083b3b1ad0 ffff88087fffeb08
      [ 6726.147593]  ffff8803f202c000 7fffffffffffffff ffff88083f459c28 ffff88083b3b1ad0
      [ 6726.155132]  ffff88035373c100 ffff8803f202bca8 ffffffff8168ced2 ffff8803f202bcb8
      [ 6726.162667] Call Trace:
      [ 6726.165150]  [<ffffffff8168ced2>] schedule+0x32/0x80
      [ 6726.170156]  [<ffffffff8168f5b4>] schedule_timeout+0x214/0x290
      [ 6726.176030]  [<ffffffff810caef2>] ? __send_signal+0x52/0x4a0
      [ 6726.181728]  [<ffffffff8168d7d6>] wait_for_completion+0x96/0x100
      [ 6726.187774]  [<ffffffff810e7c80>] ? wake_up_state+0x10/0x10
      [ 6726.193395]  [<ffffffffa035d6e2>] iscsit_reset_np_thread+0x62/0xe0 [iscsi_target_mod]
      [ 6726.201278]  [<ffffffffa0355d86>] iscsit_tpg_disable_portal_group+0x96/0x190 [iscsi_target_mod]
      [ 6726.210033]  [<ffffffffa0363f7f>] lio_target_tpg_store_enable+0x4f/0xc0 [iscsi_target_mod]
      [ 6726.218351]  [<ffffffff81260c5a>] configfs_write_file+0xaa/0x110
      [ 6726.224392]  [<ffffffff811ea364>] vfs_write+0xa4/0x1b0
      [ 6726.229576]  [<ffffffff811eb111>] SyS_write+0x41/0xb0
      [ 6726.234659]  [<ffffffff8169042e>] system_call_fastpath+0x12/0x71
      It would happen because each iscsit_reset_np_thread() sets state
      to ISCSI_NP_THREAD_RESET, sends SIGINT, and then blocks waiting
      for completion on iscsi_np->np_restart_comp.
      However, if iscsi_np was active processing a login request and
      more than a single iscsit_reset_np_thread() caller to the same
      iscsi_np was blocked on iscsi_np->np_restart_comp, iscsi_np
      kthread process context in __iscsi_target_login_thread() would
      flush pending signals and only perform a single completion of
      np->np_restart_comp before going back to sleep within transport
      specific iscsit_transport->iscsi_accept_np code.
      To address this bug, add a iscsi_np->np_reset_count and update
      __iscsi_target_login_thread() to keep completing np->np_restart_comp
      until ->np_reset_count has reached zero.
      Reported-by: default avatarGary Guo <ghg@datera.io>
      Tested-by: default avatarGary Guo <ghg@datera.io>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  11. 30 Jul, 2017 2 commits
    • Varun Prakash's avatar
      iscsi-target: fix invalid flags in text response · 310d40a9
      Varun Prakash authored
      In case of multiple text responses iscsi-target
      sets both 'F' and 'C' bit for the final text response
      pdu, this issue happens because hdr->flags is not
      zeroed out before ORing with 'F' bit.
      This patch removes the | operator to fix this issue.
      Signed-off-by: default avatarVarun Prakash <varun@chelsio.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    • Varun Prakash's avatar
      iscsi-target: fix memory leak in iscsit_setup_text_cmd() · ea8dc5b4
      Varun Prakash authored
      On receiving text request iscsi-target allocates buffer for
      payload in iscsit_handle_text_cmd() and assigns buffer pointer
      to cmd->text_in_ptr, this buffer is currently freed in
      iscsit_release_cmd(), if iscsi-target sets 'C' bit in text
      response then it will receive another text request from the
      initiator with ttt != 0xffffffff in this case iscsi-target
      will find cmd using itt and call iscsit_setup_text_cmd()
      which will set cmd->text_in_ptr to NULL without freeing
      previously allocated buffer.
      This patch fixes this issue by calling kfree(cmd->text_in_ptr)
      in iscsit_setup_text_cmd() before assigning NULL to it.
      For the first text request cmd->text_in_ptr is NULL as
      cmd is memset to 0 in iscsit_allocate_cmd().
      Signed-off-by: default avatarVarun Prakash <varun@chelsio.com>
      Cc: <stable@vger.kernel.org> # 4.0+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  12. 07 Jul, 2017 2 commits
  13. 09 Jun, 2017 2 commits
    • Nicholas Bellinger's avatar
      iscsi-target: Reject immediate data underflow larger than SCSI transfer length · abb85a9b
      Nicholas Bellinger authored
      When iscsi WRITE underflow occurs there are two different scenarios
      that can happen.
      Normally in practice, when an EDTL vs. SCSI CDB TRANSFER LENGTH
      underflow is detected, the iscsi immediate data payload is the
      That is, when a host fabric LLD is using a fixed size EDTL for
      a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual
      SCSI payload ends up being smaller than EDTL.  In iscsi, this
      means the received iscsi immediate data payload matches the
      smaller SCSI CDB TRANSFER LENGTH, because there is no more
      SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.
      However, it's possible for a malicous host to send a WRITE
      underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH,
      but incoming iscsi immediate data actually matches EDTL.
      In the wild, we've never had a iscsi host environment actually
      try to do this.
      For this special case, it's wrong to truncate part of the
      control CDB payload and continue to process the command during
      underflow when immediate data payload received was larger than
      SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the
      bogus payload as a defensive action.
      Note this potential bug was originally relaxed by the following
      for allowing WRITE underflow in MSFT FCP host environments:
         commit c72c5250
         Author: Roland Dreier <roland@purestorage.com>
         Date:   Wed Jul 22 15:08:18 2015 -0700
            target: allow underflow/overflow for PR OUT etc. commands
      Cc: Roland Dreier <roland@purestorage.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: <stable@vger.kernel.org> # v4.3+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    • Nicholas Bellinger's avatar
      iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP · 105fa2f4
      Nicholas Bellinger authored
      This patch fixes a BUG() in iscsit_close_session() that could be
      triggered when iscsit_logout_post_handler() execution from within
      tx thread context was not run for more than SECONDS_FOR_LOGOUT_COMP
      (15 seconds), and the TCP connection didn't already close before
      then forcing tx thread context to automatically exit.
      This would manifest itself during explicit logout as:
      [33206.974254] 1 connection(s) still exist for iSCSI session to iqn.1993-08.org.debian:01:3f5523242179
      [33206.980184] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 2100.772 msecs
      [33209.078643] ------------[ cut here ]------------
      [33209.078646] kernel BUG at drivers/target/iscsi/iscsi_target.c:4346!
      Normally when explicit logout attempt fails, the tx thread context
      exits and iscsit_close_connection() from rx thread context does the
      extra cleanup once it detects conn->conn_logout_remove has not been
      cleared by the logout type specific post handlers.
      To address this special case, if the logout post handler in tx thread
      context detects conn->tx_thread_active has already been cleared, simply
      return and exit in order for existing iscsit_close_connection()
      logic from rx thread context do failed logout cleanup.
      Reported-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Tested-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: stable@vger.kernel.org # 3.14+
      Tested-by: default avatarGary Guo <ghg@datera.io>
      Tested-by: default avatarChu Yuan Lin <cyl@datera.io>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  14. 31 May, 2017 1 commit
    • Jiang Yi's avatar
      iscsi-target: Always wait for kthread_should_stop() before kthread exit · 5e0cf5e6
      Jiang Yi authored
      There are three timing problems in the kthread usages of iscsi_target_mod:
       - np_thread of struct iscsi_np
       - rx_thread and tx_thread of struct iscsi_conn
      In iscsit_close_connection(), it calls
       send_sig(SIGINT, conn->tx_thread, 1);
      In conn->tx_thread, which is iscsi_target_tx_thread(), when it receive
      SIGINT the kthread will exit without checking the return value of
      So if iscsi_target_tx_thread() exit right between send_sig(SIGINT...)
      and kthread_stop(...), the kthread_stop() will try to stop an already
      stopped kthread.
      This is invalid according to the documentation of kthread_stop().
      (Fix -ECONNRESET logout handling in iscsi_target_tx_thread and
       early iscsi_target_rx_thread failure case - nab)
      Signed-off-by: default avatarJiang Yi <jiangyilism@gmail.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  15. 05 May, 2017 1 commit
    • Nicholas Bellinger's avatar
      iscsi-target: Set session_fall_back_to_erl0 when forcing reinstatement · 197b806a
      Nicholas Bellinger authored
      While testing modification of per se_node_acl queue_depth forcing
      session reinstatement via lio_target_nacl_cmdsn_depth_store() ->
      core_tpg_set_initiator_node_queue_depth(), a hung task bug triggered
      when changing cmdsn_depth invoked session reinstatement while an iscsi
      login was already waiting for session reinstatement to complete.
      This can happen when an outstanding se_cmd descriptor is taking a
      long time to complete, and session reinstatement from iscsi login
      or cmdsn_depth change occurs concurrently.
      To address this bug, explicitly set session_fall_back_to_erl0 = 1
      when forcing session reinstatement, so session reinstatement is
      not attempted if an active session is already being shutdown.
      This patch has been tested with two scenarios.  The first when
      iscsi login is blocked waiting for iscsi session reinstatement
      to complete followed by queue_depth change via configfs, and
      second when queue_depth change via configfs us blocked followed
      by a iscsi login driven session reinstatement.
      Note this patch depends on commit d36ad77f to handle multiple
      sessions per se_node_acl when changing cmdsn_depth, and for
      pre v4.5 kernels will need to be included for stable as well.
      Reported-by: default avatarGary Guo <ghg@datera.io>
      Tested-by: default avatarGary Guo <ghg@datera.io>
      Cc: Gary Guo <ghg@datera.io>
      Cc: <stable@vger.kernel.org> # v4.1+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  16. 02 May, 2017 3 commits
  17. 31 Mar, 2017 1 commit
  18. 02 Mar, 2017 1 commit
  19. 19 Feb, 2017 1 commit
    • Varun Prakash's avatar
      target/iscsi: split iscsit_check_dataout_hdr() · 9a584bf9
      Varun Prakash authored
      Split iscsit_check_dataout_hdr() into two functions
      1. __iscsit_check_dataout_hdr() - This function
         validates data out hdr.
      2. iscsit_check_dataout_hdr() - This function finds
         iSCSI cmd using iscsit_find_cmd_from_itt_or_dump(),
         then it calls __iscsit_check_dataout_hdr() to
         validate iSCSI hdr.
      This split is required to support Chelsio T6 iSCSI
      DDP completion feature. T6 adapters reduce number of
      completions to host by generating single completion
      for all directly placed(DDP) iSCSI pdus in a sequence,
      DDP completion contains iSCSI hdr of the last pdu in a
      On receiving DDP completion cxgbit driver will first
      find iSCSI cmd using iscsit_find_cmd_from_itt_or_dump()
      then updates cmd->write_data_done, cmd->next_burst_len,
      cmd->data_sn and calls  __iscsit_check_dataout_hdr()
      to validate iSCSI hdr.
      (Move XRDSL check ahead of itt lookup / dump - nab)
      Signed-off-by: default avatarVarun Prakash <varun@chelsio.com>
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  20. 09 Feb, 2017 4 commits
  21. 09 Dec, 2016 1 commit
    • Bart Van Assche's avatar
      target: Minimize #include directives · 8dcf07be
      Bart Van Assche authored
      Remove superfluous #include directives from the include/target/*.h
      files. Add missing #include directives to other *.h and *.c files.
      Use forward declarations for structures where possible. This
      change reduces the build time for make M=drivers/target on my
      laptop from 27.1s to 18.7s or by about 30%.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
  22. 20 Oct, 2016 2 commits
  23. 20 Jul, 2016 1 commit
    • Nicholas Bellinger's avatar
      target: Fix race between iscsi-target connection shutdown + ABORT_TASK · 064cdd2d
      Nicholas Bellinger authored
      This patch fixes a race in iscsit_release_commands_from_conn() ->
      iscsit_free_cmd() -> transport_generic_free_cmd() + wait_for_tasks=1,
      where CMD_T_FABRIC_STOP could end up being set after the final
      kref_put() is called from core_tmr_abort_task() context.
      This results in transport_generic_free_cmd() blocking indefinately
      on se_cmd->cmd_wait_comp, because the target_release_cmd_kref()
      check for CMD_T_FABRIC_STOP returns false.
      To address this bug, make iscsit_release_commands_from_conn()
      do list_splice and set CMD_T_FABRIC_STOP early while holding
      iscsi_conn->cmd_lock.  Also make iscsit_aborted_task() only
      remove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been
      Finally in target_release_cmd_kref(), only honor fabric_stop
      if CMD_T_ABORTED has been set.
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: stable@vger.kernel.org # 3.14+
      Tested-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  24. 17 May, 2016 1 commit
    • Nicholas Bellinger's avatar
      iscsi-target: Convert transport drivers to signal rdma_shutdown · bd027d85
      Nicholas Bellinger authored
      Instead of special casing the handful of callers that check for
      iser-target rdma verbs specific shutdown, use a simple flag at
      iscsit_transport->rdma_shutdown so each driver can signal this.
      Also, update iscsi-target/tcp + cxgbit to rdma_shutdown = false.
      Cc: Varun Prakash <varun@chelsio.com>
      Cc: Hariprasad Shenai <hariprasad@chelsio.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
  25. 10 May, 2016 3 commits