linux/drivers/target, branch v4.0

iscsi target: fix oops when adding reject pdu

2015-04-10T19:33:55Z

This fixes a oops due to a double list add when adding a reject PDU for iscsit_allocate_iovecs allocation failures. The cmd has already been added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call iscsit_reject_cmd. Note that for ERL0 the reject PDU is not actually sent, so this patch is not completely tested. Just verified we do not oops. The problem is the add reject functions return -1 which is returned all the way up to iscsi_target_rx_thread which for ERL0 will drop the connection. Signed-off-by: Mike Christie Cc: # v3.10+ Signed-off-by: Nicholas Bellinger

iscsi-target: TargetAddress in SendTargets should bracket ipv6 addresses

2015-04-08T00:41:54Z

"The domainname can be specified as either a DNS host name, a dotted-decimal IPv4 address, or a bracketed IPv6 address as specified in [RFC2732]." See https://bugzilla.redhat.com/show_bug.cgi?id=1206868 Reported-by: Kyle Brantley Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger

target: Allow userspace to write 1 to attrib/emulate_fua_write

2015-04-02T04:42:51Z

Before 4.0, reading attrib/emulate_fua_write has returned 1. Saved configs created on a pre-4.0 kernel will try to write that back when restoring LIO configuration. This should succeed with no effect, and issue a warning. See https://bugzilla.redhat.com/show_bug.cgi?id=1206184 Reported-by: Yanko Kaneti Reported-by: Juan Quintela Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger

target: do not reject FUA CDBs when write cache is enabled but emulate_write_cache is 0

2015-03-20T06:26:46Z

A check that rejects a CDB with FUA bit set if no write cache is emulated was added by the following commit: fde9f50 target: Add sanity checks for DPO/FUA bit usage The condition is as follows: if (!dev->dev_attrib.emulate_fua_write || !dev->dev_attrib.emulate_write_cache) However, this check is wrong if the backend device supports WCE but "emulate_write_cache" is disabled. This patch uses se_dev_check_wce() (previously named spc_check_dev_wce) to invoke transport->get_write_cache() if the device has a write cache or check the "emulate_write_cache" attribute otherwise. Reported-by: Christoph Hellwig Signed-off-by: Christophe Vu-Brugier Signed-off-by: Nicholas Bellinger

target: Fix virtual LUN=0 target_configure_device failure OOPs

2015-03-20T06:26:44Z

This patch fixes a NULL pointer dereference triggered by a late target_configure_device() -> alloc_workqueue() failure that results in target_free_device() being called with DF_CONFIGURED already set, which subsequently OOPses in destroy_workqueue() code. Currently this only happens at modprobe target_core_mod time when core_dev_setup_virtual_lun0() -> target_configure_device() fails, and the explicit target_free_device() gets called. To address this bug originally introduced by commit 0fd97ccf45, go ahead and move DF_CONFIGURED to end of target_configure_device() code to handle this special failure case. Reported-by: Claudio Fleiner Cc: Claudio Fleiner Cc: Christoph Hellwig Cc: # v3.7+ Signed-off-by: Nicholas Bellinger

target/pscsi: Fix NULL pointer dereference in get_device_type

2015-03-20T06:26:42Z

This patch fixes a NULL pointer dereference OOPs with pSCSI backends within target_core_stat.c code. The bug is caused by a configfs attr read if no pscsi_dev_virt->pdv_sd has been configured. Reported-by: Olaf Hering Cc: Signed-off-by: Nicholas Bellinger

tcm_fc: missing curly braces in ft_invl_hw_context()

2015-03-20T06:26:41Z

This patch adds a missing set of conditional check braces in ft_invl_hw_context() originally introduced by commit dcd998ccd when handling DDP failures in ft_recv_write_data() code. commit dcd998ccdbf74a7d8fe0f0a44e85da1ed5975946 Author: Kiran Patil Date: Wed Aug 3 09:20:01 2011 +0000 tcm_fc: Handle DDP/SW fc_frame_payload_get failures in ft_recv_write_data Signed-off-by: Dan Carpenter Cc: Kiran Patil Cc: # 3.1+ Signed-off-by: Nicholas Bellinger

target: Fix reference leak in target_get_sess_cmd() error path

2015-03-20T06:26:31Z

This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down is true within target_get_sess_cmd() submission path code. This se_cmd reference leak can occur during active session shutdown when ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers. Signed-off-by: Bart Van Assche Cc: # 3.6+ Signed-off-by: Nicholas Bellinger

loop/usb/vhost-scsi/xen-scsiback: Fix use of __transport_register_session

2015-03-20T06:15:14Z

This patch changes loopback, usb-gadget, vhost-scsi and xen-scsiback fabric code to invoke transport_register_session() instead of the unprotected flavour, to ensure se_tpg->session_lock is taken when adding new session list nodes to se_tpg->tpg_sess_list. Note that since these four fabric drivers already hold their own internal TPG mutexes when accessing se_tpg->tpg_sess_list, and consist of a single se_session created through configfs attribute access, no list corruption can currently occur. So for correctness sake, go ahead and use the se_tpg->session_lock protected version for these four fabric drivers. Signed-off-by: Bart Van Assche Signed-off-by: Nicholas Bellinger

iscsi-target: Avoid early conn_logout_comp for iser connections

2015-03-20T06:10:01Z

This patch fixes a iser specific logout bug where early complete() of conn->conn_logout_comp in iscsit_close_connection() was causing isert_wait4logout() to complete too soon, triggering a use after free NULL pointer dereference of iscsi_conn memory. The complete() was originally added for traditional iscsi-target when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given iser-target does not wait in logout failure, this special case needs to be avoided. Reported-by: Sagi Grimberg Cc: Sagi Grimberg Cc: Slava Shwartsman Cc: # v3.10+ Signed-off-by: Nicholas Bellinger