From c2f88b17a1d97ca4ecd96cc22333a7a4f1407d39 Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Wed, 2 Jul 2014 16:19:24 +0300 Subject: [PATCH 1/9] Target/iser: Get isert_conn reference once got to connected_handler In case the connection didn't reach connected state, disconnected handler will never be invoked thus the second kref_put on isert_conn will be missing. Signed-off-by: Sagi Grimberg Cc: # v3.10+ Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index d4c7928a0f36..e318731ffe98 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -586,7 +586,6 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) init_completion(&isert_conn->conn_wait); init_completion(&isert_conn->conn_wait_comp_err); kref_init(&isert_conn->conn_kref); - kref_get(&isert_conn->conn_kref); mutex_init(&isert_conn->conn_mutex); spin_lock_init(&isert_conn->conn_lock); INIT_LIST_HEAD(&isert_conn->conn_fr_pool); @@ -746,7 +745,9 @@ isert_connect_release(struct isert_conn *isert_conn) static void isert_connected_handler(struct rdma_cm_id *cma_id) { - return; + struct isert_conn *isert_conn = cma_id->context; + + kref_get(&isert_conn->conn_kref); } static void From 0fc4ea701fcf5bc51ace4e288af5be741465f776 Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Wed, 2 Jul 2014 16:19:25 +0300 Subject: [PATCH 2/9] Target/iser: Don't put isert_conn inside disconnected handler disconnected_handler is invoked on several CM events (such as DISCONNECTED, DEVICE_REMOVAL, TIMEWAIT_EXIT...). Since multiple events can occur while before isert_free_conn is invoked, we might put all isert_conn references and free the connection too early. Signed-off-by: Sagi Grimberg Cc: # v3.10+ Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index e318731ffe98..9959cd1faad9 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -799,7 +799,6 @@ isert_disconnect_work(struct work_struct *work) wake_up: complete(&isert_conn->conn_wait); - isert_put_conn(isert_conn); } static void @@ -3235,6 +3234,7 @@ static void isert_wait_conn(struct iscsi_conn *conn) wait_for_completion(&isert_conn->conn_wait_comp_err); wait_for_completion(&isert_conn->conn_wait); + isert_put_conn(isert_conn); } static void isert_free_conn(struct iscsi_conn *conn) From 38a8316b5d80ddee071d493bae567185c07de359 Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Wed, 2 Jul 2014 16:19:26 +0300 Subject: [PATCH 3/9] Target/iser: Avoid calling rdma_disconnect twice rdma_disconnect may be called in 2 code flows: - isert_wait_conn: disconnect initiated be the target - disconnected_handler: disconnect invoked by the initiator In case isert_conn->disconnect is true then rdma_disconnect was called in disconnected handler, no need to call it again from isert_wait_conn. Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 9959cd1faad9..9e21747acce6 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -3215,7 +3215,7 @@ static void isert_wait_conn(struct iscsi_conn *conn) pr_debug("isert_wait_conn: Starting \n"); mutex_lock(&isert_conn->conn_mutex); - if (isert_conn->conn_cm_id) { + if (isert_conn->conn_cm_id && !isert_conn->disconnect) { pr_debug("Calling rdma_disconnect from isert_wait_conn\n"); rdma_disconnect(isert_conn->conn_cm_id); } From 1a92e17e39b9a5d476e0a7aa52280e76321834ee Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Thu, 19 Jun 2014 13:54:19 +0300 Subject: [PATCH 4/9] Target/iser: Fix initiator_depth and responder_resources The iser target is the RDMA requester and the iser initiator is the RDMA responder. In order to determine the max inflight RDMA READ requests to set on the QP (initiator_depth), it should take the min between the initiator published initiator_depth and the max inflight rdma read requests its local HCA support (max_qp_init_rd_atom). The target will never handle incoming RDMA READ requests so no need to set responder_resources. Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 9e21747acce6..da8ff124762a 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -592,10 +592,6 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) cma_id->context = isert_conn; isert_conn->conn_cm_id = cma_id; - isert_conn->responder_resources = event->param.conn.responder_resources; - isert_conn->initiator_depth = event->param.conn.initiator_depth; - pr_debug("Using responder_resources: %u initiator_depth: %u\n", - isert_conn->responder_resources, isert_conn->initiator_depth); isert_conn->login_buf = kzalloc(ISCSI_DEF_MAX_RECV_SEG_LEN + ISER_RX_LOGIN_SIZE, GFP_KERNEL); @@ -642,6 +638,12 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) goto out_rsp_dma_map; } + /* Set max inflight RDMA READ requests */ + isert_conn->initiator_depth = min_t(u8, + event->param.conn.initiator_depth, + device->dev_attr.max_qp_init_rd_atom); + pr_debug("Using initiator_depth: %u\n", isert_conn->initiator_depth); + isert_conn->conn_device = device; isert_conn->conn_pd = ib_alloc_pd(isert_conn->conn_device->ib_device); if (IS_ERR(isert_conn->conn_pd)) { @@ -3067,7 +3069,6 @@ isert_rdma_accept(struct isert_conn *isert_conn) int ret; memset(&cp, 0, sizeof(struct rdma_conn_param)); - cp.responder_resources = isert_conn->responder_resources; cp.initiator_depth = isert_conn->initiator_depth; cp.retry_count = 7; cp.rnr_retry_count = 7; From 3687db882d8ec8f0792603ff00c2e80d791e49e8 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 7 Jul 2014 18:25:04 -0700 Subject: [PATCH 5/9] iscsi-target: Ignore ICF_GOT_LAST_DATAOUT during Data-Out ITT lookup This patch adds a explicit check in iscsit_find_cmd_from_itt_or_dump() to ignore commands with ICF_GOT_LAST_DATAOUT set. This is done to address the case where an ITT is being reused for DataOUT, but the previous command with the same ITT has not yet been acknowledged by ExpStatSN and removed from the per connection command list. This issue was originally manifesting itself by referencing the previous command during ITT lookup, and subsequently hitting the check in iscsit_check_dataout_hdr() for ICF_GOT_LAST_DATAOUT, that resulted in the DataOUT PDU + associated payload being silently dumped. Reported-by: Arshad Hussain Tested-by: Arshad Hussain Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_util.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index fd90b28f1d94..73355f4fca74 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -400,6 +400,8 @@ struct iscsi_cmd *iscsit_find_cmd_from_itt_or_dump( spin_lock_bh(&conn->cmd_lock); list_for_each_entry(cmd, &conn->conn_cmd_list, i_conn_node) { + if (cmd->cmd_flags & ICF_GOT_LAST_DATAOUT) + continue; if (cmd->init_task_tag == init_task_tag) { spin_unlock_bh(&conn->cmd_lock); return cmd; From 096b49951712291824e9f9358a0c46417011098e Mon Sep 17 00:00:00 2001 From: Sebastian Herbszt Date: Sat, 30 Aug 2014 00:31:11 +0200 Subject: [PATCH 6/9] target: Fix user data segment multiplier in spc_emulate_evpd_b3() This patch fixes an apparent cut and paste error in spc_emulate_evpd_b3(), where lba_map_segment_size was being used twice for the Referrals VPD. Go ahead and set the correct user data segment multiplier instead of user data segment size. Signed-off-by: Sebastian Herbszt Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_spc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c index 6cd7222738fc..bc286a67af7c 100644 --- a/drivers/target/target_core_spc.c +++ b/drivers/target/target_core_spc.c @@ -664,7 +664,7 @@ spc_emulate_evpd_b3(struct se_cmd *cmd, unsigned char *buf) buf[0] = dev->transport->get_device_type(dev); buf[3] = 0x0c; put_unaligned_be32(dev->t10_alua.lba_map_segment_size, &buf[8]); - put_unaligned_be32(dev->t10_alua.lba_map_segment_size, &buf[12]); + put_unaligned_be32(dev->t10_alua.lba_map_segment_multiplier, &buf[12]); return 0; } From 1f0b030c45c781f9fe568e5e2a813d6c8567a051 Mon Sep 17 00:00:00 2001 From: Sebastian Herbszt Date: Mon, 1 Sep 2014 00:17:53 +0200 Subject: [PATCH 7/9] target: Fix inverted logic in SE_DEV_ALUA_SUPPORT_STATE_STORE Fix inverted logic in SE_DEV_ALUA_SUPPORT_STATE_STORE for setting the supported ALUA access states via configfs, originally introduced in commit b0a382c5. A value of 1 should enable the support, not disable it. Signed-off-by: Sebastian Herbszt Cc: # v3.14+ Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index bf55c5a04cfa..756def38c77a 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -2363,7 +2363,7 @@ static ssize_t target_core_alua_tg_pt_gp_store_attr_alua_support_##_name(\ pr_err("Invalid value '%ld', must be '0' or '1'\n", tmp); \ return -EINVAL; \ } \ - if (!tmp) \ + if (tmp) \ t->_var |= _bit; \ else \ t->_var &= ~_bit; \ From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Wed, 17 Sep 2014 11:45:17 -0700 Subject: [PATCH 8/9] iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid This patch fixes a bug in iscsit_logout_post_handler_diffcid() where a pointer used as storage for list_for_each_entry() was incorrectly being used to determine if no matching entry had been found. This patch changes iscsit_logout_post_handler_diffcid() to key off bool conn_found to determine if the function needs to exit early. Reported-by: Joern Engel Cc: # v3.1+ Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 1f4c794f5fcc..260c3e1e312c 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -4540,6 +4540,7 @@ static void iscsit_logout_post_handler_diffcid( { struct iscsi_conn *l_conn; struct iscsi_session *sess = conn->sess; + bool conn_found = false; if (!sess) return; @@ -4548,12 +4549,13 @@ static void iscsit_logout_post_handler_diffcid( list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) { if (l_conn->cid == cid) { iscsit_inc_conn_usage_count(l_conn); + conn_found = true; break; } } spin_unlock_bh(&sess->conn_lock); - if (!l_conn) + if (!conn_found) return; if (l_conn->sock) From 8ae757d09c45102b347a1bc2867f54ffc1ab8fda Mon Sep 17 00:00:00 2001 From: Joern Engel Date: Tue, 2 Sep 2014 17:49:54 -0400 Subject: [PATCH 9/9] iscsi-target: avoid NULL pointer in iscsi_copy_param_list failure In iscsi_copy_param_list() a failed iscsi_param_list memory allocation currently invokes iscsi_release_param_list() to cleanup, and will promptly trigger a NULL pointer dereference. Instead, go ahead and return for the first iscsi_copy_param_list() failure case. Found by coverity. Signed-off-by: Joern Engel Cc: # v3.1+ Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_parameters.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c index 02f9de26f38a..18c29260b4a2 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.c +++ b/drivers/target/iscsi/iscsi_target_parameters.c @@ -601,7 +601,7 @@ int iscsi_copy_param_list( param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL); if (!param_list) { pr_err("Unable to allocate memory for struct iscsi_param_list.\n"); - goto err_out; + return -1; } INIT_LIST_HEAD(¶m_list->param_list); INIT_LIST_HEAD(¶m_list->extra_response_list);