13 Apr, 2014
1 commit
-
Pull yet more networking updates from David Miller:
1) Various fixes to the new Redpine Signals wireless driver, from
Fariya Fatima.2) L2TP PPP connect code takes PMTU from the wrong socket, fix from
Dmitry Petukhov.3) UFO and TSO packets differ in whether they include the protocol
header in gso_size, account for that in skb_gso_transport_seglen().
From Florian Westphal.4) If VLAN untagging fails, we double free the SKB in the bridging
output path. From Toshiaki Makita.5) Several call sites of sk->sk_data_ready() were referencing an SKB
just added to the socket receive queue in order to calculate the
second argument via skb->len. This is dangerous because the moment
the skb is added to the receive queue it can be consumed in another
context and freed up.It turns out also that none of the sk->sk_data_ready()
implementations even care about this second argument.So just kill it off and thus fix all these use-after-free bugs as a
side effect.6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti.
7) pktgen needs to do locking properly for LLTX devices, from Daniel
Borkmann.8) xen-netfront driver initializes TX array entries in RX loop :-) From
Vincenzo Maffione.9) After refactoring, some tunnel drivers allow a tunnel to be
configured on top itself. Fix from Nicolas Dichtel.* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits)
vti: don't allow to add the same tunnel twice
gre: don't allow to add the same tunnel twice
drivers: net: xen-netfront: fix array initialization bug
pktgen: be friendly to LLTX devices
r8152: check RTL8152_UNPLUG
net: sun4i-emac: add promiscuous support
net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO
net: ipv6: Fix oif in TCP SYN+ACK route lookup.
drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts
drivers: net: cpsw: discard all packets received when interface is down
net: Fix use after free by removing length arg from sk_data_ready callbacks.
Drivers: net: hyperv: Address UDP checksum issues
Drivers: net: hyperv: Negotiate suitable ndis version for offload support
Drivers: net: hyperv: Allocate memory for all possible per-pecket information
bridge: Fix double free and memory leak around br_allowed_ingress
bonding: Remove debug_fs files when module init fails
i40evf: program RSS LUT correctly
i40evf: remove open-coded skb_cow_head
ixgb: remove open-coded skb_cow_head
igbvf: remove open-coded skb_cow_head
...
12 Apr, 2014
8 commits
-
Because it doesn't always create, if there's an existing one it just
returns it.Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
These functions are not adding or deleting an lport. They are adding a
wwn that may match with an lport that is present on the system.Renaming ft_del_lport also means we won't have functions named
both ft_del_lport and ft_lport_del any more.Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
Rename struct ft_lport_acl to ft_lport_wwn. "acl" is associated with
something different in LIO terms. Really, ft_lport_wwn is the
fabric-specific wrapper for the struct se_wwn.Rename "lacl" local variables to "ft_wwn" as well.
Rename list_heads used as list members to make it clear they're nodes, not
heads.Rename lport_node to ft_wwn_node.
Rename ft_lport_list to ft_wwn_list
Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
tcm_fc doesn't support multiple TPGs per wwn. For proof, see
ft_lport_find_tpg. Enforce this in the code.Replace ft_lport_wwn.tpg_list with a single pointer. We can't fold ft_tpg
into ft_lport_wwn because they can have different lifetimes.Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
Nobody outside tfc_conf.c uses it.
Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
ft_del_tpg checks tpg->tport is set before unlinking the tpg from the
tport when the tpg is being removed. Set this pointer in ft_tport_create,
or the unlinking won't happen in ft_del_tpg and tport->tpg will reference
a deleted object.This patch sets tpg->tport in ft_tport_create, because that's what
ft_del_tpg checks, and is the only way to get back to the tport to
clear tport->tpg.The bug was occuring when:
- lport created, tport (our per-lport, per-provider context) is
allocated.
tport->tpg = NULL
- tpg created
- a PRLI is received. ft_tport_create is called, tpg is found and
tport->tpg is set
- tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not
set, tport->tpg is not cleared and points at freed memory
- Future calls to ft_tport_create return tport via first conditional,
instead of searching for new tpg by calling ft_lport_find_tpg.
tport->tpg is still invalid, and will access freed memory.see https://bugzilla.redhat.com/show_bug.cgi?id=1071340
Cc: stable@vger.kernel.org # 3.0+
Signed-off-by: Andy Grover
Signed-off-by: Nicholas Bellinger -
This patch addresses an issue that occurs when an ABTS is received
for an se_cmd that completes just before the sess_cmd_list is searched
in core_tmr_abort_task(). When the sess_cmd_list is searched, since
the ABTS and the FCP_CMND being aborted (that just completed) both
have the same OXID, TFO->get_task_tag(TMR) returns a value that
matches tmr->ref_task_tag (from TFO->get_task_tag(FCP_CMND)), and
the Abort Task tries to abort itself. When this occurs,
transport_wait_for_tasks() hangs forever since the TMR is waiting
for itself to finish.This patch adds a check to core_tmr_abort_task() to make sure the
TMR does not attempt to abort itself.Signed-off-by: Alex Leung
Signed-off-by: Nicholas Bellinger -
Several spots in the kernel perform a sequence like:
skb_queue_tail(&sk->s_receive_queue, skb);
sk->sk_data_ready(sk, skb->len);But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up. So this skb->len access is potentially
to freed up memory.Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.And finally, no actual implementation of this callback actually uses
the length argument. And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.Signed-off-by: David S. Miller
07 Apr, 2014
21 commits
-
This patch enables the use of READ_STRIP software emulation in
target_complete_ok_work() code for I/O READs.This is useful when the fabric does not support READ_STRIP hardware
offload, but would still like to interact with backend device
that have T10 PI enabled.v2 changes:
- Move TARGET_PROT_DIN_STRIP check from target_check_read_strip()
into target_complete_ok_work() (Sagi)Cc: Martin K. Petersen
Cc: Sagi Grimberg
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
Split up __sbc_dif_verify_read() so that VERIFY READ emulation can
perform target-core specific READ_STRIP, seperate from the existing
FILEIO/RAMDISK backend emulation code.Also add sbc_dif_read_strip() in order to determine number of sectors
using cmd->prot_length, and skip the extra sbc_dif_copy_prot().Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
This patch enables WRITE_INSERT emulation in target_execute_cmd()
in order to locally generate DIF PI before submitting the WRITE
to the underlying backend device.This is required for fabric drivers that currently don't support
DIF over-the-wire, in order to inact with backend devices that
have hardware (IBLOCK) or software (FILEIO + RAMDISK) support
for handling T10 PI.v2 changes:
- Convert to sbc_dif_generate() usage (Sagi)Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
This patch adds WRITE_INSERT emulation within target-core
using TYPE1 / TYPE3 PI modes in sbc_dif_generate() code.This is useful in order for existing legacy fabrics that do not
support protection offloads to interact with backend devices that
currently have T10 PI enabled.v2 changes:
- Rename to sbc_dif_generate() (Sagi)Cc: Martin K. Petersen
Cc: Sagi Grimberg
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
Only expose the PI protection type bits in READ_CAPACITY_16
if the session + fabric support DIX PASS operations.Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
Only expose the control modepage bit for Application Tag Owner (ATO)
if the session + fabric support DIX PASS operations.Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
Only expose standard INQUIRY PROTECT=1 and EVPD=0x86 TYPE1/TYPE3
PI control bits if the session + fabric support DIX PASS operations.Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
In order to support local WRITE_INSERT + READ_STRIP operations for
non PI enabled fabrics, the fabric driver needs to be able signal
what protection offload operations are supported.This is done at session initialization time so the modes can be
signaled by individual se_wwn + se_portal_group endpoints, as well
as optionally across different transports on the same endpoint.For iser-target, set TARGET_PROT_ALL if the underlying ib_device
has already signaled PI offload support, and allow this to be
exposed via a new iscsit_transport->iscsit_get_sup_prot_ops()
callback.For loopback, set TARGET_PROT_ALL to signal SCSI initiator mode
operation.For all other drivers, set TARGET_PROT_NORMAL to disable fabric
level PI.Cc: Martin K. Petersen
Cc: Sagi Grimberg
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Signed-off-by: Nicholas Bellinger -
This patch fixes a double free bug during IBLOCK backend shutdown
where bioset_integrity_free() was incorrectly called ahead of
bioset_free(), who is already making the same call directly.This bug was introduced with commit ecebbf6cc, and will end up
triggering a general protection fault in iblock_free_device()Reviewed-by: Sagi Grimberg
Cc: Martin K. Petersen
Cc: Or Gerlitz
Cc: Quinn Tran
Cc: Giridhar Malavali
Cc: #3.14+
Signed-off-by: Nicholas Bellinger -
When compiled with CONFIG_DEBUG_SG set, uninitialized SGL leads
to BUG() in compare_and_write_callback().Signed-off-by: Martin Svec
Cc: #3.12+
Signed-off-by: Nicholas Bellinger -
Ram disk is allocating 8x more space than required for diff data.
For large RAM disk test, there is small potential for memory
starvation.(Use block_size when calculating total_sg_needed - sagi + nab)
Signed-off-by: Giridhar Malavali
Signed-off-by: Quinn Tran
Cc: #3.14+
Signed-off-by: Nicholas Bellinger -
This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message()
where during ERL=2 connection recovery, a bogus conn_p pointer could
end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION
notifying the initiator that cmd->logout_cid has failed.The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with
a bogus conn_p pointer in iscsit_build_conn_drop_async_message().Reported-by: Arshad Hussain
Reported-by: santosh kulkarni
Cc: #3.1+
Signed-off-by: Nicholas Bellinger -
Now that TASK_ABORTED status is not generated for all cases by
TMR ABORT_TASK + LUN_RESET, a new TFO->abort_task() caller is
necessary in order to give fabric drivers a chance to unmap
hardware / software resources before the se_cmd descriptor is
released via the normal TFO->release_cmd() codepath.This patch adds TFO->aborted_task() in core_tmr_abort_task()
in place of the original transport_send_task_abort(), and
also updates all fabric drivers to implement this caller.The fabric drivers that include changes to perform cleanup
via ->aborted_task() are:- iscsi-target
- iser-target
- srpt
- tcm_qla2xxxThe fabric drivers that currently set ->aborted_task() to
NOPs are:- loopback
- tcm_fc
- usb-gadget
- sbp-target
- vhost-scsiFor the latter five, there appears to be no additional cleanup
required before invoking TFO->release_cmd() to release the
se_cmd descriptor.v2 changes:
- Move ->aborted_task() call into transport_cmd_finish_abort (Alex)Cc: Alex Leung
Cc: Mark Rustad
Cc: Roland Dreier
Cc: Vu Pham
Cc: Chris Boot
Cc: Sebastian Andrzej Siewior
Cc: Michael S. Tsirkin
Cc: Giridhar Malavali
Cc: Saurav Kashyap
Cc: Quinn Tran
Cc: Sagi Grimberg
Cc: Or Gerlitz
Signed-off-by: Nicholas Bellinger -
This patch addresses three of long standing issues wrt to Task
Aborted Status (TAS) handling.The first is the incorrect assumption in core_tmr_handle_tas_abort()
that TASK_ABORTED status is sent for the task referenced by TMR
ABORT_TASK, and sending TASK_ABORTED status for TMR LUN_RESET on
the same nexus the LUN_RESET was received.The second is to ensure the lun reference count is dropped within
transport_cmd_finish_abort() by calling transport_lun_remove_cmd()
before invoking transport_cmd_check_stop_to_fabric().The last is to fix the delayed TAS handling to allow outstanding
WRITEs to complete before sending the TASK_ABORTED status. This
includes changing transport_check_aborted_status() to avoid
processing when SCF_SEND_DELAYED_TAS has not be set, and updating
transport_send_task_abort() to drop the SCF_SENT_DELAYED_TAS
check.Signed-off-by: Alex Leung
Cc: Alex Leung
Signed-off-by: Nicholas Bellinger -
This patch adds check for NopOUT->flag (LMB) which is a mandatory
as per RFC 3720 Section 10.18.(Fix up context changes for v3.14-rc code - nab)
Signed-off-by: Arshad Hussain
Signed-off-by: Nicholas Bellinger -
Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
User may enable T10-PI support per network portal group. any connection
established on top of it, will be required to serve protected transactions.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
In case an iscsi portal group will be defined as t10_pi enabled,
all connections on top of it will support protected transactions.T10-PI support may require extra reource allocation and maintenance by
the transport layer, so we don't want to apply them on non-t10_pi network
portals. This is a hook for the iscsi target layer to signal the transport
at connection establishment that this connection will carry protected
transactions.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
This is not going to be supported soon - so drop it.
Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
Some transports (iSCSI/iSER/SRP/FC) support hardware INSERT/STRIP
capabilities while other transports like loopback/vhost-scsi need
perform this is software.This patch allows fabrics using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC
to signal the early LUN scan handling case where PROTECT CDB bits
are set, but no fabric buffer has been provided.For transports which use generic new command these buffers have yet
to be allocated.Also this way, target may support protection information
against legacy initiators (writes are inserted and reads
are stripped).(Only set prot_pto for loopback during early special case - nab)
Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
No need to actually compute protection information when formatting
Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
14 Mar, 2014
3 commits
-
SBC-3 mandates the protection checks that must be
performed in the rdprotect/wrprotect field. Use them.
According to backstore device pi_attributes and
cdb rdprotect/wrprotect field.(Fix incorrect se_cmd->prot_type -> TARGET_PROT_NORMAL
comparision in transport_generic_new_cmd - nab)
(Fix missing break in sbc_set_prot_op_checks - DanC + Sagi)Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
In case protection information is involved, allocate
protection SG-list for transport.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
Building target_core_alua.o triggers a GCC warning:
drivers/target/target_core_alua.c: In function ‘target_alua_state_check’:
drivers/target/target_core_alua.c:773:18: warning: ‘alua_ascq’ may be used uninitialized in this function [-Wmaybe-uninitialized]
cmd->scsi_ascq = alua_ascq;
^This is a false positive. A little trial and error shows it is
apparently caused by core_alua_state_lba_dependent(). It must be hard
for GCC to track the branches of a switch statement, inside a
list_for_each_entry loop, inside a while loop.But if we add a small (inline) helper function we can reorganize the
code a bit. That also allows to drop alua_ascq which, obviously, gets
rid of this warning.Signed-off-by: Paul Bolle
Signed-off-by: Nicholas Bellinger
07 Mar, 2014
1 commit
-
When copying between device and command protection scatters
we must take into account that device scatters might be offset
and we might copy outside scatter range. Thus for each cmd prot
scatter we must take the min between cmd prot scatter, dev prot
scatter, and whats left (and loop in case we havn't copied enough
from/to cmd prot scatter).Example (single t_prot_sg of len 2048):
kernel: sbc_dif_copy_prot: se_cmd=ffff880380aaf970, left=2048, len=2048, dev_prot_sg_offset=3072, dev_prot_sg_len=4096
kernel: isert: se_cmd=ffff880380aaf970 PI error found type 0 at sector 0x2600 expected 0x0 vs actual 0x725f, lba=2580Instead of copying 2048 from offset 3072 (copying junk outside sg
limit 4096), we must to copy 1024 and continue to next sg until
we complete cmd prot scatter.This issue was found using iSER T10-PI offload over rd_mcp (wasn't
discovered with fileio since file_dev prot sglists are never offset).Changes from v1:
- Fix sbc_copy_prot copy length miss-calculationChanges from v0:
- Removed psg->offset consideration for psg_len computation
- Removed sg->offset consideration for offset condition
- Added copied consideraiton for len computation
- Added copied offset to paddr when doing memcpySigned-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
05 Mar, 2014
3 commits
-
This patch addresses a couple of different hug shutdown issues
related to wait_event() + isert_conn->state. First, it changes
isert_conn->conn_wait + isert_conn->conn_wait_comp_err from
waitqueues to completions, and sets ISER_CONN_TERMINATING from
within isert_disconnect_work().Second, it splits isert_free_conn() into isert_wait_conn() that
is called earlier in iscsit_close_connection() to ensure that
all outstanding commands have completed before continuing.Finally, it breaks isert_cq_comp_err() into seperate TX / RX
related code, and adds logic in isert_cq_rx_comp_err() to wait
for outstanding commands to complete before setting ISER_CONN_DOWN
and calling complete(&isert_conn->conn_wait_comp_err).Acked-by: Sagi Grimberg
Cc: Or Gerlitz
Cc: #3.10+
Signed-off-by: Nicholas Bellinger -
There are a handful of uses of list_empty() for cmd->i_conn_node
within iser-target code that expect to return false once a cmd
has been removed from the per connect list.This patch changes all uses of list_del -> list_del_init in order
to ensure that list_empty() returns false as expected.Acked-by: Sagi Grimberg
Cc: Or Gerlitz
Cc: #3.10+
Signed-off-by: Nicholas Bellinger -
This patch fixes a bug in iscsit_get_tpg_from_np() where the
tpg->tpg_state sanity check was looking for TPG_STATE_FREE,
instead of != TPG_STATE_ACTIVE.The latter is expected during a normal TPG shutdown once the
tpg_state goes into TPG_STATE_INACTIVE in order to reject any
new incoming login attempts.Cc: #3.10+
Signed-off-by: Nicholas Bellinger
24 Feb, 2014
3 commits
-
Because then this sg is passed to sbc_copy_prot which will
hit a protection fault in cases we have more than a single sg.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger -
This patch adds the three missing DIF related sense codes within
transport_generic_request_failure(), which are required to ensure
that the correct ASC/ASQC is generated by the subsequent call to
transport_send_check_condition_and_sense().Cc: Martin K. Petersen
Cc: Christoph Hellwig
Cc: Hannes Reinecke
Cc: Sagi Grimberg
Cc: Or Gerlitz
Signed-off-by: Nicholas Bellinger -
This patch fixes a bug in sbc_dif_copy_prot() where the updated addr
offset did not take into account the case where the associated
scatterlist had not been incremented.This addresses the case where incoming protection scatterlists may
contain a length smaller than PAGE_SIZE across multiple entires,
when the target protection scatterlists are always being explicitly
filled up to PAGE_SIZE before adding another entry.Cc: Martin K. Petersen
Cc: Christoph Hellwig
Cc: Hannes Reinecke
Cc: Sagi Grimberg
Cc: Or Gerlitz
Signed-off-by: Nicholas Bellinger