1. 16 9月, 2015 6 次提交
  2. 31 8月, 2015 4 次提交
  3. 27 8月, 2015 3 次提交
  4. 25 7月, 2015 1 次提交
    • N
      iser-target: Fix REJECT CM event use-after-free OOPs · ce9a9fc2
      Nicholas Bellinger 提交于
      This patch fixes a bug in iser-target code where the REJECT CM event
      handler code currently performs a isert_put_conn() for the final
      isert_conn->kref put, while iscsi_np process context is still blocked
      in isert_get_login_rx().
      
      Once isert_get_login_rx() is awoking due to login timeout, iscsi_np
      process context will attempt to invoke iscsi_target_login_sess_out()
      to cleanup iscsi_conn as expected, and calls isert_wait_conn() +
      isert_free_conn() which triggers the use-after-free OOPs.
      
      To address this bug, move the kref_get_unless_zero() call from
      isert_connected_handler() into isert_connect_request() immediately
      preceeding isert_rdma_accept() to ensure the CM handler cleanup
      paths and isert_free_conn() are always operating with two refs.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: <stable@vger.kernel.org> # v3.10+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      ce9a9fc2
  5. 13 6月, 2015 1 次提交
  6. 09 6月, 2015 3 次提交
    • S
      iser-target: Fix possible use-after-free · 524630d5
      Sagi Grimberg 提交于
      iser connection termination process happens in 2 stages:
      - isert_wait_conn:
        - resumes rdma disconnect
        - wait for session commands
        - wait for flush completions (post a marked wr to signal we are done)
        - wait for logout completion
        - queue work for connection cleanup (depends on disconnected/timewait
          events)
      - isert_free_conn
        - last reference put on the connection
      
      In case we are terminating during IOs, we might be posting send/recv
      requests after we posted the last work request which might lead
      to a use-after-free condition in isert_handle_wc.
      After we posted the last wr in isert_wait_conn we are guaranteed that
      no successful completions will follow (meaning no new work request posts
      may happen) but other flush errors might still come. So before we
      put the last reference on the connection, we repeat the process of
      posting a marked work request (isert_wait4flush) in order to make sure all
      pending completions were flushed.
      Signed-off-by: NSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: NJenny Falkovich <jennyf@mellanox.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      524630d5
    • S
      iser-target: release stale iser connections · 2f1b6b7d
      Sagi Grimberg 提交于
      When receiving a new iser connect request we serialize
      the pending requests by adding the newly created iser connection
      to the np accept list and let the login thread process the connect
      request one by one (np_accept_wait).
      
      In case we received a disconnect request before the iser_conn
      has begun processing (still linked in np_accept_list) we should
      detach it from the list and clean it up and not have the login
      thread process a stale connection. We do it only when the connection
      state is not already terminating (initiator driven disconnect) as
      this might lead us to access np_accept_mutex after the np was released
      in live shutdown scenarios.
      Signed-off-by: NSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: NJenny Falkovich <jennyf@mellanox.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      2f1b6b7d
    • S
      iser-target: Fix variable-length response error completion · 9253e667
      Sagi Grimberg 提交于
      Since commit "2426bd45 target: Report correct response ..."
      we might get a command with data_size that does not fit to
      the number of allocated data sg elements. Given that we rely on
      cmd t_data_nents which might be different than the data_size,
      we sometimes receive local length error completion. The correct
      approach would be to take the command data_size into account when
      constructing the ib sg_list.
      Signed-off-by: NSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: NJenny Falkovich <jennyf@mellanox.com>
      Cc: stable@vger.kernel.org # 3.16+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      9253e667
  7. 31 5月, 2015 2 次提交
  8. 19 5月, 2015 1 次提交
  9. 08 4月, 2015 18 次提交
  10. 13 2月, 2015 1 次提交