From 3687db882d8ec8f0792603ff00c2e80d791e49e8 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 7 Jul 2014 18:25:04 -0700 Subject: iscsi-target: Ignore ICF_GOT_LAST_DATAOUT during Data-Out ITT lookup This patch adds a explicit check in iscsit_find_cmd_from_itt_or_dump() to ignore commands with ICF_GOT_LAST_DATAOUT set. This is done to address the case where an ITT is being reused for DataOUT, but the previous command with the same ITT has not yet been acknowledged by ExpStatSN and removed from the per connection command list. This issue was originally manifesting itself by referencing the previous command during ITT lookup, and subsequently hitting the check in iscsit_check_dataout_hdr() for ICF_GOT_LAST_DATAOUT, that resulted in the DataOUT PDU + associated payload being silently dumped. Reported-by: Arshad Hussain Tested-by: Arshad Hussain Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/target/iscsi') diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index fd90b28f1d9..73355f4fca7 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -400,6 +400,8 @@ struct iscsi_cmd *iscsit_find_cmd_from_itt_or_dump( spin_lock_bh(&conn->cmd_lock); list_for_each_entry(cmd, &conn->conn_cmd_list, i_conn_node) { + if (cmd->cmd_flags & ICF_GOT_LAST_DATAOUT) + continue; if (cmd->init_task_tag == init_task_tag) { spin_unlock_bh(&conn->cmd_lock); return cmd; -- cgit v1.2.3-70-g09d2 From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001 
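Review bot: The new `ICF_GOT_LAST_DATAOUT` test inside the list walk has no comment, and the reason for it (an ITT can be reused before the earlier command is acknowledged by ExpStatSN and unlinked) lives only in the commit message. A line such as `/* Skip commands that already received their final Data-Out; the ITT may have been reused. */` above the test would stop it from being dropped as redundant later. The flag is read here under `conn->cmd_lock` only; if `cmd_flags` is updated under a different lock elsewhere (not visible in this hunk), the lookup can still see a stale value, so that pairing is worth confirming. Because the ITT is supplied by the peer, a late or repeated Data-Out for a finished command now ends in this function's not-found path instead of the check in iscsit_check_dataout_hdr(); that path is outside the hunk.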
From: Nicholas Bellinger Date: Wed, 17 Sep 2014 11:45:17 -0700 Subject: iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid This patch fixes a bug in iscsit_logout_post_handler_diffcid() where a pointer used as storage for list_for_each_entry() was incorrectly being used to determine if no matching entry had been found. This patch changes iscsit_logout_post_handler_diffcid() to key off bool conn_found to determine if the function needs to exit early. Reported-by: Joern Engel Cc: # v3.1+ Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/target/iscsi') diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 1f4c794f5fc..260c3e1e312 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -4540,6 +4540,7 @@ static void iscsit_logout_post_handler_diffcid( { struct iscsi_conn *l_conn; struct iscsi_session *sess = conn->sess; + bool conn_found = false; if (!sess) return; @@ -4548,12 +4549,13 @@ static void iscsit_logout_post_handler_diffcid( list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) { if (l_conn->cid == cid) { iscsit_inc_conn_usage_count(l_conn); + conn_found = true; break; } } spin_unlock_bh(&sess->conn_lock); - if (!l_conn) + if (!conn_found) return; if (l_conn->sock) -- cgit v1.2.3-70-g09d2 From 8ae757d09c45102b347a1bc2867f54ffc1ab8fda Mon Sep 17 00:00:00 2001 From: Joern Engel Date: Tue, 2 Sep 2014 17:49:54 -0400 Subject: iscsi-target: avoid NULL pointer in iscsi_copy_param_list failure In iscsi_copy_param_list() a failed iscsi_param_list memory allocation currently invokes iscsi_release_param_list() to cleanup, and will promptly trigger a NULL pointer dereference. Instead, go ahead and return for the first iscsi_copy_param_list() failure case. Found by coverity. Signed-off-by: Joern Engel Cc: # v3.1+ 
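Review bot: In the second hunk `l_conn` is still both the list cursor and the result, so when nothing matches it holds a bogus entry computed from the list head, and `conn_found` is the only thing keeping `if (l_conn->sock)` from reading it. A separate cursor removes that hazard: initialise `l_conn = NULL`, iterate with `struct iscsi_conn *pos;`, set `l_conn = pos;` on a match, and the original `if (!l_conn) return;` is then correct as written. The `bool conn_found` declaration added in the first hunk of this patch would no longer be needed. The function continues past the end of the hunk, so later uses of `l_conn` are not visible here.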
Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_parameters.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/target/iscsi') diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c index 02f9de26f38..18c29260b4a 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.c +++ b/drivers/target/iscsi/iscsi_target_parameters.c @@ -601,7 +601,7 @@ int iscsi_copy_param_list( param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL); if (!param_list) { pr_err("Unable to allocate memory for struct iscsi_param_list.\n"); - goto err_out; + return -1; } INIT_LIST_HEAD(¶m_list->param_list); INIT_LIST_HEAD(¶m_list->extra_response_list); -- cgit v1.2.3-70-g09d2
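Review bot: Returning early fixes this one call site, but the `err_out` label still hands `param_list` to iscsi_release_param_list(), which per the commit message dereferences it, so any early `goto err_out` added later brings the NULL dereference back. A guard at the top of the release function, `if (!param_list) return;`, would make the label safe on every path; that function is outside this hunk. Separately, `return -ENOMEM;` would tell callers why the copy failed, provided they only test for a negative value, which needs checking against the callers.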