linux-toradex.git/drivers/target, branch 3.0-quartz-ts1.1 Linux kernel for Apalis and Colibri modules target: Handle 0 correctly in transport_get_sectors_6() 2011-12-21T20:57:37+00:00 Roland Dreier roland@purestorage.com 2011-11-22T21:51:33+00:00 2afc2fbeaafb4c9a5ab0f92efa0fa739c95c26e4 commit 9b5cd7f37e1e018432111333e2a67f78ba41edfe upstream. SBC-3 says: A TRANSFER LENGTH field set to zero specifies that 256 logical blocks shall be written. Any other value specifies the number of logical blocks that shall be written. The old code was always just returning the value in the TRANSFER LENGTH byte. Fix this to return 256 if the byte is 0. Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 9b5cd7f37e1e018432111333e2a67f78ba41edfe upstream.

SBC-3 says:

    A TRANSFER LENGTH field set to zero specifies that 256 logical
    blocks shall be written.  Any other value specifies the number
    of logical blocks that shall be written.

The old code was always just returning the value in the TRANSFER LENGTH
byte.  Fix this to return 256 if the byte is 0.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
tcm_loop: Add explict read buffer memset for SCF_SCSI_CONTROL_SG_IO_CDB 2011-11-11T17:37:01+00:00 Nicholas Bellinger nab@linux-iscsi.org 2011-10-24T20:35:37+00:00 fef547148349098f58bcea1c6cda5be1f6f8719c commit 8cd79f24350826b81e16990d9e12bc878e67d385 upstream. This patch addresses an issue with buggy userspace code sending I/O via scsi-generic that does not explictly clear their associated read buffers. It adds an explict memset of the first SGL entry within tcm_loop_new_cmd_map() for SCF_SCSI_CONTROL_SG_IO_CDB payloads that are currently guaranteed to be a single SGL by target-core code. This issue is a side effect of the v3.1-rc1 merge to remove the extra memcpy between certain control CDB types using a contigious + cleared buffer in target-core, and performing a memcpy into the SGL list within tcm_loop. It was originally mainfesting itself by udev + scsi_id + scsi-generic not properly setting up the expected /dev/disk/by-id/ symlinks because the INQUIRY payload was containing extra bogus data preventing the proper NAA IEEE WWN from being parsed by userspace. Cc: Christoph Hellwig <hch@lst.de> Cc: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 8cd79f24350826b81e16990d9e12bc878e67d385 upstream.

This patch addresses an issue with buggy userspace code sending I/O
via scsi-generic that does not explictly clear their associated read
buffers.  It adds an explict memset of the first SGL entry within
tcm_loop_new_cmd_map() for SCF_SCSI_CONTROL_SG_IO_CDB payloads that
are currently guaranteed to be a single SGL by target-core code.

This issue is a side effect of the v3.1-rc1 merge to remove the
extra memcpy between certain control CDB types using a contigious
+ cleared buffer in target-core, and performing a memcpy into the
SGL list within tcm_loop.

It was originally mainfesting itself by udev + scsi_id + scsi-generic
not properly setting up the expected /dev/disk/by-id/ symlinks because
the INQUIRY payload was containing extra bogus data preventing the
proper NAA IEEE WWN from being parsed by userspace.

Cc: Christoph Hellwig <hch@lst.de>
Cc: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
target: Fix REPORT TARGET PORT GROUPS handling with small allocation length 2011-11-11T17:35:26+00:00 Nicholas Bellinger nab@linux-iscsi.org 2011-10-19T06:48:04+00:00 f2c1c3233aa7b1742c458b1eed929d675222e70c commit 6b20fa9aaf0c2f69ee6f9648e20ab2be0206705e upstream. This patch fixes a bug with the handling of REPORT TARGET PORT GROUPS containing a smaller allocation length than the payload requires causing memory writes beyond the end of the buffer. This patch checks for the minimum 4 byte length for the response payload length, and also checks upon each loop of T10_ALUA(su_dev)->tg_pt_gps_list to ensure the Target port group and Target port descriptor list is able to fit into the remaining allocation length. If the response payload exceeds the allocation length length, then rd_len is still increments to indicate to the initiator that the payload has been truncated. Reported-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 6b20fa9aaf0c2f69ee6f9648e20ab2be0206705e upstream.

This patch fixes a bug with the handling of REPORT TARGET PORT GROUPS
containing a smaller allocation length than the payload requires causing
memory writes beyond the end of the buffer.  This patch checks for the
minimum 4 byte length for the response payload length, and also checks
upon each loop of T10_ALUA(su_dev)->tg_pt_gps_list to ensure the Target
port group and Target port descriptor list is able to fit into the
remaining allocation length.

If the response payload exceeds the allocation length length, then rd_len
is still increments to indicate to the initiator that the payload has
been truncated.

Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@risingtidesystems.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
tcm_fc: Fix conversion spec warning 2011-06-24T00:09:16+00:00 Nicholas Bellinger nab@linux-iscsi.org 2011-06-23T23:28:46+00:00 95efa2863996b643083957079b9304fb3c01130f This patch fixes the following conversion specification warning for size_t drivers/target/tcm_fc/tfc_io.c: In function ‘ft_queue_data_in’: drivers/target/tcm_fc/tfc_io.c:209: warning: format ‘%x’ expects type ‘unsigned int’, but argument 5 has type ‘size_t’ Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes the following conversion specification warning for size_t

drivers/target/tcm_fc/tfc_io.c: In function ‘ft_queue_data_in’:
drivers/target/tcm_fc/tfc_io.c:209: warning: format ‘%x’ expects type ‘unsigned int’, but argument 5 has type ‘size_t’

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
tcm_fc: Fix possible lock to unlock type deadlock 2011-06-24T00:09:15+00:00 Dan Carpenter error27@gmail.com 2011-06-13T20:08:46+00:00 7c7cf3b9c31ed09822e5c186297991093ee13c49 There is a typo here, it should be an unlock instead of a lock. The original code will deadlock. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
There is a typo here, it should be an unlock instead of a lock.  The
original code will deadlock.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
tcm_fc: Fix ft_send_tm LUN lookup OOPs 2011-06-24T00:09:15+00:00 Kiran Patil kiran.patil@intel.com 2011-06-22T23:30:22+00:00 61db952713a8bc1b18515db3f2eac354ec8990bd This patch fixes a bug in ft_send_tm() that was incorrectly calling ft_get_lun_for_cmd() -> transport_get_lun_for_cmd(), instead of using transport_get_lun_for_tmr() for the proper struct se_lun lookup that was triggering an OOPs in the se_cmd->tmr_req failure path. This patch fixes the issue by re-arranging the codepath where transport_get_lun_for_tmr() is called after tmr request is allocated and made it available as part of se_cmd. It also drops the now unnecessary ft_get_lun_for_cmd() unpacking code, and uses scsilun_to_int() directly ahead of transport_get_lun_for_cmd() and transport_get_lun_for_tmr() usage. Signed-off-by: Patil, Kiran <kiran.patil@intel.com> Signed-off-by: Robert Love <robert.w.love@intel.com> Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org> 
This patch fixes a bug in ft_send_tm() that was incorrectly calling
ft_get_lun_for_cmd() -> transport_get_lun_for_cmd(), instead of using
transport_get_lun_for_tmr() for the proper struct se_lun lookup
that was triggering an OOPs in the se_cmd->tmr_req failure path.

This patch fixes the issue by re-arranging the codepath where
transport_get_lun_for_tmr() is called after tmr request is allocated and
made it available as part of se_cmd.

It also drops the now unnecessary ft_get_lun_for_cmd() unpacking code, and
uses scsilun_to_int() directly ahead of transport_get_lun_for_cmd() and
transport_get_lun_for_tmr() usage.

Signed-off-by: Patil, Kiran <kiran.patil@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
target: Fix incorrect strlen() NULL terminator checks 2011-06-24T00:08:11+00:00 Dan Carpenter error27@gmail.com 2011-06-15T17:03:05+00:00 60d645a4e9e7e7ddc20e534fea82aa4e6947f911 This patch fixes a number of cases in target core using an incorrectly if (strlen(foo) > SOME_MAX_SIZE) As strlen() returns the number of characters in the string not counting the NULL character at the end. So if you do something like: char buf[10]; if (strlen("0123456789") > 10) return -ETOOLONG; snprintf(buf, 10, "0123456789"); printf("%s\n", buf); then the last "9" gets chopped off and only "012345678" is printed. Plus I threw in one small related cleanup. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch fixes a number of cases in target core using an incorrectly

	if (strlen(foo) > SOME_MAX_SIZE)

As strlen() returns the number of characters in the string not counting
the NULL character at the end.  So if you do something like:

        char buf[10];

        if (strlen("0123456789") > 10)
                return -ETOOLONG;
        snprintf(buf, 10, "0123456789");
        printf("%s\n", buf);

then the last "9" gets chopped off and only "012345678" is printed.

Plus I threw in one small related cleanup.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Drop bogus ERR_PTR usage in target_fabric_configfs_init 2011-06-24T00:03:51+00:00 Dan Carpenter error27@gmail.com 2011-06-13T20:10:49+00:00 5eff5be0b1993f4291f2b8c6d035b408010f96c5 In the original code, there were several places inside the target_fabric_configfs_init() function that returned NULL on error and one place the returned an ERR_PTR. There are two places that call this function and they only check for NULL returns; they don't check for ERR_PTRs. So I've changed the ERR_PTR so now the function only returns NULL on error. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
In the original code, there were several places inside the
target_fabric_configfs_init() function that returned NULL on error
and one place the returned an ERR_PTR.  There are two places that
call this function and they only check for NULL returns; they don't
check for ERR_PTRs.  So I've changed the ERR_PTR so now the function
only returns NULL on error.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Fix ERR_PTR dereferencing bugs 2011-06-24T00:03:27+00:00 Dan Carpenter error27@gmail.com 2011-06-15T16:41:33+00:00 552523dcbf0f33d44d816da310be8227a2c1502a transport_init_session() and core_tmr_alloc_req() never return NULL, they only return ERR_PTRs on error. v2: Fix patch to return PTR_ERR(tl_nexus->se_sess) from Ankit Jain's feedback. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Ankit Jain <jankit@suse.de> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
transport_init_session() and core_tmr_alloc_req() never return NULL,
they only return ERR_PTRs on error.

v2: Fix patch to return PTR_ERR(tl_nexus->se_sess) from Ankit Jain's
feedback.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Ankit Jain <jankit@suse.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
target: Convert transport_deregister_session_configfs nacl_sess_lock to save irq state 2011-06-23T23:59:45+00:00 Roland Dreier roland@purestorage.com 2011-06-22T08:02:21+00:00 233888644d80cc44330062e5e978c9e3a14c9cb9 This patch converts transport_deregister_session_configfs() to save/restore spinlock IRQ state for struct se_node_acl->nacl_sess_lock access as tcm_qla2xxx logic expects to call transport_deregister_session_configfs() code with irq save already held for struct qla_hw_data. Reported-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
This patch converts transport_deregister_session_configfs() to save/restore
spinlock IRQ state for struct se_node_acl->nacl_sess_lock access as tcm_qla2xxx
logic expects to call transport_deregister_session_configfs() code with
irq save already held for struct qla_hw_data.

Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>