releases/3.3.1/ib_srpt-fix-srpt_handle_cmd-send_ioctx-ioctx_kref-leak-on-exception.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 187e70a554e0f0717a65998bc9199945cbbd4692 Mon Sep 17 00:00:00 2001
 From: Nicholas Bellinger <nab@linux-iscsi.org>
 Date: Sat, 17 Mar 2012 20:12:36 -0700
 Subject: ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception

 From: Nicholas Bellinger <nab@linux-iscsi.org>

 commit 187e70a554e0f0717a65998bc9199945cbbd4692 upstream.

 This patch addresses a bug in srpt_handle_cmd() failure handling where
 send_ioctx->kref is being leaked with the local extra reference after init,
 causing the expected kref_put() in srpt_handle_send_comp() to not be the final
 call to invoke srpt_put_send_ioctx_kref() -> transport_generic_free_cmd() and
 perform se_cmd descriptor memory release.

 It also fixes a SCF_SCSI_RESERVATION_CONFLICT handling bug where this code
 is incorrectly falling through to transport_handle_cdb_direct() after
 invoking srpt_queue_status() to send SAM_STAT_RESERVATION_CONFLICT status.

 Note this patch is for >= v3.3 mainline code, and current lio-core.git
 code has already been converted to target_submit_cmd() + se_cmd->cmd_kref usage,
 and internal ioctx->kref usage has been removed.  I'm including this patch
 now into target-pending/for-next with a CC' for v3.3 stable.

 Cc: Bart Van Assche <bvanassche@acm.org>
 Cc: Roland Dreier <roland@purestorage.com>
 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/infiniband/ulp/srpt/ib_srpt.c |   19 ++++++++++++-------
  1 file changed, 12 insertions(+), 7 deletions(-)

 --- a/drivers/infiniband/ulp/srpt/ib_srpt.c
 +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
 @@ -1750,6 +1750,7 @@ static int srpt_handle_cmd(struct srpt_r
  		       srp_cmd->tag);
  		cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION;
  		cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD;
 +		kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
  		goto send_sense;
  	}

 @@ -1757,15 +1758,19 @@ static int srpt_handle_cmd(struct srpt_r
  	cmd->data_direction = dir;
  	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun,
  				       sizeof(srp_cmd->lun));
 -	if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0)
 +	if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) {
 +		kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
  		goto send_sense;
 +	}
  	ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb);
 -	if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT)
 -		srpt_queue_status(cmd);
 -	else if (cmd->se_cmd_flags & SCF_SCSI_CDB_EXCEPTION)
 -		goto send_sense;
 -	else
 -		WARN_ON_ONCE(ret);
 +	if (ret < 0) {
 +		kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
 +		if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) {
 +			srpt_queue_status(cmd);
 +			return 0;
 +		} else
 +			goto send_sense;
 +	}

  	transport_handle_cdb_direct(cmd);
  	return 0;
	From 187e70a554e0f0717a65998bc9199945cbbd4692 Mon Sep 17 00:00:00 2001
	From: Nicholas Bellinger <nab@linux-iscsi.org>
	Date: Sat, 17 Mar 2012 20:12:36 -0700
	Subject: ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception

	From: Nicholas Bellinger <nab@linux-iscsi.org>

	commit 187e70a554e0f0717a65998bc9199945cbbd4692 upstream.

	This patch addresses a bug in srpt_handle_cmd() failure handling where
	send_ioctx->kref is being leaked with the local extra reference after init,
	causing the expected kref_put() in srpt_handle_send_comp() to not be the final
	call to invoke srpt_put_send_ioctx_kref() -> transport_generic_free_cmd() and
	perform se_cmd descriptor memory release.

	It also fixes a SCF_SCSI_RESERVATION_CONFLICT handling bug where this code
	is incorrectly falling through to transport_handle_cdb_direct() after
	invoking srpt_queue_status() to send SAM_STAT_RESERVATION_CONFLICT status.

	Note this patch is for >= v3.3 mainline code, and current lio-core.git
	code has already been converted to target_submit_cmd() + se_cmd->cmd_kref usage,
	and internal ioctx->kref usage has been removed. I'm including this patch
	now into target-pending/for-next with a CC' for v3.3 stable.

	Cc: Bart Van Assche <bvanassche@acm.org>
	Cc: Roland Dreier <roland@purestorage.com>
	Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/infiniband/ulp/srpt/ib_srpt.c \| 19 ++++++++++++-------
	1 file changed, 12 insertions(+), 7 deletions(-)

	--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
	+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
	@@ -1750,6 +1750,7 @@ static int srpt_handle_cmd(struct srpt_r
	srp_cmd->tag);
	cmd->se_cmd_flags \|= SCF_SCSI_CDB_EXCEPTION;
	cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD;
	+ kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
	goto send_sense;
	}

	@@ -1757,15 +1758,19 @@ static int srpt_handle_cmd(struct srpt_r
	cmd->data_direction = dir;
	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun,
	sizeof(srp_cmd->lun));
	- if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0)
	+ if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) {
	+ kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
	goto send_sense;
	+ }
	ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb);
	- if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT)
	- srpt_queue_status(cmd);
	- else if (cmd->se_cmd_flags & SCF_SCSI_CDB_EXCEPTION)
	- goto send_sense;
	- else
	- WARN_ON_ONCE(ret);
	+ if (ret < 0) {
	+ kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
	+ if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) {
	+ srpt_queue_status(cmd);
	+ return 0;
	+ } else
	+ goto send_sense;
	+ }

	transport_handle_cdb_direct(cmd);
	return 0;