1. 25 5月, 2011 5 次提交
    • N
      [SCSI] target: Convert REPORT_LUNs to use int_to_scsilun · d60b7a0f
      Nicholas Bellinger 提交于
      This patch converts transport_core_report_lun_response() to use
      drivers/scsi/scsi_scan.c:int_to_scsilun instead of using the
      struct target_core_fabric_ops->pack_lun() fabric provided API vector.
      
      It also removes the tfo->pack_lun check from target_fabric_tf_ops_check()
      and removes from struct target_core_fabric_ops->pack_lun() from
      target_core_fabric_ops.h, and the following mainline scsi-misc fabric
      modules:
      
      *) tcm_loop: Drop tcm_loop_pack_lun() usage
      *) tcm_fc: Drop ft_pack_lun() usage
      Reported-by: NMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
      d60b7a0f
    • N
      [SCSI] target: Fix task->task_execute_queue=1 clear bug + LUN_RESET OOPs · af57c3ac
      Nicholas Bellinger 提交于
      This patch fixes a bug where task->task_execute_queue=1 was not being
      cleared once se_task had been removed from se_device->execute_task_list,
      resulting in an OOPs in core_tmr_lun_reset() for the task->task_active=0
      case where transport_remove_task_from_execute_queue() was incorrectly
      being called.
      
      This patch fixes two cases in transport_get_task_from_execute_queue()
      and transport_remove_task_from_execute_queue() to properly clear
      task->task_execute_queue=0 once list_del(&task->t_execute_list) has
      been called.
      
      It also adds an explict check in transport_remove_task_from_execute_queue()
      to dump_stack + return if called with task->task_execute_queue=0.
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
      af57c3ac
    • N
      [SCSI] target: Fix bug with task_sg chained transport_free_dev_tasks release · f4366772
      Nicholas Bellinger 提交于
      This patch addresses a bug in the target core release path for HW
      operation where transport_free_dev_tasks() was incorrectly being called
      from transport_lun_remove_cmd() while releasing a se_cmd reference and
      calling struct target_core_fabric_ops->queue_data_in().
      
      This would result in a OOPs with HW target mode when the release of
      se_task->task_sg[] would happen before pci_unmap_sg() can be called in
      HW target mode fabric module code.  This patch addresses the issue by
      moving transport_free_dev_tasks() from transport_lun_remove_cmd() into
      transport_generic_free_cmd(), and adding TRANSPORT_FREE_CMD_INTR and
      transport_generic_free_cmd_intr() to allow se_cmd descriptor release
      to happen fromfrom within transport_processing_thread() process context
      when release of se_cmd is not possible from HW interrupt context.
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
      f4366772
    • N
      [SCSI] target: Fix interrupt context bug with stats_lock and core_tmr_alloc_req · 53ab6709
      Nicholas Bellinger 提交于
      This patch fixes two bugs wrt to the interrupt context usage of target
      core with HW target mode drivers.  It first converts the usage of struct
      se_device->stats_lock in transport_get_lun_for_cmd() and core_tmr_lun_reset()
      to properly use spin_lock_irq() to address an BUG with CONFIG_LOCKDEP_SUPPORT=y
      enabled.
      
      This patch also adds a 'in_interrupt()' check to allow GFP_ATOMIC usage from
      core_tmr_alloc_req() to fix a 'sleeping in interrupt context' BUG with HW
      target fabrics that require this logic to function.
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
      53ab6709
    • N
      [SCSI] target: Fix multi task->task_sg[] chaining logic bug · 97868c89
      Nicholas Bellinger 提交于
      This patch fixes a bug in transport_do_task_sg_chain() used by HW target
      mode modules with sg_chain() to provide a single sg_next() walkable memory
      layout for use with pci_map_sg() and friends.  This patch addresses an
      issue with mapping multiple small block max_sector tasks across multiple
      struct se_task->task_sg[] mappings for HW target mode operation.
      
      This was causing OOPs with (cmd->t_task->t_tasks_no > 1) I/O traffic for
      HW target drivers using transport_do_task_sg_chain(), and has been tested
      so far with tcm_fc(openfcoe), tcm_qla2xxx, and ib_srpt fabrics with
      t_tasks_no > 1 IBLOCK backends using a smaller max_sectors to trigger the
      original issue.
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      Acked-by: NKiran Patil <kiran.patil@intel.com>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <jbottomley@parallels.com>
      97868c89
  2. 17 5月, 2011 1 次提交
  3. 10 4月, 2011 1 次提交
  4. 31 3月, 2011 1 次提交
  5. 24 3月, 2011 14 次提交
  6. 15 3月, 2011 1 次提交
  7. 10 3月, 2011 1 次提交
  8. 02 3月, 2011 1 次提交
  9. 01 3月, 2011 1 次提交
    • N
      [SCSI] target: Fix t_transport_aborted handling in LUN_RESET + active I/O shutdown · 52208ae3
      Nicholas Bellinger 提交于
      This patch addresses two outstanding bugs related to
      T_TASK(cmd)->t_transport_aborted handling during TMR LUN_RESET and
      active I/O shutdown.
      
      This first involves adding two explict t_transport_aborted=1
      assignments in core_tmr_lun_reset() in order to signal the task has
      been aborted, and updating transport_generic_wait_for_tasks() to skip
      sleeping when t_transport_aborted=1 has been set.  This fixes an issue
      where transport_generic_wait_for_tasks() would end up sleeping
      indefinately when called from fabric module context while TMR
      LUN_RESET was happening with long outstanding backend struct se_task
      not yet being completed.
      
      The second adds a missing call to
      transport_remove_task_from_execute_queue() when
      task->task_execute_queue=1 is set in order to fix an OOPs when
      task->t_execute_list has not been dropped.  It also fixes the same
      case in transport_processing_shutdown() to prevent the issue from
      happening during active I/O struct se_device shutdown.
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      52208ae3
  10. 17 2月, 2011 1 次提交
  11. 13 2月, 2011 8 次提交
    • N
      [SCSI] target: fix use after free detected by SLUB poison · 1f6fe7cb
      Nicholas Bellinger 提交于
      This patch moves a large number of memory release paths inside of the
      configfs callback target_core_hba_item_ops->release() called from
      within fs/configfs/item.c: config_item_cleanup() context.  This patch
      resolves the SLUB 'Poison overwritten' warnings.
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      1f6fe7cb
    • N
      [SCSI] target: Remove procfs based target_core_mib.c code · e89d15ee
      Nicholas Bellinger 提交于
      This patch removes the legacy procfs based target_core_mib.c code,
      and moves the necessary scsi_index_tables functions and defines into
      target_core_transport.c and target_core_base.h code to allow existing
      fabric independent statistics to function.
      
      This includes the removal of a handful of 'atomic_t mib_ref_count'
      counters used in struct se_node_acl, se_session and se_hba to prevent
      removal while using seq_list procfs walking logic.
      
      [jejb: fix up compile failures]
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      e89d15ee
    • N
      [SCSI] target: Fix SCF_SCSI_CONTROL_SG_IO_CDB breakage · e63af958
      Nicholas Bellinger 提交于
      This patch fixes a bug introduced during the v4 control CDB emulation
      refactoring that broke SCF_SCSI_CONTROL_SG_IO_CDB operation within
      transport_map_control_cmd_to_task().  It moves the BUG_ON() into
      transport_do_se_mem_map() after the TRANSPORT(dev)->do_se_mem_map()
      RAMDISK_DR special case, and adds the proper struct se_mem assignment
      when !list_empty() for normal non RAMDISK_DR backend device cases.
      Reported-by: NKai-Thorsten Hambrecht <kai@hambrecht.org>
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      e63af958
    • N
      [SCSI] target: Fix top-level configfs_subsystem default_group shutdown breakage · 7c2bf6e9
      Nicholas Bellinger 提交于
      This patch fixes two bugs uncovered during testing with
      slub_debug=FPUZ during module_exit() -> target_core_exit_configfs()
      with release of configfs subsystem consumer default groups, namely how
      this should be working with
      fs/configfs/dir.c:configfs_unregister_subsystem() release logic for
      struct config_group->default_group.
      
      The first issue involves configfs_unregister_subsystem() expecting to
      walk+drain the top-level subsys->su_group.default_groups directly in
      unlink_group(), and not directly from the configfs subsystem consumer
      for the top level struct config_group->default_groups.  This patch
      drops the walk+drain of subsys->su_group.default_groups from TCM
      configfs subsystem consumer code, and moves the top-level
      ->default_groups kfree() after configfs_unregister_subsystem() has
      been called.
      
      The second issue involves calling
      core_alua_free_lu_gp(se_global->default_lu_gp) to release the
      default_lu_gp->lu_gp_group before configfs_unregister_subsystem() has
      been called.  This patches also moves the core_alua_free_lu_gp() call
      to release default_lu_group->lu_gp_group after the subsys has been
      unregistered.
      
      Finally, this patch explictly clears the
      [lu_gp,alua,hba]_cg->default_groups pointers after kfree() to ensure
      that no stale memory is picked up from child struct
      config_group->default_group[] while configfs_unregister_subsystem() is
      called.
      Reported-by: NFubo Chen <fubo.chen@gmail.com>
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      7c2bf6e9
    • F
      [SCSI] target: fixed missing lock drop in error path · 85dc98d9
      Fubo Chen 提交于
      The struct se_node_acl->device_list_lock needs to be released if either
      sanity check for struct se_dev_entry->se_lun_acl or deve->se_lun fails.
      Signed-off-by: NFubo Chen <fubo.chen@gmail.com>
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      85dc98d9
    • N
      [SCSI] target: Fix demo-mode MappedLUN shutdown UA/PR breakage · 29fe609d
      Nicholas Bellinger 提交于
      This patch fixes a bug in core_update_device_list_for_node() where
      individual demo-mode generated MappedLUN's UA + Persistent
      Reservations metadata where being leaked, instead of falling through
      and calling existing core_scsi3_ua_release_all() and
      core_scsi3_free_pr_reg_from_nacl() at the end of
      core_update_device_list_for_node().
      
      This bug would manifest itself with the following OOPs w/ TPG
      demo-mode endpoints (tfo->tpg_check_demo_mode()=1), and PROUT
      REGISTER+RESERVE -> explict struct se_session logout -> struct
      se_device shutdown:
      
      [  697.021139] LIO_iblock used greatest stack depth: 2704 bytes left
      [  702.235017] general protection fault: 0000 [#1] SMP
      [  702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate
      [  704.372695] CPU 0
      [  704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod]
      [  704.375442]
      [  704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
      [  704.375912] RIP: 0010:[<ffffffffa00aaa16>]  [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
      [  704.376017] RSP: 0018:ffff88001e5ffcb8  EFLAGS: 00010296
      [  704.376017] RAX: 6d32335b1b0a0d0a RBX: ffff88001d952cb0 RCX: 0000000000000015
      [  704.376017] RDX: ffff88001b428000 RSI: ffff88001da5a4c0 RDI: ffff88001e5ffcd8
      [  704.376017] RBP: ffff88001e5ffd28 R08: ffff88001e5ffcd8 R09: ffff88001d952080
      [  704.377116] R10: ffff88001dfc5480 R11: ffff88001df8abb0 R12: ffff88001d952cb0
      [  704.377319] R13: 0000000000000000 R14: ffff88001df8abb0 R15: ffff88001b428000
      [  704.377521] FS:  00007f033d15c6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000
      [  704.377861] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  704.378043] CR2: 00007fff09281510 CR3: 000000001e5db000 CR4: 00000000000006f0
      [  704.378110] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  704.378110] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  704.378110] Process tcm_node (pid: 4964, threadinfo ffff88001e5fe000, task ffff88001d99c260)
      [  704.378110] Stack:
      [  704.378110]  ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00
      [  704.378110]  ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282
      [  704.379772]  ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010
      [  704.380082] Call Trace:
      [  704.380220]  [<ffffffff810ea236>] ? __slab_free+0x89/0x11c
      [  704.380403]  [<ffffffffa00ab781>] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod]
      [  704.380479]  [<ffffffffa00a752b>] se_release_device_for_hba+0xa6/0xd8 [target_core_mod]
      [  704.380479]  [<ffffffffa00a7598>] se_free_virtual_device+0x3b/0x45 [target_core_mod]
      [  704.383750]  [<ffffffffa00a3177>] target_core_drop_subdev+0x13a/0x18d [target_core_mod]
      [  704.384068]  [<ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
      [  704.384263]  [<ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
      [  704.384459]  [<ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
      [  704.384631]  [<ffffffff810fc3be>] do_rmdir+0xa3/0xf4
      [  704.384895]  [<ffffffff810eed15>] ? filp_close+0x67/0x72
      [  704.386485]  [<ffffffff810fc446>] sys_rmdir+0x11/0x13
      [  704.387893]  [<ffffffff81002a92>] system_call_fastpath+0x16/0x1b
      [  704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00
      [  704.388763] RIP  [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
      [  704.389142]  RSP <ffff88001e5ffcb8>
      [  704.389572] ---[ end trace 2a3614f3cd6261a5 ]---
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      29fe609d
    • N
      [SCSI] target/iblock: Fix failed bd claim NULL pointer dereference · bc665524
      Nicholas Bellinger 提交于
      This patch adds an explict check for struct iblock_dev->ibd_bd in
      iblock_free_device() before calling blkdev_put(), which will otherwise hit
      the following NULL pointer dereference @ ib_dev->ibd_bd when iblock_create_virtdevice()
      fails to claim an already in-use struct block_device via blkdev_get_by_path().
      
      [  112.528578] Target_Core_ConfigFS: Allocated struct se_subsystem_dev: ffff88001e750000 se_dev_su_ptr: ffff88001dd05d70
      [  112.534681] Target_Core_ConfigFS: Calling t->free_device() for se_dev_su_ptr: ffff88001dd05d70
      [  112.535029] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      [  112.535029] IP: [<ffffffff814987a3>] mutex_lock+0x14/0x35
      [  112.535029] PGD 1e5d0067 PUD 1e274067 PMD 0
      [  112.535029] Oops: 0002 [#1] SMP
      [  112.535029] last sysfs file: /sys/devices/pci0000:00/0000:00:07.1/host2/target2:0:0/2:0:0:0/type
      [  112.535029] CPU 0
      [  112.535029] Modules linked in: iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: scsi_wait_scan]
      [  112.535029]
      [  112.535029] Pid: 3345, comm: python2.5 Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
      [  112.535029] RIP: 0010:[<ffffffff814987a3>]  [<ffffffff814987a3>] mutex_lock+0x14/0x35
      [  112.535029] RSP: 0018:ffff88001e6d7d58  EFLAGS: 00010246
      [  112.535029] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000082
      [  112.535029] RDX: ffff88001e6d7fd8 RSI: 0000000000000083 RDI: 0000000000000020
      [  112.535029] RBP: ffff88001e6d7d68 R08: 0000000000000000 R09: 0000000000000000
      [  112.535029] R10: ffff8800000be860 R11: ffff88001f420000 R12: 0000000000000020
      [  112.535029] R13: 0000000000000083 R14: ffff88001d809430 R15: ffff88001d8094f8
      [  112.535029] FS:  00007ff17ca7d6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000
      [  112.535029] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  112.535029] CR2: 0000000000000020 CR3: 000000001e5d2000 CR4: 00000000000006f0
      [  112.535029] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  112.535029] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  112.535029] Process python2.5 (pid: 3345, threadinfo ffff88001e6d6000, task ffff88001e2d0760)
      [  112.535029] Stack:
      [  112.535029]  ffff88001e6d7d88 0000000000000000 ffff88001e6d7d98 ffffffff811187fc
      [  112.535029]  ffff88001d809430 ffff88001dd05d70 ffff88001e750860 ffff88001e750000
      [  112.535029]  ffff88001e6d7db8 ffffffffa00e3757 ffff88001e6d7db8 0000000000000004
      [  112.535029] Call Trace:
      [  112.535029]  [<ffffffff811187fc>] blkdev_put+0x28/0x107
      [  112.535029]  [<ffffffffa00e3757>] iblock_free_device+0x1d/0x36 [target_core_iblock]
      [  112.535029]  [<ffffffffa00a319c>] target_core_drop_subdev+0x15f/0x18d [target_core_mod]
      [  112.535029]  [<ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
      [  112.535029]  [<ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
      [  112.535029]  [<ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
      [  112.535029]  [<ffffffff810fc3be>] do_rmdir+0xa3/0xf4
      [  112.535029]  [<ffffffff810fc446>] sys_rmdir+0x11/0x13
      [  112.535029]  [<ffffffff81002a92>] system_call_fastpath+0x16/0x1b
      [  112.535029] Code: 8b 04 25 88 b5 00 00 48 2d d8 1f 00 00 48 89 43 18 31 c0 5e 5b c9 c3 55 48 89 e5 53 48 89 fb 48 83 ec 08 e8 c4 f7 ff ff 48 89 df <3e> ff 0f 79 05 e8 1e ff ff ff 65 48 8b 04 25 88 b5 00 00 48 2d
      [  112.535029] RIP  [<ffffffff814987a3>] mutex_lock+0x14/0x35
      [  112.535029]  RSP <ffff88001e6d7d58>
      [  112.535029] CR2: 0000000000000020
      [  132.679636] ---[ end trace 05754bb48eb828f0 ]---
      
      Note it also adds an second explict check for ib_dev->ibd_bio_set before calling
      bioset_free() to fix the same possible NULL pointer deference during an early
      iblock_create_virtdevice() failure.
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      bc665524
    • D
      [SCSI] target: iblock/pscsi claim checking for NULL instead of IS_ERR · 3ae279d2
      Dan Carpenter 提交于
      blkdev_get_by_path() returns an ERR_PTR() or error and it doesn't return
      a NULL.  It looks like this bug would be easy to trigger by mistake.
      Signed-off-by: NDan Carpenter <error27@gmail.com>
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      3ae279d2
  12. 15 1月, 2011 1 次提交
    • N
      [SCSI] target: Add LIO target core v4.0.0-rc6 · c66ac9db
      Nicholas Bellinger 提交于
      LIO target is a full featured in-kernel target framework with the
      following feature set:
      
      High-performance, non-blocking, multithreaded architecture with SIMD
      support.
      
      Advanced SCSI feature set:
      
          * Persistent Reservations (PRs)
          * Asymmetric Logical Unit Assignment (ALUA)
          * Protocol and intra-nexus multiplexing, load-balancing and failover (MC/S)
          * Full Error Recovery (ERL=0,1,2)
          * Active/active task migration and session continuation (ERL=2)
          * Thin LUN provisioning (UNMAP and WRITE_SAMExx)
      
      Multiprotocol target plugins
      
      Storage media independence:
      
          * Virtualization of all storage media; transparent mapping of IO to LUNs
          * No hard limits on number of LUNs per Target; maximum LUN size ~750 TB
          * Backstores: SATA, SAS, SCSI, BluRay, DVD, FLASH, USB, ramdisk, etc.
      
      Standards compliance:
      
          * Full compliance with IETF (RFC 3720)
          * Full implementation of SPC-4 PRs and ALUA
      
      Significant code cleanups done by Christoph Hellwig.
      
      [jejb: fix up for new block bdev exclusive interface. Minor fixes from
       Randy Dunlap and Dan Carpenter.]
      Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJames Bottomley <James.Bottomley@suse.de>
      c66ac9db