1. 01 9月, 2013 1 次提交
    • N
      target: Fix se_cmd->state_list leak regression during WRITE failure · c130480b
      Nicholas Bellinger 提交于
      This patch addresses a v3.11 specific regression where se_cmd->state_list
      was being leaked during a fabric WRITE failure, when the fabric releases
      an associated se_cmd descriptor before I/O submission occurs, and normal
      fast path callbacks have a chance to call target_remove_from_state_list().
      
      It was manifesting with Poison overwritten messages with iscsi-target
      once an ImmediateData payload CRC32C failure occured.
      
      This bug was originally introduced during v3.11-rc1 with the following
      commit:
      
      commit 0b66818a
      Author: Nicholas Bellinger <nab@linux-iscsi.org>
      Date:   Thu Jun 6 01:36:41 2013 -0700
      
          target: Drop unnecessary CMD_T_DEV_ACTIVE check from transport_lun_remove_cmd
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      c130480b
  2. 08 7月, 2013 1 次提交
    • R
      target: Add tracepoints for SCSI commands being processed · e5c0d6ad
      Roland Dreier 提交于
      This patch adds tracepoints to the target code for commands being
      received and being completed, which is quite useful for debugging
      interactions with initiators. For example, one can do something like the
      following to watch commands that are completing unsuccessfully:
      
          # echo 'scsi_status!=0' > /sys/kernel/debug/tracing/events/target/target_cmd_complete/filter
          # echo 1 > /sys/kernel/debug/tracing/events/target/target_cmd_complete/enable
      
              <run command that fails>
      
          # cat /sys/kernel/debug/tracing/trace
               iscsi_trx-0-1902  [003] ...1 990185.810385: target_cmd_complete: iqn.1993-08.org.debian:01:e51ede6aacfd <- LUN 001 status CHECK CONDITION (sense len 18 / 70 00 05 00 00 00 00 0a 00 00 00 00 20 00 00 00 00 00)  0x95 data_length    512  CDB 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (TA:SIMPLE C:00)
      
      (v2: Drop undefined COMPARE_AND_WRITE)
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      e5c0d6ad
  3. 21 6月, 2013 6 次提交
    • N
      target: Drop legacy se_cmd->check_release bit · ca24976a
      Nicholas Bellinger 提交于
      Now with iscsi-target using modern se_cmd->cmd_kref accounting in
      v3.10 code, it's safe to go ahead and drop the legacy release
      codepath + se_cmd->check_release bit in transport_release_cmd()
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      ca24976a
    • N
      target: Drop unnecessary t_state_lock access for SCF_SUPPORTED_SAM_OPCODE assignment · b28e545c
      Nicholas Bellinger 提交于
      This patch drops the se_cmd->t_state_lock access around SCF_SUPPORTED_SAM_OPCODE
      assignment within target_setup_cmd_from_cdb().
      
      Original v4.0 target code required this as fabrics would be checking for
      this values in different process contexts for setup and I/O submission.
      
      Given that modern v4.1 target code performs setup and I/O submission
      from the same process context, this t_state_lock access is no longer
      required.
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      b28e545c
    • N
      target: Avoid extra t_state_lock access in __target_execute_cmd · 1a398b97
      Nicholas Bellinger 提交于
      This patch makes target_execute_cmd() set CMD_T_BUSY|CMD_T_SENT while
      holding se_cmd->t_state_lock, in order to avoid the extra aquire/release
      in __target_execute_cmd().
      
      It also clears these bits in case of a target_handle_task_attr()
      failure.
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      1a398b97
    • N
      target: Remove legacy t_fe_count + avoid t_state_lock access in transport_put_cmd · c1c35d52
      Nicholas Bellinger 提交于
      This patch removes legacy se_cmd->t_fe_count usage in order to avoid
      se_cmd->t_state_lock access within transport_put_cmd() during normal
      fast path se_cmd descriptor release.
      
      Also drop the left-over parameter usage within core_tmr_handle_tas_abort()
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      c1c35d52
    • N
      target: Drop unnecessary CMD_T_DEV_ACTIVE check from transport_lun_remove_cmd · 0b66818a
      Nicholas Bellinger 提交于
      This patch drops an unnecessary acquire/release of se_cmd->t_state_lock within
      transport_lun_remove_cmd() when checking CMD_T_DEV_ACTIVE for invoking
      target_remove_from_state_list().
      
      For all fast path completion cases, transport_lun_remove_cmd() is always
      called ahead of transport_cmd_check_stop(), and since transport_cmd_check_stop()
      is calling target_remove_from_state_list() when remove_from_lists=true,
      the t_state_lock usage in transport_lun_remove_cmd() can safely be removed.
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      0b66818a
    • N
      target: Add transport_cmd_check_stop write_pending bit · 862e6389
      Nicholas Bellinger 提交于
      This patch adds a new transport_cmd_check_stop() parameter for signaling
      when TRANSPORT_WRITE_PENDING needs to be set.
      
      This allows transport_generic_new_cmd() to avoid the extra lock acquire/release
      of ->t_state_lock in the fast path for DMA_TO_DEVICE operations ahead of
      transport_cmd_check_stop() + se_tfo->write_pending().
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: Kent Overstreet <koverstreet@google.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Moussa Ba <moussaba@micron.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      862e6389
  4. 31 5月, 2013 1 次提交
  5. 30 5月, 2013 1 次提交
    • N
      target: Re-instate sess_wait_list for target_wait_for_sess_cmds · 9b31a328
      Nicholas Bellinger 提交于
      Switch back to pre commit 1c7b13fe list splicing logic for active I/O
      shutdown with tcm_qla2xxx + ib_srpt fabrics.
      
      The original commit was done under the incorrect assumption that it's safe to
      walk se_sess->sess_cmd_list unprotected in target_wait_for_sess_cmds() after
      sess->sess_tearing_down = 1 has been set by target_sess_cmd_list_set_waiting()
      during session shutdown.
      
      So instead of adding sess->sess_cmd_lock protection around sess->sess_cmd_list
      during target_wait_for_sess_cmds(), switch back to sess->sess_wait_list to
      allow wait_for_completion() + TFO->release_cmd() to occur without having to
      walk ->sess_cmd_list after the list_splice.
      
      Also add a check to exit if target_sess_cmd_list_set_waiting() has already
      been called, and add a WARN_ON to check for any fabric bug where new se_cmds
      are added to sess->sess_cmd_list after sess->sess_tearing_down = 1 has already
      been set.
      
      Cc: Joern Engel <joern@logfs.org>
      Cc: Roland Dreier <roland@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      9b31a328
  6. 21 5月, 2013 1 次提交
  7. 15 5月, 2013 1 次提交
  8. 04 5月, 2013 1 次提交
  9. 25 4月, 2013 2 次提交
  10. 29 3月, 2013 1 次提交
    • N
      target: Fix RESERVATION_CONFLICT status regression for iscsi-target special case · f85eda8d
      Nicholas Bellinger 提交于
      This patch fixes a regression introduced in v3.8-rc1 code where a failed
      target_check_reservation() check in target_setup_cmd_from_cdb() was causing
      an incorrect SAM_STAT_GOOD status to be returned during a WRITE operation
      performed by an unregistered / unreserved iscsi initiator port.
      
      This regression is only effecting iscsi-target due to a special case check
      for TCM_RESERVATION_CONFLICT within iscsi_target_erl1.c:iscsit_execute_cmd(),
      and was still correctly disallowing WRITE commands from backend submission
      for unregistered / unreserved initiator ports, while returning the incorrect
      SAM_STAT_GOOD status due to the missing SAM_STAT_RESERVATION_CONFLICT
      assignment.
      
      This regression was first introduced with:
      
      commit de103c93
      Author: Christoph Hellwig <hch@lst.de>
      Date:   Tue Nov 6 12:24:09 2012 -0800
      
          target: pass sense_reason as a return value
      
      Go ahead and re-add the missing SAM_STAT_RESERVATION_CONFLICT assignment
      during a target_check_reservation() failure, so that iscsi-target code
      sends the correct SCSI status.
      
      All other fabrics using target_submit_cmd_*() with a RESERVATION_CONFLICT
      call to transport_generic_request_failure() are not effected by this bug.
      Reported-by: NJeff Leung <jleung@curriegrad2004.ca>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      f85eda8d
  11. 14 2月, 2013 2 次提交
    • R
      target: Fix error checking for UNMAP commands · bb992e72
      Roland Dreier 提交于
      SBC-3 (revision 35) says:
      
          The PARAMETER LIST LENGTH field specifies the length in bytes of the
          UNMAP parameter list that is available to be transferred from the
          Data-Out Buffer. If the parameter list length is greater than zero
          and less than 0008h (i.e., eight), then the device server shall
          terminate the command with CHECK CONDITION status with the sense key
          set to ILLEGAL REQUEST and the additional sense code set to
          PARAMETER LIST LENGTH ERROR. A PARAMETER LIST LENGTH set to zero
          specifies that no data shall be sent.
      
      so our sense code for too-short descriptors was wrong, and we were
      incorrectly failing commands that didn't transfer any descriptors.
      
      While we're at it, also handle the UNMAP check:
      
          If the ANCHOR bit is set to one, and the ANC_SUP bit in the Logical
          Block Provisioning VPD page (see 6.6.4) is set to zero, then the
          device server shall terminate the command with CHECK CONDITION
          status with the sense key set to ILLEGAL REQUEST and the additional
          sense code set to INVALID FIELD IN CDB.
      
      (chris boot: Fix wrong cut+paste comment in transport_send_check_condition_and_sense)
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      bb992e72
    • D
      target: change sprintf to snprintf in transport_dump_vpd_ident · 703d641d
      Dan Carpenter 提交于
      "buf" is 128 characters and "vpd->device_identifier" is 256.  It makes
      the static checkers complain.
      
      Also bump VPD_TMP_BUF_SIZE to match INQUIRY_VPD_DEVICE_IDENTIFIER_LEN.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      703d641d
  12. 11 1月, 2013 4 次提交
    • R
      target: Release se_cmd when LUN lookup fails for TMR · 5a3b6fc0
      Roland Dreier 提交于
      When transport_lookup_tmr_lun() fails and we return a task management
      response from target_complete_tmr_failure(), we need to call
      transport_cmd_check_stop_to_fabric() to release the last ref to the
      cmd after calling se_tfo->queue_tm_rsp(), or else we will never remove
      the failed TMR from the session command list (and we'll end up waiting
      forever when trying to tear down the session).
      
      (nab: Fix minor compile breakage)
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      5a3b6fc0
    • R
      target: Fix use-after-free in LUN RESET handling · 72b59d6e
      Roland Dreier 提交于
      If a backend IO takes a really long then an initiator might abort a
      command, and then when it gives up on the abort, send a LUN reset too,
      all before we process any of the original command or the abort.  (The
      abort will wait for the backend IO to complete too)
      
      When the backend IO final completes (or fails), the abort handling
      will proceed and queue up a "return aborted status" operation.  Then,
      while that's still pending, the LUN reset might find the original
      command still on the LUN's list of commands and try to return aborted
      status again, which leads to a use-after free when the first
      se_tfo->queue_status call frees the command and then the second
      se_tfo->queue_status call runs.
      
      Fix this by removing a command from the LUN state_list when we first
      are about to queue aborted status; we shouldn't do anything
      LUN-related after we've started returning status, so this seems like
      the correct thing to do.
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      72b59d6e
    • R
      target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs · e627c615
      Roland Dreier 提交于
      This patch fixes a regression bug introduced during v3.6.x code with
      the following commit to drop transport_add_cmd_to_queue(), which
      originally re-set CMD_T_ACTIVE during pending WRITE I/O submission:
      
      commit af877292
      Author: Christoph Hellwig <hch@infradead.org>
      Date:   Sun Jul 8 15:58:49 2012 -0400
      
          target: replace the processing thread with a TMR work queue
      
      The following sequence happens for write commands (or any other
      commands with a data out phase):
      
       - The transport calls target_submit_cmd(), which sets CMD_T_ACTIVE in
         cmd->transport_state and sets cmd->t_state to TRANSPORT_NEW_CMD.
       - Things go on transport_generic_new_cmd(), which notices that the
         command needs to transfer data, so it sets cmd->t_state to
         TRANSPORT_WRITE_PENDING and calls transport_cmd_check_stop().
       - transport_cmd_check_stop() clears CMD_T_ACTIVE in cmd->transport_state
         and returns in the normal case.
       - Then we continue on to call ->se_tfo->write_pending().
       - The data comes back from the initiator, and the transport calls
         target_execute_cmd(), which sets cmd->t_state to TRANSPORT_PROCESSING
         and calls into the backend to actually write the data.
      
      At this point, the backend might take a long time to complete the
      command, since it has to do real IO.  If an abort request comes in for
      this command at this point, it will not wait for the command to finish
      since CMD_T_ACTIVE is not set.  Then when the command does finally
      finish, we blow up with use-after-free.
      
      Avoid this by setting CMD_T_ACTIVE in target_execute_cmd() so that
      transport_wait_for_tasks() waits for the command to finish executing.
      This matches the behavior from before commit 1389533e ("target:
      remove transport_generic_handle_data"), when data was signaled via
      transport_generic_handle_data(), which set CMD_T_ACTIVE because it
      called transport_add_cmd_to_queue().
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Reported-by: NMartin Svec <martin.svec@zoner.cz>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      e627c615
    • H
      target: Introduce TCM_NO_SENSE · ba829137
      Hannes Reinecke 提交于
      Introduce TCM_NO_SENSE, mapping to sense code
      'Not ready, no additional sense information'.
      Signed-off-by: NHannes Reinecke <hare@suse.de>
      Cc: Nicholas Bellinger <nab@risingtidesystems.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      ba829137
  13. 09 1月, 2013 1 次提交
  14. 28 11月, 2012 3 次提交
  15. 18 11月, 2012 1 次提交
  16. 08 11月, 2012 1 次提交
    • N
      target: Fix possible TFO->write_pending() sense_reason_t silent WRITE corruption · b69c1fcf
      Nicholas Bellinger 提交于
      This patch fixes a possible case in transport_generic_new_cmd() where a
      failure from TFO->write_pending() from a fabric module return something
      other than -EAGAIN or -ENOMEM would cause a failed WRITE to silently
      succeed.
      
      Go ahead and return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE for this
      special case instead of only just making noise with WARN_ON().
      
      (v2: Fix incorrect exception return for all cases)
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@purestorage.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      b69c1fcf
  17. 07 11月, 2012 6 次提交
  18. 27 10月, 2012 1 次提交
    • N
      target: Fix double-free of se_cmd in target_complete_tmr_failure · e13d5fef
      Nicholas Bellinger 提交于
      Fabric drivers currently expect to internally release se_cmd in the event
      of a TMR failure during target_submit_tmr(), which means the immediate call
      to transport_generic_free_cmd() after TFO->queue_tm_rsp() from within
      target_complete_tmr_failure() workqueue context is wrong.
      
      This is done as some fabrics expect TMR operations to be acknowledged
      before releasing the descriptor, so the assumption that core is releasing
      se_cmd associated TMR memory is incorrect.  This fixes a OOPs where
      transport_generic_free_cmd() was being called more than once.
      
      This bug was originally observed with tcm_qla2xxx fabric ports.
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Roland Dreier <roland@purestorage.com>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      e13d5fef
  19. 03 10月, 2012 2 次提交
  20. 18 9月, 2012 3 次提交
    • P
      target: go through normal processing for all zero-length commands · d81cb447
      Paolo Bonzini 提交于
      Yay, all users of transport_kmap_data_sg now check for a zero-length
      request and/or a too-small parameter list length.  We can thus go through
      the normal emulation path even for such commands.
      
      This means that out-of-bounds reads and writes are now reported correctly
      even if they transfer 0 blocks.  Other errors are also reported correctly.
      
      Testcase: sg_raw /dev/sdb 28 00 80 00 00 00 00 00 00 00
          should fail with ILLEGAL REQUEST / LBA OUT OF RANGE sense
          does not fail without the patch
          (still wrong with the patch, but better: the ASC is INVALID FIELD IN CDB)
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      d81cb447
    • M
      target: Fix minor spelling typos in drivers/target · 35d1efe8
      Masanari Iida 提交于
      Correct spelling typo in printk and comment within drivers/target.
      Signed-off-by: NMasanari Iida <standby24x7@gmail.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      35d1efe8
    • R
      target: Simplify fabric sense data length handling · 9c58b7dd
      Roland Dreier 提交于
      Every fabric driver has to supply a se_tfo->set_fabric_sense_len()
      method, just so iSCSI can return an offset of 2.  However, every fabric
      driver is already allocating a sense buffer and passing it into the
      target core, either via transport_init_se_cmd() or target_submit_cmd().
      
      So instead of having iSCSI pass the start of its sense buffer into the
      core and then later tell the core to skip the first 2 bytes, it seems
      easier for iSCSI just to do the offset of 2 when it passes the sense
      buffer into the core.  Then we can drop the se_tfo->set_fabric_sense_len()
      everywhere, and just add a couple of lines of code to iSCSI to set the
      sense data length to the beginning of the buffer right before it sends
      it over the network.
      
      (nab: Remove .set_fabric_sense_len usage from tcm_qla2xxx_npiv_ops +
            change transport_get_sense_buffer to follow v3.6-rc6 code w/o
            ->set_fabric_sense_len usage)
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      9c58b7dd