1. 20 Jul, 2016 3 commits
  2. 16 May, 2016 2 commits
  3. 13 May, 2016 1 commit
  4. 10 May, 2016 10 commits
  5. 30 Mar, 2016 2 commits
  6. 10 Mar, 2016 1 commit
  7. 06 Mar, 2016 1 commit
  8. 27 Feb, 2016 1 commit
  9. 11 Feb, 2016 1 commit
  10. 06 Feb, 2016 1 commit
  11. 05 Feb, 2016 1 commit
    • target: Fix remote-port TMR ABORT + se_cmd fabric stop · 0f4a9431
      Nicholas Bellinger authored
      To address the bug where fabric driver level shutdown
      of se_cmd occurs at the same time when TMR CMD_T_ABORTED
      is happening resulting in a -1 ->cmd_kref, this patch
      adds a CMD_T_FABRIC_STOP bit that is used to determine
      when TMR + driver I_T nexus shutdown is happening
      concurrently.
      
      It changes target_sess_cmd_list_set_waiting() to obtain
      se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local
      reference in target_wait_for_sess_cmds() and invoke extra
      target_put_sess_cmd() during Task Aborted Status (TAS)
      when necessary.
      
      Also, it adds a new target_wait_free_cmd() wrapper around
      transport_wait_for_tasks() for the special case within
      transport_generic_free_cmd() to set CMD_T_FABRIC_STOP,
      and is now aware of CMD_T_ABORTED + CMD_T_TAS status
      bits to know when an extra transport_put_cmd() during
      TAS is required.
      
      Note transport_generic_free_cmd() is expected to block on
      cmd->cmd_wait_comp in order to follow what iscsi-target
      expects during iscsi_conn context se_cmd shutdown.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@daterainc.com>
  12. 03 Feb, 2016 1 commit
    • target: Fix LUN_RESET active I/O handling for ACK_KREF · febe562c
      Nicholas Bellinger authored
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      
      Reviewed-by: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  13. 29 Jan, 2016 1 commit
    • target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors · 8a9ebe71
      Mike Christie authored
      In a couple places we are not converting to/from the Linux
      block layer 512 bytes sectors.
      
      1.
      
      The request queue values and what we do are a mismatch of
      things:
      
      max_discard_sectors - This is in linux block layer 512 byte
      sectors. We are just copying this to max_unmap_lba_count.
      
      discard_granularity - This is in bytes. We are converting it
      to Linux block layer 512 byte sectors.
      
      discard_alignment - This is in bytes. We are just copying
      this over.
      
      The problem is that the core LIO code exports these values in
      spc_emulate_evpd_b0 and we use them to test request arguments
      in sbc_execute_unmap, but we never convert to the block size
      we export to the initiator. If we are not using 512 byte sectors
      then we are exporting the wrong values or our checks are off.
      And, for the discard_alignment/bytes case we are just plain messed
      up.
      
      2.
      
      blkdev_issue_discard's start and number of sector arguments
      are supposed to be in linux block layer 512 byte sectors. We are
      currently passing in the values we get from the initiator which
      might be based on some other sector size.
      
      There is a similar problem in iblock_execute_write_same where
      the bio functions want values in 512 byte sectors but we are
      passing in what we got from the initiator.
      
      Signed-off-by: Mike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  14. 27 Jan, 2016 1 commit
  15. 20 Jan, 2016 2 commits
    • target: Obtain se_node_acl->acl_kref during get_initiator_node_acl · 21aaa23b
      Nicholas Bellinger authored
      This patch addresses a long standing race where obtaining
      se_node_acl->acl_kref in __transport_register_session()
      happens a bit too late, and leaves open the potential
      for core_tpg_del_initiator_node_acl() to hit a NULL
      pointer dereference.
      
      Instead, take ->acl_kref in core_tpg_get_initiator_node_acl()
      while se_portal_group->acl_node_mutex is held, and move the
      final target_put_nacl() from transport_deregister_session()
      into transport_free_session() so that fabric driver login
      failure handling using the modern method still works
      as expected.
      
      Also, update core_tpg_get_initiator_node_acl() to take
      an extra reference for dynamically generated acls for
      demo-mode, before returning to fabric caller.  Also
      update iscsi-target sendtargets special case handling
      to use target_tpg_has_node_acl() when checking if
      demo_mode_discovery == true during discovery lookup.
      
      Note the existing wait_for_completion(&acl->acl_free_comp)
      in core_tpg_del_initiator_node_acl() does not change.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • target: Convert ACL change queue_depth se_session reference usage · d36ad77f
      Nicholas Bellinger authored
      This patch converts core_tpg_set_initiator_node_queue_depth()
      to use struct se_node_acl->acl_sess_list when performing
      explicit se_tpg_tfo->shutdown_session() for active sessions,
      in order for new se_node_acl->queue_depth to take effect.
      
      This follows how core_tpg_del_initiator_node_acl() currently
      works when invoking se_tpg_tfo->shutdown_session(), and ahead
      of the next patch to take se_node_acl->acl_kref during lookup,
      the extra get_initiator_node_acl() can go away. In order to
      achieve this, go ahead and change target_get_session() to use
      kref_get_unless_zero() and propagate up the return value
      to know when a session is already being released.
      
      This is because se_node_acl->acl_group is already protecting
      se_node_acl->acl_group reference via configfs, and shutdown
      within core_tpg_del_initiator_node_acl() won't occur until
      sys_write() to core_tpg_set_initiator_node_queue_depth()
      attribute returns back to user-space.
      
      Also, drop the left-over iscsi-target hack, and obtain
      se_portal_group->session_lock in lio_tpg_shutdown_session()
      internally. Remove iscsi-target wrapper and unused se_tpg +
      force parameters and associated code.
      
      Reported-by: Christoph Hellwig <hch@lst.de>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  16. 07 Jan, 2016 3 commits
  17. 06 Jan, 2016 1 commit
  18. 28 Nov, 2015 1 commit
    • target: Fix race for SCF_COMPARE_AND_WRITE_POST checking · 057085e5
      Nicholas Bellinger authored
      This patch addresses a race + use after free where the first
      stage of COMPARE_AND_WRITE in compare_and_write_callback()
      is rescheduled after the backend sends the secondary WRITE,
      resulting in second stage compare_and_write_post() callback
      completing in target_complete_ok_work() before the first
      can return.
      
      Because current code depends on checking se_cmd->se_cmd_flags
      after return from se_cmd->transport_complete_callback(),
      this results in first stage having SCF_COMPARE_AND_WRITE_POST
      set, which incorrectly falls through into second stage CAW
      processing code, eventually triggering a NULL pointer
      dereference due to use after free.
      
      To address this bug, pass in a new *post_ret parameter into
      se_cmd->transport_complete_callback(), and depend upon this
      value instead of ->se_cmd_flags to determine when to return
      or fall through into ->queue_status() code for CAW.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  19. 13 Oct, 2015 1 commit
  20. 25 Sep, 2015 1 commit
  21. 11 Sep, 2015 1 commit
    • target/qla2xxx: Honor max_data_sg_nents I/O transfer limit · 8f9b5654
      Nicholas Bellinger authored
      This patch adds an optional fabric driver provided SGL limit
      that target-core will honor as its own internal I/O maximum
      transfer length limit, as exposed by EVPD=0xb0 block limits
      parameters.
      
      This is required for handling cases when host I/O transfer
      length exceeds the requested EVPD block limits maximum
      transfer length. The initial user of this logic is qla2xxx,
      so that we can avoid having to reject I/Os from some legacy
      FC hosts where EVPD=0xb0 parameters are not honored.
      
      When se_cmd payload length exceeds the provided limit in
      target_check_max_data_sg_nents() code, se_cmd->data_length +
      se_cmd->prot_length are reset with se_cmd->residual_count
      plus underflow bit for outgoing TFO response callbacks.
      It also checks for existing CDB level underflow + overflow
      and recalculates final residual_count as necessary.
      
      Note this patch currently assumes 1:1 mapping of PAGE_SIZE
      per struct scatterlist entry.
      
      Reported-by: Craig Watson <craig.watson@vanguard-rugged.com>
      Cc: Craig Watson <craig.watson@vanguard-rugged.com>
      Tested-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Roland Dreier <roland@purestorage.com>
      Cc: Arun Easi <arun.easi@qlogic.com>
      Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
      Cc: Andrew Vasquez <andrew.vasquez@qlogic.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  22. 27 Aug, 2015 3 commits