summaryrefslogtreecommitdiff
path: root/drivers/target
AgeCommit message (Collapse)Author
2013-07-11Merge branch 'for-next' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending Pull SCSI target updates from Nicholas Bellinger: "Lots of activity this round on performance improvements in target-core while benchmarking the prototype scsi-mq initiator code with vhost-scsi fabric ports, along with a number of iscsi/iser-target improvements and hardening fixes for exception path cases post v3.10 merge. The highlights include: - Make persistent reservations APTPL buffer allocated on-demand, and drop per t10_reservation buffer. (grover) - Make virtual LUN=0 a NULLIO device, and skip allocation of NULLIO device pages (grover) - Add transport_cmd_check_stop write_pending bit to avoid extra access of ->t_state_lock is WRITE I/O submission fast-path. (nab) - Drop unnecessary CMD_T_DEV_ACTIVE check from transport_lun_remove_cmd to avoid extra access of ->t_state_lock in release fast-path. (nab) - Avoid extra t_state_lock access in __target_execute_cmd fast-path (nab) - Drop unnecessary vhost-scsi wait_for_tasks=true usage + ->t_state_lock access in release fast-path. (nab) - Convert vhost-scsi to use modern se_cmd->cmd_kref TARGET_SCF_ACK_KREF usage (nab) - Add tracepoints for SCSI commands being processed (roland) - Refactoring of iscsi-target handling of ISCSI_OP_NOOP + ISCSI_OP_TEXT to be transport independent (nab) - Add iscsi-target SendTargets=$IQN support for in-band discovery (nab) - Add iser-target support for in-band discovery (nab + Or) - Add iscsi-target demo-mode TPG authentication context support (nab) - Fix isert_put_reject payload buffer post (nab) - Fix iscsit_add_reject* usage for iser (nab) - Fix iscsit_sequence_cmd reject handling for iser (nab) - Fix ISCSI_OP_SCSI_TMFUNC handling for iser (nab) - Fix session reset bug with RDMA_CM_EVENT_DISCONNECTED (nab) The last five iscsi/iser-target items are CC'ed to stable, as they do address issues present in v3.10 code. They are certainly larger than I'd like for stable patch set, but are important to ensure proper REJECT exception handling in iser-target for 3.10.y" * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (51 commits) iser-target: Ignore non TEXT + LOGOUT opcodes for discovery target: make queue_tm_rsp() return void target: remove unused codes from enum tcm_tmrsp_table iscsi-target: kstrtou* configfs attribute parameter cleanups iscsi-target: Fix tfc_tpg_auth_cit configfs length overflow iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow iser-target: Add support for ISCSI_OP_TEXT opcode + payload handling iser-target: Rename sense_buf_[dma,len] to pdu_[dma,len] iser-target: Add vendor_err debug output target: Add (obsolete) checking for PMI/LBA fields in READ CAPACITY(10) target: Return correct sense data for IO past the end of a device target: Add tracepoints for SCSI commands being processed iser-target: Fix session reset bug with RDMA_CM_EVENT_DISCONNECTED iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser iscsi-target: Fix iscsit_sequence_cmd reject handling for iser iscsi-target: Fix iscsit_add_reject* usage for iser iser-target: Fix isert_put_reject payload buffer post iscsi-target: missing kfree() on error path iscsi-target: Drop left-over iscsi_conn->bad_hdr target: Make core_scsi3_update_and_write_aptpl return sense_reason_t ...
2013-07-07target: make queue_tm_rsp() return voidJoern Engel
The return value wasn't checked by any of the callers. Assuming this is correct behaviour, we can simplify some code by not bothering to generate it. nab: Add srpt_queue_data_in() + srpt_queue_tm_rsp() nops around srpt_queue_response() void return Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07target: remove unused codes from enum tcm_tmrsp_tableJoern Engel
Three have been checked for but were never set. Remove the dead code. Also renumbers the remaining ones to a) get rid of the holes after the removal and b) avoid a collision between TMR_FUNCTION_COMPLETE==0 and the uninitialized case. If we failed to set a code, we should rather fall into the default case then return success. Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07iscsi-target: kstrtou* configfs attribute parameter cleanupsJörn Engel
This patch includes the conversion of iscsi-target configfs attributes for NetworkPortal, NodeACL, TPG, IQN and Discovery groups to use kstrtou*() instead of simple_strtou*(). It also cleans up new-line usage during iscsi_tpg_param_store_##name to use isspace(). Signed-off-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07iscsi-target: Fix tfc_tpg_auth_cit configfs length overflowNicholas Bellinger
This patch fixes another potential buffer overflow while processing iscsi_node_auth input for configfs attributes in v3.11 for-next TPG tfc_tpg_auth_cit context. Reported-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflowJörn Engel
This patch fixes a potential buffer overflow while processing iscsi_node_auth input for configfs attributes within NodeACL tfc_tpg_nacl_auth_cit context. Signed-off-by: Joern Engel <joern@logfs.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07target: Add (obsolete) checking for PMI/LBA fields in READ CAPACITY(10)Roland Dreier
The SBC-2 specification of READ CAPACITY(10) has PMI and LOGICAL BLOCK ADDRESS fields in the CDB; in SBC-3 these fields are simply listed as obsolete. However, SBC-2 also has the language If the PMI bit is set to zero and the LOGICAL BLOCK ADDRESS field is not set to zero, the device server shall terminate the command with CHECK CONDITION status with the sense key set to ILLEGAL REQUEST and the additional sense code set to INVALID FIELD IN CDB. and in fact at least the Windows SCSI compliance test checks this behavior. Since no one following SBC-3 is going to set these fields, we might as well include the check from SBC-2 and pass this test. Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07target: Return correct sense data for IO past the end of a deviceRoland Dreier
We should use TCM_ADDRESS_OUT_OF_RANGE (-> sense data LOGICAL BLOCK ADDRESS OUT OF RANGE) for IOs past the end of a device instead of INVALID FIELD IN CDB. Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07target: Add tracepoints for SCSI commands being processedRoland Dreier
This patch adds tracepoints to the target code for commands being received and being completed, which is quite useful for debugging interactions with initiators. For example, one can do something like the following to watch commands that are completing unsuccessfully: # echo 'scsi_status!=0' > /sys/kernel/debug/tracing/events/target/target_cmd_complete/filter # echo 1 > /sys/kernel/debug/tracing/events/target/target_cmd_complete/enable <run command that fails> # cat /sys/kernel/debug/tracing/trace iscsi_trx-0-1902 [003] ...1 990185.810385: target_cmd_complete: iqn.1993-08.org.debian:01:e51ede6aacfd <- LUN 001 status CHECK CONDITION (sense len 18 / 70 00 05 00 00 00 00 0a 00 00 00 00 20 00 00 00 00 00) 0x95 data_length 512 CDB 95 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (TA:SIMPLE C:00) (v2: Drop undefined COMPARE_AND_WRITE) Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-07iser-target: Fix session reset bug with RDMA_CM_EVENT_DISCONNECTEDNicholas Bellinger
This patch addresses a bug where RDMA_CM_EVENT_DISCONNECTED may occur before the connection shutdown has been completed by rx/tx threads, that causes isert_free_conn() to wait indefinately on ->conn_wait. This patch allows isert_disconnect_work code to invoke rdma_disconnect when isert_disconnect_work() process context is started by client session reset before isert_free_conn() code has been reached. It also adds isert_conn->conn_mutex protection for ->state within isert_disconnect_work(), isert_cq_comp_err() and isert_free_conn() code, along with isert_check_state() for wait_event usage. (v2: Add explicit iscsit_cause_connection_reinstatement call during isert_disconnect_work() to force conn reset) Cc: stable@vger.kernel.org # 3.10+ Cc: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-06iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iserNicholas Bellinger
This patch adds target_get_sess_cmd reference counting for iscsit_handle_task_mgt_cmd(), and adds a target_put_sess_cmd() for the failure case. It also fixes a bug where ISCSI_OP_SCSI_TMFUNC type commands where leaking iscsi_cmd->i_conn_node and eventually triggering an OOPs during struct isert_conn shutdown. Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-06iscsi-target: Fix iscsit_sequence_cmd reject handling for iserNicholas Bellinger
This patch moves ISCSI_OP_REJECT failures into iscsit_sequence_cmd() in order to avoid external iscsit_reject_cmd() reject usage for all PDU types. It also updates PDU specific handlers for traditional iscsi-target code to not reset the session after posting a ISCSI_OP_REJECT during setup. (v2: Fix CMDSN_LOWER_THAN_EXP for ISCSI_OP_SCSI to call target_put_sess_cmd() after iscsit_sequence_cmd() failure) Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-06iscsi-target: Fix iscsit_add_reject* usage for iserNicholas Bellinger
This patch changes iscsit_add_reject() + iscsit_add_reject_from_cmd() usage to not sleep on iscsi_cmd->reject_comp to address a free-after-use usage bug in v3.10 with iser-target code. It saves ->reject_reason for use within iscsit_build_reject() so the correct value for both transport cases. It also drops the legacy fail_conn parameter usage throughput iscsi-target code and adds two iscsit_add_reject_cmd() and iscsit_reject_cmd helper functions, along with various small cleanups. (v2: Re-enable target_put_sess_cmd() to be called from iscsit_add_reject_from_cmd() for rejects invoked after target_get_sess_cmd() has been called) Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: missing kfree() on error pathDan Carpenter
Fix-up breakage in iscsit_build_sendtargets_response() from v3.11 changes, and free "payload" before returning. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: Drop left-over iscsi_conn->bad_hdrNicholas Bellinger
All REJECT response setup of the rejected payload is now done using on-demand cmd->buf_ptr allocations. Go ahead and remove dead iscsi_conn->bad_hdr usage rx_opcode path Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03target: Make core_scsi3_update_and_write_aptpl return sense_reason_tNicholas Bellinger
Fix up sense_reason_t breakage in core_scsi3_update_and_write_aptpl() from recent conversion to use local scope memory allocation. Reported as sparse warnings: (new ones prefixed by >>) by Fengguang: >> drivers/target/target_core_pr.c:2069:57: sparse: incorrect type in >> return expression (different base types) drivers/target/target_core_pr.c:2069:57: expected restricted sense_reason_t drivers/target/target_core_pr.c:2069:57: got int >> drivers/target/target_core_pr.c:2179:21: sparse: incorrect type in >> assignment (different base types) drivers/target/target_core_pr.c:2179:21: expected restricted sense_reason_t [assigned] [usertype] ret drivers/target/target_core_pr.c:2179:21: got int >> drivers/target/target_core_pr.c:2197:13: sparse: incorrect type in >> assignment (different base types) drivers/target/target_core_pr.c:2197:13: expected restricted sense_reason_t [assigned] [usertype] ret drivers/target/target_core_pr.c:2197:13: got int drivers/target/target_core_pr.c:1245:28: sparse: context imbalance in '__core_scsi3_free_registration' - unexpected unlock Reported-by: kbuild test robot <fengguang.wu@intel.com> Cc: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: Add demo-mode TPG authentication context supportNicholas Bellinger
This patch adds a auth configfs group context following existing explict NodeACL and discovery auth within: /sys/kernel/config/target/iscsi/$TARGETNAME/$TPGT/auth/ This patch allows these attributes to be used for CHAP authentication an TPG is configured in demo-mode (generate_node_acl=1). Note this authentication information takes precedence over NodeACL authentication when struct se_node_acl->dynamic_node_acl is present. Cc: Dax Kelson <dkelson@gurulabs.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03target: Add se_portal_group->tpg_auth_groupNicholas Bellinger
This patch adds an optional /auth/ configfs group to TPG context that can be used by fabrics like iscsi-target for TPG demo-mode authentication. Cc: Dax Kelson <dkelson@gurulabs.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: Add IFC_SENDTARGETS_SINGLE supportNicholas Bellinger
This patch changes ISCSI_OP_TEXT handling of SendTargets=[iqn.,eui.] payloads to return explicit discovery information. It adds checks to iscsit_process_text_cmd() and adds the special single $TARGETNAME discovery case in iscsit_build_sendtargets_response() code. Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: Move sendtargets parsing into iscsit_process_text_cmdNicholas Bellinger
This patch moves ISCSI_OP_TEXT PDU buffer sanity checks to iscsit_process_text_cmd() code, so that it can be shared with iser-target code. It adds IFC_SENDTARGETS_ALL + iscsi_cmd->text_in_ptr in order to save text payload for ISCSI_OP_TEXT_RSP, and updates iscsit_release_cmd() to assigned memory. Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-07-03iscsi-target: Allow ->MaxXmitDataSegmentLength assignment for iser discoveryNicholas Bellinger
This patch changes iscsi_set_connection_parameters() to allow conn_ops->MaxXmitDataSegmentLength assignement to occur during in-band iser send-targets discovery, as this value is required by TEXT response processing code. Reported-by: Or Gerlitz <ogerlitz@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-26iscsi-target: Refactor ISCSI_OP_TEXT_RSP TX handlingNicholas Bellinger
This patch refactoring existing iscsit_send_text_rsp() in order to handle iscsi_text_rsp payloads in a transport specific manner. This includes the addition of iscsit_build_text_rsp() to build the response payload and initialize ISCSI_OP_TEXT_RSP. v2: Make iscsit_build_text_rsp() determine extra padding bytes, and drop legacy padding calculation for traditional iSCSI text responses within iscsit_send_text_rsp() Reported-by: Or Gerlitz <ogerlitz@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-24iscsi-target: Refactor ISCSI_OP_TEXT RX handlingNicholas Bellinger
This patch refactors ISCSI_OP_TEXT handling within iscsi-target in order to handle iscsi_text payloads in a transport specific manner. This includes splitting current iscsit_handle_text_cmd() into iscsit_setup_text_cmd() and iscsit_process_text_cmd() calls, and makes iscsit_handle_text_cmd be only used internally by traditional iscsi socket calls. Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-24iscsi/isert-target: Refactor ISCSI_OP_NOOP RX handlingNicholas Bellinger
This patch refactors ISCSI_OP_NOOP handling within iscsi-target in order to handle iscsi_nopout payloads in a transport specific manner. This includes splitting existing iscsit_handle_nop_out() into iscsit_setup_nop_out() and iscsit_process_nop_out() calls, and makes iscsit_handle_nop_out() be only used internally by traditional iscsi socket calls. Next update iser-target code to use new callers and add FIXME for the handling iscsi_nopout payloads. Also fix reject response handling in iscsit_setup_nop_out() to use proper iscsit_add_reject_from_cmd(). v2: Fix uninitialized iscsit_handle_nop_out() payload_length usage (Fengguang) v3: Remove left-over dead code in iscsit_setup_nop_out() (DanC) Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20iscsi-target: Remove left over v3.10-rc debug printksNicholas Bellinger
Reported-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target/iscsi: Fix op=disable + error handling cases in np_store_iserAndy Grover
Writing 0 when iser was not previously enabled, so succeed but do nothing so that user-space code doesn't need a try: catch block when ib_isert logic is not available. Also, return actual error from add_network_portal using PTR_ERR during op=enable failure. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Drop legacy se_cmd->check_release bitNicholas Bellinger
Now with iscsi-target using modern se_cmd->cmd_kref accounting in v3.10 code, it's safe to go ahead and drop the legacy release codepath + se_cmd->check_release bit in transport_release_cmd() Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20iscsi-target: Avoid unnecessary t_state_lock during unsolicited data-out checkNicholas Bellinger
In modern iscsi-target code, the setup and I/O submission is done within a single process context, so there is no need to acquire se_cmd->t_state_lock while checking SCF_SUPPORTED_SAM_OPCODE for determining when unsolicited data-out should be dumped. Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Drop unnecessary t_state_lock access for SCF_SUPPORTED_SAM_OPCODE ↵Nicholas Bellinger
assignment This patch drops the se_cmd->t_state_lock access around SCF_SUPPORTED_SAM_OPCODE assignment within target_setup_cmd_from_cdb(). Original v4.0 target code required this as fabrics would be checking for this values in different process contexts for setup and I/O submission. Given that modern v4.1 target code performs setup and I/O submission from the same process context, this t_state_lock access is no longer required. Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Avoid extra t_state_lock access in __target_execute_cmdNicholas Bellinger
This patch makes target_execute_cmd() set CMD_T_BUSY|CMD_T_SENT while holding se_cmd->t_state_lock, in order to avoid the extra aquire/release in __target_execute_cmd(). It also clears these bits in case of a target_handle_task_attr() failure. Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Remove legacy t_fe_count + avoid t_state_lock access in ↵Nicholas Bellinger
transport_put_cmd This patch removes legacy se_cmd->t_fe_count usage in order to avoid se_cmd->t_state_lock access within transport_put_cmd() during normal fast path se_cmd descriptor release. Also drop the left-over parameter usage within core_tmr_handle_tas_abort() Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Drop unnecessary CMD_T_DEV_ACTIVE check from transport_lun_remove_cmdNicholas Bellinger
This patch drops an unnecessary acquire/release of se_cmd->t_state_lock within transport_lun_remove_cmd() when checking CMD_T_DEV_ACTIVE for invoking target_remove_from_state_list(). For all fast path completion cases, transport_lun_remove_cmd() is always called ahead of transport_cmd_check_stop(), and since transport_cmd_check_stop() is calling target_remove_from_state_list() when remove_from_lists=true, the t_state_lock usage in transport_lun_remove_cmd() can safely be removed. Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-20target: Add transport_cmd_check_stop write_pending bitNicholas Bellinger
This patch adds a new transport_cmd_check_stop() parameter for signaling when TRANSPORT_WRITE_PENDING needs to be set. This allows transport_generic_new_cmd() to avoid the extra lock acquire/release of ->t_state_lock in the fast path for DMA_TO_DEVICE operations ahead of transport_cmd_check_stop() + se_tfo->write_pending(). Cc: Christoph Hellwig <hch@lst.de> Cc: Roland Dreier <roland@kernel.org> Cc: Kent Overstreet <koverstreet@google.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Moussa Ba <moussaba@micron.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()Jörn Engel
Here is a fun one. Bug seems to have been introduced by commit 140854cb, almost two years ago. I have no idea why we only started seeing it now, but we did. Rough callgraph: core_tpg_set_initiator_node_queue_depth() `-> spin_lock_irqsave(&tpg->session_lock, flags); `-> lio_tpg_shutdown_session() `-> iscsit_stop_time2retain_timer() `-> spin_unlock_bh(&se_tpg->session_lock); `-> spin_lock_bh(&se_tpg->session_lock); `-> spin_unlock_irqrestore(&tpg->session_lock, flags); core_tpg_set_initiator_node_queue_depth() used to call spin_lock_bh(), but 140854cb changed that to spin_lock_irqsave(). However, lio_tpg_shutdown_session() still claims to be called with spin_lock_bh() held, as does iscsit_stop_time2retain_timer(): * Called with spin_lock_bh(&struct se_portal_group->session_lock) held Stale documentation is mostly annoying, but in this case the dropping the lock with the _bh variant is plain wrong. It is also wrong to drop locks two functions below the lock-holder, but I will ignore that bit for now. After some more locking and unlocking we eventually hit this backtrace: ------------[ cut here ]------------ WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0xe8/0x100() Pid: 24645, comm: lio_helper.py Tainted: G O 3.6.11+ Call Trace: [<ffffffff8103e5ff>] warn_slowpath_common+0x7f/0xc0 [<ffffffffa040ae37>] ? iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod] [<ffffffff8103e65a>] warn_slowpath_null+0x1a/0x20 [<ffffffff810472f8>] local_bh_enable_ip+0xe8/0x100 [<ffffffff815b8365>] _raw_spin_unlock_bh+0x15/0x20 [<ffffffffa040ae37>] iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod] [<ffffffffa041149a>] iscsit_stop_session+0xfa/0x1c0 [iscsi_target_mod] [<ffffffffa0417fab>] lio_tpg_shutdown_session+0x7b/0x90 [iscsi_target_mod] [<ffffffffa033ede4>] core_tpg_set_initiator_node_queue_depth+0xe4/0x290 [target_core_mod] [<ffffffffa0409032>] iscsit_tpg_set_initiator_node_queue_depth+0x12/0x20 [iscsi_target_mod] [<ffffffffa0415c29>] lio_target_nacl_store_cmdsn_depth+0xa9/0x180 [iscsi_target_mod] [<ffffffffa0331b49>] target_fabric_nacl_base_attr_store+0x39/0x40 [target_core_mod] [<ffffffff811b857d>] configfs_write_file+0xbd/0x120 [<ffffffff81148f36>] vfs_write+0xc6/0x180 [<ffffffff81149251>] sys_write+0x51/0x90 [<ffffffff815c0969>] system_call_fastpath+0x16/0x1b ---[ end trace 3747632b9b164652 ]--- As a pure band-aid, this patch drops the _bh. Signed-off-by: Joern Engel <joern@logfs.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Don't allocate pages for NULLIO devicesAndy Grover
Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Make virtual_lun0 a nullio deviceAndy Grover
Nobody should be expecting to read or write virtual_lun0. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Further refactoring of core_scsi3_emulate_pro_register()Andy Grover
Use bool params when appropriate. Eliminate unneeded pr_reg_e and type variables. Just one goto label, so rename to 'out' from 'out_put_pr_reg'. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Use if/else for sa_res_key conditional in emulate_pro_register()Andy Grover
Don't need goto, we can just do an if/else for sa_res_key behavior. Move shorter case first. Slightly shorter b/c both cases can share a call to update_and_write_aptpl() now. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Allocate aptpl_buf inside update_and_write_aptpl()Andy Grover
Instead of taking the buffer and length, update_and_write_aptpl() will allocate the buffer as needed, and then free it. Instead, the function takes an 'aptpl' boolean parameter. This enables us to remove memory alloc/frees from struct t10_pr_registration and other spots. There is a slight loss of functionality because each callsite doesn't get its own pr_debug any more, but this info can be cleaned via ftrace if necessary and I think the shorter code is worth it. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Delete incorrect commentAndy Grover
aptpl_file_mutex seems to no longer exist. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Remove unneeded param pr_aptpl_buf_len to write_aptpl_to_file()Andy Grover
As mentioned in the comments in update_and_write_aptpl, write_aptpl_to_file() calls strlen() on the buffer, and the length was always being passed as zero. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Remove t10_reservation.pr_aptpl_buf_lenAndy Grover
It's only ever set to PR_APTPL_BUF_LEN, so we don't need a variable. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Unify __core_scsi3_update_aptpl_buf and core_scsi3_update_aptpl_bufAndy Grover
The __ version is only ever called from the regular version, so just inline it. It's not too much more complex to handle both spinlocks in the same function. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Simplify metadata handling when clearing aptpl metadataAndy Grover
Simpler to just set buf in update_and_write_aptpl(), rather than passing down to ____core_scsi3_update_aptpl_buf(). Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Fix two debugprints that appear to be wrongAndy Grover
They're in emulate_pro_register, so change UNREGISTER to REGISTER. The first one seems wrong -- sa_res_key could be 0 there, but it's testing spec_i_pt. Remove unneeded parens in 2nd conditional. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Alter core_pr_dump_initiator_port for ease of useAndy Grover
We use this function exclusively in debug prints. Instead of returning 0 or 1 if isid is present, just set buf to "" if it isn't there. This saves callers from having to check the return value. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-06-14target: Add register_type and preempt_type enums to clarify codeAndy Grover
core_scsi3_enulate_pro_register took an 'ignore_key' parameter that really distinguished between REGISTER and REGISTER_AND_IGNORE_EXISTING_KEY registration types, which was a little confusing. Same situation for PREEMPT and PREEMPT_AND_ABORT. Use enums to add a little more descriptiveness to the code. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-05-31iscsi-target: Fix iscsit_free_cmd() se_cmd->cmd_kref shutdown handlingNicholas Bellinger
With the introduction of target_get_sess_cmd() referencing counting for ISCSI_OP_SCSI_CMD processing with iser-target, iscsit_free_cmd() usage in traditional iscsi-target driver code now needs to be aware of the active I/O shutdown case when a remaining se_cmd->cmd_kref reference may exist after transport_generic_free_cmd() completes, requiring a final target_put_sess_cmd() to release iscsi_cmd descriptor memory. This patch changes iscsit_free_cmd() to invoke __iscsit_free_cmd() before transport_generic_free_cmd() -> target_put_sess_cmd(), and also avoids aquiring the per-connection queue locks for typical fast-path calls during normal ISTATE_REMOVE operation. Also update iscsit_free_cmd() usage throughout iscsi-target to use the new 'bool shutdown' parameter. This patch fixes a regression bug introduced during v3.10-rc1 in commit 3e1c81a95, that was causing the following WARNING to appear: [ 257.235153] ------------[ cut here]------------ [ 257.240314] WARNING: at kernel/softirq.c:160 local_bh_enable_ip+0x3c/0x86() [ 257.248089] Modules linked in: vhost_scsi ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx tcm_loop tcm_fc libfc iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi loop acpi_cpufreq freq_table mperf kvm_intel kvm crc32c_intel button ehci_pci pcspkr joydev i2c_i801 microcode ext3 jbd raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx raid1 raid0 linear igb hwmon i2c_algo_bit i2c_core ptp ata_piix libata qla2xxx uhci_hcd ehci_hcd mlx4_core scsi_transport_fc scsi_tgt pps_core [ 257.308748] CPU: 1 PID: 3295 Comm: iscsi_ttx Not tainted 3.10.0-rc2+ #103 [ 257.316329] Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.00.0057.031020111721 03/10/2011 [ 257.327597] ffffffff814c24b7 ffff880458331b58 ffffffff8138eef2 ffff880458331b98 [ 257.335892] ffffffff8102c052 ffff880400000008 0000000000000000 ffff88085bdf0000 [ 257.344191] ffff88085bdf00d8 ffff88085bdf00e0 ffff88085bdf00f8 ffff880458331ba8 [ 257.352488] Call Trace: [ 257.355223] [<ffffffff8138eef2>] dump_stack+0x19/0x1f [ 257.360963] [<ffffffff8102c052>] warn_slowpath_common+0x62/0x7b [ 257.367669] [<ffffffff8102c080>] warn_slowpath_null+0x15/0x17 [ 257.374181] [<ffffffff81032345>] local_bh_enable_ip+0x3c/0x86 [ 257.380697] [<ffffffff813917fd>] _raw_spin_unlock_bh+0x10/0x12 [ 257.387311] [<ffffffffa029069c>] iscsit_free_r2ts_from_list+0x5e/0x67 [iscsi_target_mod] [ 257.396438] [<ffffffffa02906c5>] iscsit_release_cmd+0x20/0x223 [iscsi_target_mod] [ 257.404893] [<ffffffffa02977a4>] lio_release_cmd+0x3a/0x3e [iscsi_target_mod] [ 257.412964] [<ffffffffa01d59a1>] target_release_cmd_kref+0x7a/0x7c [target_core_mod] [ 257.421712] [<ffffffffa01d69bc>] target_put_sess_cmd+0x5f/0x7f [target_core_mod] [ 257.430071] [<ffffffffa01d6d6d>] transport_release_cmd+0x59/0x6f [target_core_mod] [ 257.438625] [<ffffffffa01d6eb4>] transport_put_cmd+0x131/0x140 [target_core_mod] [ 257.446985] [<ffffffffa01d6192>] ? transport_wait_for_tasks+0xfa/0x1d5 [target_core_mod] [ 257.456121] [<ffffffffa01d6f11>] transport_generic_free_cmd+0x4e/0x52 [target_core_mod] [ 257.465159] [<ffffffff81050537>] ? __migrate_task+0x110/0x110 [ 257.471674] [<ffffffffa02904ba>] iscsit_free_cmd+0x46/0x55 [iscsi_target_mod] [ 257.479741] [<ffffffffa0291edb>] iscsit_immediate_queue+0x301/0x353 [iscsi_target_mod] [ 257.488683] [<ffffffffa0292f7e>] iscsi_target_tx_thread+0x1c6/0x2a8 [iscsi_target_mod] [ 257.497623] [<ffffffff81047486>] ? wake_up_bit+0x25/0x25 [ 257.503652] [<ffffffffa0292db8>] ? iscsit_ack_from_expstatsn+0xd5/0xd5 [iscsi_target_mod] [ 257.512882] [<ffffffff81046f89>] kthread+0xb0/0xb8 [ 257.518329] [<ffffffff81046ed9>] ? kthread_freezable_should_stop+0x60/0x60 [ 257.526105] [<ffffffff81396fec>] ret_from_fork+0x7c/0xb0 [ 257.532133] [<ffffffff81046ed9>] ? kthread_freezable_should_stop+0x60/0x60 [ 257.539906] ---[ end trace 5520397d0f2e0800 ]--- Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-05-31target: Propigate up ->cmd_kref put return via transport_generic_free_cmdNicholas Bellinger
Go ahead and propigate up the ->cmd_kref put return value from target_put_sess_cmd() -> transport_release_cmd() -> transport_put_cmd() -> transport_generic_free_cmd(). This is useful for certain fabrics when determining the active I/O shutdown case with SCF_ACK_KREF where a final target_put_sess_cmd() is still required by the caller. Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2013-05-30iscsi-target: fix heap buffer overflow on errorKees Cook
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>