* [PATCH 0/6] target fixes for v4.15-rc1
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel; +Cc: linux-scsi, lkml, Nicholas Bellinger
From: Nicholas Bellinger <nab@linux-iscsi.org>
Hi all,
Here are the outstanding target bugfixes in queue for v4.15-rc1
code.
Patch #1 addresses a long standing bug wrt to QUEUE_FULL and
SCSI task attribute handling, that results in SCSI task related
counters getting updated multiple times during QUEUE_FULL.
It primarly effects hosts using ORDERED tasks, which depend upon
these counters to know when to delay incoming tasks.
Patch #2 is for a recent v4.11+ regression, which during ABORT
of COMPARE_AND_WRITE can result in se_device->cam_sem getting
leaked due to se_cmd->transport_complete_callback() being
skipped.
Patch #3 addresses a possible end-less loop during QUEUE_FULL +
TFO->write_pending() failure, allowing se_cmd quiese to properly
complete the outstanding descriptor when requested.
Patch #4 addresses a use-after-tree that was hit in the field,
involving pre-backend execution se_cmd exceptions + subsequent
ABORT_TASK for a matching tag.
Patch #5 + #6 address a iscsi-target TMR related memory and
se_cmd->cmd_kref reference leaks respectively.
We've been testing #4, #5, and #6 internally on v4.1.y stable
code, and have not run into additional regressions.
The rest are straight-forward.
Please review.
--nab
Nicholas Bellinger (6):
target: Fix QUEUE_FULL + SCSI task attribute handling
target: Fix caw_sem leak in transport_generic_request_failure
target: Fix quiese during transport_write_pending_qf endless loop
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
iscsi-target: Fix non-immediate TMR reference leak
drivers/target/iscsi/iscsi_target.c | 30 ++++++++++++++----------------
drivers/target/target_core_tmr.c | 9 +++++++++
drivers/target/target_core_transport.c | 26 +++++++++++++++++++++++---
include/target/target_core_base.h | 1 +
4 files changed, 47 insertions(+), 19 deletions(-)
--
1.9.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 0/6] target fixes for v4.15-rc1
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel; +Cc: linux-scsi, lkml, Nicholas Bellinger
From: Nicholas Bellinger <nab@linux-iscsi.org>
Hi all,
Here are the outstanding target bugfixes in queue for v4.15-rc1
code.
Patch #1 addresses a long standing bug wrt to QUEUE_FULL and
SCSI task attribute handling, that results in SCSI task related
counters getting updated multiple times during QUEUE_FULL.
It primarly effects hosts using ORDERED tasks, which depend upon
these counters to know when to delay incoming tasks.
Patch #2 is for a recent v4.11+ regression, which during ABORT
of COMPARE_AND_WRITE can result in se_device->cam_sem getting
leaked due to se_cmd->transport_complete_callback() being
skipped.
Patch #3 addresses a possible end-less loop during QUEUE_FULL +
TFO->write_pending() failure, allowing se_cmd quiese to properly
complete the outstanding descriptor when requested.
Patch #4 addresses a use-after-tree that was hit in the field,
involving pre-backend execution se_cmd exceptions + subsequent
ABORT_TASK for a matching tag.
Patch #5 + #6 address a iscsi-target TMR related memory and
se_cmd->cmd_kref reference leaks respectively.
We've been testing #4, #5, and #6 internally on v4.1.y stable
code, and have not run into additional regressions.
The rest are straight-forward.
Please review.
--nab
Nicholas Bellinger (6):
target: Fix QUEUE_FULL + SCSI task attribute handling
target: Fix caw_sem leak in transport_generic_request_failure
target: Fix quiese during transport_write_pending_qf endless loop
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
iscsi-target: Fix non-immediate TMR reference leak
drivers/target/iscsi/iscsi_target.c | 30 ++++++++++++++----------------
drivers/target/target_core_tmr.c | 9 +++++++++
drivers/target/target_core_transport.c | 26 +++++++++++++++++++++++---
include/target/target_core_base.h | 1 +
4 files changed, 47 insertions(+), 19 deletions(-)
--
1.9.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 1/6] target: Fix QUEUE_FULL + SCSI task attribute handling
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Michael Cyr, Bryant G. Ly,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
calls transport_complete_task_attr() after it's already been invoked
by target_complete_ok_work() or transport_generic_request_failure()
during initial completion, preceeding QUEUE_FULL.
This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
and/or se_device->dev_ordered_sync being updated multiple times for
a single se_cmd.
To address this bug, clear SCF_TASK_ATTR_SET after the first call
to transport_complete_task_attr(), and avoid updating SCSI task
attribute related counters for any subsequent calls.
Also, when a se_cmd is deferred due to ordered tags and executed
via target_restart_delayed_cmds(), set CMD_T_SENT before execution
matching what target_execute_cmd() does.
Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 473d652..c33d1e9 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2011,6 +2011,8 @@ static void target_restart_delayed_cmds(struct se_device *dev)
list_del(&cmd->se_delayed_node);
spin_unlock(&dev->delayed_cmd_lock);
+ cmd->transport_state |= CMD_T_SENT;
+
__target_execute_cmd(cmd, true);
if (cmd->sam_task_attr == TCM_ORDERED_TAG)
@@ -2046,6 +2048,8 @@ static void transport_complete_task_attr(struct se_cmd *cmd)
pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
dev->dev_cur_ordered_id);
}
+ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
+
restart:
target_restart_delayed_cmds(dev);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 1/6] target: Fix QUEUE_FULL + SCSI task attribute handling
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Michael Cyr, Bryant G. Ly,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
calls transport_complete_task_attr() after it's already been invoked
by target_complete_ok_work() or transport_generic_request_failure()
during initial completion, preceeding QUEUE_FULL.
This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
and/or se_device->dev_ordered_sync being updated multiple times for
a single se_cmd.
To address this bug, clear SCF_TASK_ATTR_SET after the first call
to transport_complete_task_attr(), and avoid updating SCSI task
attribute related counters for any subsequent calls.
Also, when a se_cmd is deferred due to ordered tags and executed
via target_restart_delayed_cmds(), set CMD_T_SENT before execution
matching what target_execute_cmd() does.
Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 473d652..c33d1e9 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2011,6 +2011,8 @@ static void target_restart_delayed_cmds(struct se_device *dev)
list_del(&cmd->se_delayed_node);
spin_unlock(&dev->delayed_cmd_lock);
+ cmd->transport_state |= CMD_T_SENT;
+
__target_execute_cmd(cmd, true);
if (cmd->sam_task_attr = TCM_ORDERED_TAG)
@@ -2046,6 +2048,8 @@ static void transport_complete_task_attr(struct se_cmd *cmd)
pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
dev->dev_cur_ordered_id);
}
+ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
+
restart:
target_restart_delayed_cmds(dev);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 2/6] target: Fix caw_sem leak in transport_generic_request_failure
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie,
Hannes Reinecke, Bart Van Assche
From: Nicholas Bellinger <nab@linux-iscsi.org>
With the recent addition of transport_check_aborted_status() within
transport_generic_request_failure() to avoid sending a SCSI status
exception after CMD_T_ABORTED w/ TAS=1 has occured, it introduced
a COMPARE_AND_WRITE early failure regression.
Namely when COMPARE_AND_WRITE fails and se_device->caw_sem has
been taken by sbc_compare_and_write(), if the new check for
transport_check_aborted_status() returns true and exits,
cmd->transport_complete_callback() -> compare_and_write_post()
is skipped never releasing se_device->caw_sem.
This regression was originally introduced by:
commit e3b88ee95b4e4bf3e9729a4695d695b9c7c296c8
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Tue Feb 14 16:25:45 2017 -0800
target: Fix handling of aborted failed commands
To address this bug, move the transport_check_aborted_status()
call after transport_complete_task_attr() and
cmd->transport_complete_callback().
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index c33d1e9..d02218c 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1729,9 +1729,6 @@ void transport_generic_request_failure(struct se_cmd *cmd,
{
int ret = 0, post_ret = 0;
- if (transport_check_aborted_status(cmd, 1))
- return;
-
pr_debug("-----[ Storage Engine Exception; sense_reason %d\n",
sense_reason);
target_show_cmd("-----[ ", cmd);
@@ -1740,6 +1737,7 @@ void transport_generic_request_failure(struct se_cmd *cmd,
* For SAM Task Attribute emulation for failed struct se_cmd
*/
transport_complete_task_attr(cmd);
+
/*
* Handle special case for COMPARE_AND_WRITE failure, where the
* callback is expected to drop the per device ->caw_sem.
@@ -1748,6 +1746,9 @@ void transport_generic_request_failure(struct se_cmd *cmd,
cmd->transport_complete_callback)
cmd->transport_complete_callback(cmd, false, &post_ret);
+ if (transport_check_aborted_status(cmd, 1))
+ return;
+
switch (sense_reason) {
case TCM_NON_EXISTENT_LUN:
case TCM_UNSUPPORTED_SCSI_OPCODE:
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 2/6] target: Fix caw_sem leak in transport_generic_request_failure
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie,
Hannes Reinecke, Bart Van Assche
From: Nicholas Bellinger <nab@linux-iscsi.org>
With the recent addition of transport_check_aborted_status() within
transport_generic_request_failure() to avoid sending a SCSI status
exception after CMD_T_ABORTED w/ TAS=1 has occured, it introduced
a COMPARE_AND_WRITE early failure regression.
Namely when COMPARE_AND_WRITE fails and se_device->caw_sem has
been taken by sbc_compare_and_write(), if the new check for
transport_check_aborted_status() returns true and exits,
cmd->transport_complete_callback() -> compare_and_write_post()
is skipped never releasing se_device->caw_sem.
This regression was originally introduced by:
commit e3b88ee95b4e4bf3e9729a4695d695b9c7c296c8
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Tue Feb 14 16:25:45 2017 -0800
target: Fix handling of aborted failed commands
To address this bug, move the transport_check_aborted_status()
call after transport_complete_task_attr() and
cmd->transport_complete_callback().
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index c33d1e9..d02218c 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1729,9 +1729,6 @@ void transport_generic_request_failure(struct se_cmd *cmd,
{
int ret = 0, post_ret = 0;
- if (transport_check_aborted_status(cmd, 1))
- return;
-
pr_debug("-----[ Storage Engine Exception; sense_reason %d\n",
sense_reason);
target_show_cmd("-----[ ", cmd);
@@ -1740,6 +1737,7 @@ void transport_generic_request_failure(struct se_cmd *cmd,
* For SAM Task Attribute emulation for failed struct se_cmd
*/
transport_complete_task_attr(cmd);
+
/*
* Handle special case for COMPARE_AND_WRITE failure, where the
* callback is expected to drop the per device ->caw_sem.
@@ -1748,6 +1746,9 @@ void transport_generic_request_failure(struct se_cmd *cmd,
cmd->transport_complete_callback)
cmd->transport_complete_callback(cmd, false, &post_ret);
+ if (transport_check_aborted_status(cmd, 1))
+ return;
+
switch (sense_reason) {
case TCM_NON_EXISTENT_LUN:
case TCM_UNSUPPORTED_SCSI_OPCODE:
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 3/6] target: Fix quiese during transport_write_pending_qf endless loop
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie,
Hannes Reinecke, Bryant G. Ly, Michael Cyr, Potnuri Bharat Teja,
Sagi Grimberg
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a potential end-less loop during QUEUE_FULL,
where cmd->se_tfo->write_pending() callback fails repeatedly
but __transport_wait_for_tasks() has already been invoked to
quiese the outstanding se_cmd descriptor.
To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
check within transport_write_pending_qf() and invokes the
existing se_cmd->t_transport_stop_comp to signal quiese
completion back to __transport_wait_for_tasks().
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
Cc: Potnuri Bharat Teja <bharat@chelsio.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index d02218c..0e89db8 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2560,7 +2560,20 @@ void transport_kunmap_data_sg(struct se_cmd *cmd)
static void transport_write_pending_qf(struct se_cmd *cmd)
{
+ unsigned long flags;
int ret;
+ bool stop;
+
+ spin_lock_irqsave(&cmd->t_state_lock, flags);
+ stop = (cmd->transport_state & (CMD_T_STOP | CMD_T_ABORTED));
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
+ if (stop) {
+ pr_debug("%s:%d CMD_T_STOP|CMD_T_ABORTED for ITT: 0x%08llx\n",
+ __func__, __LINE__, cmd->tag);
+ complete_all(&cmd->t_transport_stop_comp);
+ return;
+ }
ret = cmd->se_tfo->write_pending(cmd);
if (ret) {
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 3/6] target: Fix quiese during transport_write_pending_qf endless loop
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie,
Hannes Reinecke, Bryant G. Ly, Michael Cyr, Potnuri Bharat Teja,
Sagi Grimberg
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a potential end-less loop during QUEUE_FULL,
where cmd->se_tfo->write_pending() callback fails repeatedly
but __transport_wait_for_tasks() has already been invoked to
quiese the outstanding se_cmd descriptor.
To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
check within transport_write_pending_qf() and invokes the
existing se_cmd->t_transport_stop_comp to signal quiese
completion back to __transport_wait_for_tasks().
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
Cc: Potnuri Bharat Teja <bharat@chelsio.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_transport.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index d02218c..0e89db8 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2560,7 +2560,20 @@ void transport_kunmap_data_sg(struct se_cmd *cmd)
static void transport_write_pending_qf(struct se_cmd *cmd)
{
+ unsigned long flags;
int ret;
+ bool stop;
+
+ spin_lock_irqsave(&cmd->t_state_lock, flags);
+ stop = (cmd->transport_state & (CMD_T_STOP | CMD_T_ABORTED));
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
+ if (stop) {
+ pr_debug("%s:%d CMD_T_STOP|CMD_T_ABORTED for ITT: 0x%08llx\n",
+ __func__, __LINE__, cmd->tag);
+ complete_all(&cmd->t_transport_stop_comp);
+ return;
+ }
ret = cmd->se_tfo->write_pending(cmd);
if (ret) {
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 4/6] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Donald White,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes bug where early se_cmd exceptions that occur
before backend execution can result in use-after-free if/when
a subsequent ABORT_TASK occurs for the same tag.
Since an early se_cmd exception will have had se_cmd added to
se_session->sess_cmd_list via target_get_sess_cmd(), it will
not have CMD_T_COMPLETE set by the usual target_complete_cmd()
backend completion path.
This causes a subsequent ABORT_TASK + __target_check_io_state()
to signal ABORT_TASK should proceed. As core_tmr_abort_task()
executes, it will bring the outstanding se_cmd->cmd_kref count
down to zero releasing se_cmd, after se_cmd has already been
queued with error status into fabric driver response path code.
To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
set at target_get_sess_cmd() time, and cleared immediately before
backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
is set.
Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
determine when an early exception has occured, and avoid aborting
this se_cmd since it will have already been queued into fabric
driver response path code.
Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_tmr.c | 9 +++++++++
drivers/target/target_core_transport.c | 2 ++
include/target/target_core_base.h | 1 +
3 files changed, 12 insertions(+)
diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 61909b2..9c7bc1c 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -133,6 +133,15 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
spin_unlock(&se_cmd->t_state_lock);
return false;
}
+ if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) {
+ if (se_cmd->scsi_status) {
+ pr_debug("Attempted to abort io tag: %llu early failure"
+ " status: 0x%02x\n", se_cmd->tag,
+ se_cmd->scsi_status);
+ spin_unlock(&se_cmd->t_state_lock);
+ return false;
+ }
+ }
if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
pr_debug("Attempted to abort io tag: %llu already shutdown,"
" skipping\n", se_cmd->tag);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0e89db8..58caacd 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1975,6 +1975,7 @@ void target_execute_cmd(struct se_cmd *cmd)
}
cmd->t_state = TRANSPORT_PROCESSING;
+ cmd->transport_state &= ~CMD_T_PRE_EXECUTE;
cmd->transport_state |= CMD_T_ACTIVE | CMD_T_SENT;
spin_unlock_irq(&cmd->t_state_lock);
@@ -2667,6 +2668,7 @@ int target_get_sess_cmd(struct se_cmd *se_cmd, bool ack_kref)
ret = -ESHUTDOWN;
goto out;
}
+ se_cmd->transport_state |= CMD_T_PRE_EXECUTE;
list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
out:
spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index d3139a9..ccf501b 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -490,6 +490,7 @@ struct se_cmd {
#define CMD_T_STOP (1 << 5)
#define CMD_T_TAS (1 << 10)
#define CMD_T_FABRIC_STOP (1 << 11)
+#define CMD_T_PRE_EXECUTE (1 << 12)
spinlock_t t_state_lock;
struct kref cmd_kref;
struct completion t_transport_stop_comp;
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 4/6] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Donald White,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes bug where early se_cmd exceptions that occur
before backend execution can result in use-after-free if/when
a subsequent ABORT_TASK occurs for the same tag.
Since an early se_cmd exception will have had se_cmd added to
se_session->sess_cmd_list via target_get_sess_cmd(), it will
not have CMD_T_COMPLETE set by the usual target_complete_cmd()
backend completion path.
This causes a subsequent ABORT_TASK + __target_check_io_state()
to signal ABORT_TASK should proceed. As core_tmr_abort_task()
executes, it will bring the outstanding se_cmd->cmd_kref count
down to zero releasing se_cmd, after se_cmd has already been
queued with error status into fabric driver response path code.
To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
set at target_get_sess_cmd() time, and cleared immediately before
backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
is set.
Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
determine when an early exception has occured, and avoid aborting
this se_cmd since it will have already been queued into fabric
driver response path code.
Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_tmr.c | 9 +++++++++
drivers/target/target_core_transport.c | 2 ++
include/target/target_core_base.h | 1 +
3 files changed, 12 insertions(+)
diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 61909b2..9c7bc1c 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -133,6 +133,15 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
spin_unlock(&se_cmd->t_state_lock);
return false;
}
+ if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) {
+ if (se_cmd->scsi_status) {
+ pr_debug("Attempted to abort io tag: %llu early failure"
+ " status: 0x%02x\n", se_cmd->tag,
+ se_cmd->scsi_status);
+ spin_unlock(&se_cmd->t_state_lock);
+ return false;
+ }
+ }
if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
pr_debug("Attempted to abort io tag: %llu already shutdown,"
" skipping\n", se_cmd->tag);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0e89db8..58caacd 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1975,6 +1975,7 @@ void target_execute_cmd(struct se_cmd *cmd)
}
cmd->t_state = TRANSPORT_PROCESSING;
+ cmd->transport_state &= ~CMD_T_PRE_EXECUTE;
cmd->transport_state |= CMD_T_ACTIVE | CMD_T_SENT;
spin_unlock_irq(&cmd->t_state_lock);
@@ -2667,6 +2668,7 @@ int target_get_sess_cmd(struct se_cmd *se_cmd, bool ack_kref)
ret = -ESHUTDOWN;
goto out;
}
+ se_cmd->transport_state |= CMD_T_PRE_EXECUTE;
list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
out:
spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index d3139a9..ccf501b 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -490,6 +490,7 @@ struct se_cmd {
#define CMD_T_STOP (1 << 5)
#define CMD_T_TAS (1 << 10)
#define CMD_T_FABRIC_STOP (1 << 11)
+#define CMD_T_PRE_EXECUTE (1 << 12)
spinlock_t t_state_lock;
struct kref cmd_kref;
struct completion t_transport_stop_comp;
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 5/6] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Donald White,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
Since commit 59b6986dbf fixed a potential NULL pointer dereference
by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the
se_tmr_req is currently leaked by iscsit_free_cmd() because no
iscsi_cmd->se_cmd.se_tfo was associated.
To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other
TMR and call transport_init_se_cmd() + target_get_sess_cmd() to
setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2.
This will ensure normal release operation once se_cmd->cmd_kref
reaches zero and target_release_cmd_kref() is invoked, se_tmr_req
will be released via existing target_free_cmd_mem() and
core_tmr_release_req() code.
Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/iscsi/iscsi_target.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 541f66a..048d422 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1955,7 +1955,6 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
struct iscsi_tmr_req *tmr_req;
struct iscsi_tm *hdr;
int out_of_order_cmdsn = 0, ret;
- bool sess_ref = false;
u8 function, tcm_function = TMR_UNKNOWN;
hdr = (struct iscsi_tm *) buf;
@@ -1988,22 +1987,23 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
cmd->data_direction = DMA_NONE;
cmd->tmr_req = kzalloc(sizeof(*cmd->tmr_req), GFP_KERNEL);
- if (!cmd->tmr_req)
+ if (!cmd->tmr_req) {
return iscsit_add_reject_cmd(cmd,
ISCSI_REASON_BOOKMARK_NO_RESOURCES,
buf);
+ }
+
+ transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+ target_get_sess_cmd(&cmd->se_cmd, true);
/*
* TASK_REASSIGN for ERL=2 / connection stays inside of
* LIO-Target $FABRIC_MOD
*/
if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
- transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
- conn->sess->se_sess, 0, DMA_NONE,
- TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
-
- target_get_sess_cmd(&cmd->se_cmd, true);
- sess_ref = true;
tcm_function = iscsit_convert_tmf(function);
if (tcm_function == TMR_UNKNOWN) {
pr_err("Unknown iSCSI TMR Function:"
@@ -2119,12 +2119,8 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
* For connection recovery, this is also the default action for
* TMR TASK_REASSIGN.
*/
- if (sess_ref) {
- pr_debug("Handle TMR, using sess_ref=true check\n");
- target_put_sess_cmd(&cmd->se_cmd);
- }
-
iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
+ target_put_sess_cmd(&cmd->se_cmd);
return 0;
}
EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd);
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 5/6] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Donald White,
Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
Since commit 59b6986dbf fixed a potential NULL pointer dereference
by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the
se_tmr_req is currently leaked by iscsit_free_cmd() because no
iscsi_cmd->se_cmd.se_tfo was associated.
To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other
TMR and call transport_init_se_cmd() + target_get_sess_cmd() to
setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2.
This will ensure normal release operation once se_cmd->cmd_kref
reaches zero and target_release_cmd_kref() is invoked, se_tmr_req
will be released via existing target_free_cmd_mem() and
core_tmr_release_req() code.
Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/iscsi/iscsi_target.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 541f66a..048d422 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1955,7 +1955,6 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
struct iscsi_tmr_req *tmr_req;
struct iscsi_tm *hdr;
int out_of_order_cmdsn = 0, ret;
- bool sess_ref = false;
u8 function, tcm_function = TMR_UNKNOWN;
hdr = (struct iscsi_tm *) buf;
@@ -1988,22 +1987,23 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
cmd->data_direction = DMA_NONE;
cmd->tmr_req = kzalloc(sizeof(*cmd->tmr_req), GFP_KERNEL);
- if (!cmd->tmr_req)
+ if (!cmd->tmr_req) {
return iscsit_add_reject_cmd(cmd,
ISCSI_REASON_BOOKMARK_NO_RESOURCES,
buf);
+ }
+
+ transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
+ conn->sess->se_sess, 0, DMA_NONE,
+ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
+
+ target_get_sess_cmd(&cmd->se_cmd, true);
/*
* TASK_REASSIGN for ERL=2 / connection stays inside of
* LIO-Target $FABRIC_MOD
*/
if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
- transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
- conn->sess->se_sess, 0, DMA_NONE,
- TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
-
- target_get_sess_cmd(&cmd->se_cmd, true);
- sess_ref = true;
tcm_function = iscsit_convert_tmf(function);
if (tcm_function = TMR_UNKNOWN) {
pr_err("Unknown iSCSI TMR Function:"
@@ -2119,12 +2119,8 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
* For connection recovery, this is also the default action for
* TMR TASK_REASSIGN.
*/
- if (sess_ref) {
- pr_debug("Handle TMR, using sess_ref=true check\n");
- target_put_sess_cmd(&cmd->se_cmd);
- }
-
iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
+ target_put_sess_cmd(&cmd->se_cmd);
return 0;
}
EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd);
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 6/6] iscsi-target: Fix non-immediate TMR reference leak
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
-1 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a se_cmd->cmd_kref reference leak that can
occur when a non immediate TMR is proceeded our of command
sequence number order, and CMDSN_LOWER_THAN_EXP is returned
by iscsit_sequence_cmd().
To address this bug, call target_put_sess_cmd() during this
special case following what iscsit_process_scsi_cmd() does
upon CMDSN_LOWER_THAN_EXP.
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/iscsi/iscsi_target.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 048d422..3b7bb58 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2094,12 +2094,14 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
+ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
out_of_order_cmdsn = 1;
- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
+ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
+ target_put_sess_cmd(&cmd->se_cmd);
return 0;
- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
+ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
return -1;
+ }
}
iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 6/6] iscsi-target: Fix non-immediate TMR reference leak
@ 2017-11-08 4:31 ` Nicholas A. Bellinger
0 siblings, 0 replies; 18+ messages in thread
From: Nicholas A. Bellinger @ 2017-11-08 4:31 UTC (permalink / raw)
To: target-devel
Cc: linux-scsi, lkml, Nicholas Bellinger, Mike Christie, Hannes Reinecke
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a se_cmd->cmd_kref reference leak that can
occur when a non immediate TMR is proceeded our of command
sequence number order, and CMDSN_LOWER_THAN_EXP is returned
by iscsit_sequence_cmd().
To address this bug, call target_put_sess_cmd() during this
special case following what iscsit_process_scsi_cmd() does
upon CMDSN_LOWER_THAN_EXP.
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/iscsi/iscsi_target.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 048d422..3b7bb58 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2094,12 +2094,14 @@ static enum tcm_tmreq_table iscsit_convert_tmf(u8 iscsi_tmf)
if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
- if (cmdsn_ret = CMDSN_HIGHER_THAN_EXP)
+ if (cmdsn_ret = CMDSN_HIGHER_THAN_EXP) {
out_of_order_cmdsn = 1;
- else if (cmdsn_ret = CMDSN_LOWER_THAN_EXP)
+ } else if (cmdsn_ret = CMDSN_LOWER_THAN_EXP) {
+ target_put_sess_cmd(&cmd->se_cmd);
return 0;
- else if (cmdsn_ret = CMDSN_ERROR_CANNOT_RECOVER)
+ } else if (cmdsn_ret = CMDSN_ERROR_CANNOT_RECOVER) {
return -1;
+ }
}
iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
--
1.9.1
^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH 3/6] target: Fix quiese during transport_write_pending_qf endless loop
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 21:29 ` Bryant G. Ly
-1 siblings, 0 replies; 18+ messages in thread
From: Bryant G. Ly @ 2017-11-08 21:29 UTC (permalink / raw)
To: Nicholas A. Bellinger, target-devel
Cc: linux-scsi, lkml, Mike Christie, Hannes Reinecke, Michael Cyr,
Potnuri Bharat Teja, Sagi Grimberg
> From: Nicholas Bellinger <nab@linux-iscsi.org>
>
> This patch fixes a potential end-less loop during QUEUE_FULL,
> where cmd->se_tfo->write_pending() callback fails repeatedly
> but __transport_wait_for_tasks() has already been invoked to
> quiese the outstanding se_cmd descriptor.
>
> To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
> check within transport_write_pending_qf() and invokes the
> existing se_cmd->t_transport_stop_comp to signal quiese
> completion back to __transport_wait_for_tasks().
>
> Cc: Mike Christie <mchristi@redhat.com>
> Cc: Hannes Reinecke <hare@suse.com>
> Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
> Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
> Cc: Potnuri Bharat Teja <bharat@chelsio.com>
> Cc: Sagi Grimberg <sagi@grimberg.me>
> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
> ---
>
Reviewed-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/6] target: Fix quiese during transport_write_pending_qf endless loop
@ 2017-11-08 21:29 ` Bryant G. Ly
0 siblings, 0 replies; 18+ messages in thread
From: Bryant G. Ly @ 2017-11-08 21:29 UTC (permalink / raw)
To: Nicholas A. Bellinger, target-devel
Cc: linux-scsi, lkml, Mike Christie, Hannes Reinecke, Michael Cyr,
Potnuri Bharat Teja, Sagi Grimberg
> From: Nicholas Bellinger <nab@linux-iscsi.org>
>
> This patch fixes a potential end-less loop during QUEUE_FULL,
> where cmd->se_tfo->write_pending() callback fails repeatedly
> but __transport_wait_for_tasks() has already been invoked to
> quiese the outstanding se_cmd descriptor.
>
> To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
> check within transport_write_pending_qf() and invokes the
> existing se_cmd->t_transport_stop_comp to signal quiese
> completion back to __transport_wait_for_tasks().
>
> Cc: Mike Christie <mchristi@redhat.com>
> Cc: Hannes Reinecke <hare@suse.com>
> Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
> Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
> Cc: Potnuri Bharat Teja <bharat@chelsio.com>
> Cc: Sagi Grimberg <sagi@grimberg.me>
> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
> ---
>
Reviewed-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/6] target: Fix QUEUE_FULL + SCSI task attribute handling
2017-11-08 4:31 ` Nicholas A. Bellinger
@ 2017-11-08 21:29 ` Bryant G. Ly
-1 siblings, 0 replies; 18+ messages in thread
From: Bryant G. Ly @ 2017-11-08 21:29 UTC (permalink / raw)
To: Nicholas A. Bellinger, target-devel
Cc: linux-scsi, lkml, Michael Cyr, Mike Christie, Hannes Reinecke
> From: Nicholas Bellinger <nab@linux-iscsi.org>
>
> This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
> calls transport_complete_task_attr() after it's already been invoked
> by target_complete_ok_work() or transport_generic_request_failure()
> during initial completion, preceeding QUEUE_FULL.
>
> This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
> and/or se_device->dev_ordered_sync being updated multiple times for
> a single se_cmd.
>
> To address this bug, clear SCF_TASK_ATTR_SET after the first call
> to transport_complete_task_attr(), and avoid updating SCSI task
> attribute related counters for any subsequent calls.
>
> Also, when a se_cmd is deferred due to ordered tags and executed
> via target_restart_delayed_cmds(), set CMD_T_SENT before execution
> matching what target_execute_cmd() does.
>
> Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
> Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
> Cc: Mike Christie <mchristi@redhat.com>
> Cc: Hannes Reinecke <hare@suse.com>
> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
> ---
>
Reviewed-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/6] target: Fix QUEUE_FULL + SCSI task attribute handling
@ 2017-11-08 21:29 ` Bryant G. Ly
0 siblings, 0 replies; 18+ messages in thread
From: Bryant G. Ly @ 2017-11-08 21:29 UTC (permalink / raw)
To: Nicholas A. Bellinger, target-devel
Cc: linux-scsi, lkml, Michael Cyr, Mike Christie, Hannes Reinecke
> From: Nicholas Bellinger <nab@linux-iscsi.org>
>
> This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
> calls transport_complete_task_attr() after it's already been invoked
> by target_complete_ok_work() or transport_generic_request_failure()
> during initial completion, preceeding QUEUE_FULL.
>
> This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
> and/or se_device->dev_ordered_sync being updated multiple times for
> a single se_cmd.
>
> To address this bug, clear SCF_TASK_ATTR_SET after the first call
> to transport_complete_task_attr(), and avoid updating SCSI task
> attribute related counters for any subsequent calls.
>
> Also, when a se_cmd is deferred due to ordered tags and executed
> via target_restart_delayed_cmds(), set CMD_T_SENT before execution
> matching what target_execute_cmd() does.
>
> Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
> Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
> Cc: Mike Christie <mchristi@redhat.com>
> Cc: Hannes Reinecke <hare@suse.com>
> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
> ---
>
Reviewed-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2017-11-08 21:29 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-08 4:31 [PATCH 0/6] target fixes for v4.15-rc1 Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 4:31 ` [PATCH 1/6] target: Fix QUEUE_FULL + SCSI task attribute handling Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 21:29 ` Bryant G. Ly
2017-11-08 21:29 ` Bryant G. Ly
2017-11-08 4:31 ` [PATCH 2/6] target: Fix caw_sem leak in transport_generic_request_failure Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 4:31 ` [PATCH 3/6] target: Fix quiese during transport_write_pending_qf endless loop Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 21:29 ` Bryant G. Ly
2017-11-08 21:29 ` Bryant G. Ly
2017-11-08 4:31 ` [PATCH 4/6] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 4:31 ` [PATCH 5/6] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
2017-11-08 4:31 ` [PATCH 6/6] iscsi-target: Fix non-immediate TMR reference leak Nicholas A. Bellinger
2017-11-08 4:31 ` Nicholas A. Bellinger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.