[PATCH 0/6 V3] iscsi fixes

[PATCH 0/6 V3] iscsi fixes

[Mike Christie]

The following patches were made over Linus's tree. Martin's staging
branches were missing fe0a8a95e7134d0b44cd407bc0085b9ba8d8fe31.

The patches are mostly fixes. There is one cleanup to the locking
and non standard task cleanup that is used by a later patch that
fixes the refcounting during timeouts/TMFs.

V3:
- Add some patches for issues found while testing.
	- session queue depth was stuck at 128
	- cmd window could not be detected when session was relogged in.
- Patch "libiscsi: drop taskqueuelock" had a bug where we did not
disable bhs and during xmit thread suspension leaked the current task.
V2:
- Take back_lock when looping over running cmds in iscsi_eh_cmd_timed_out
in case those complete while we are accessing them.

[PATCH 1/6 V3] libiscsi: fix iscsi_prep_scsi_cmd_pdu error handling

[Mike Christie]

If iscsi_prep_scsi_cmd_pdu fails we try to add it back to the
cmdqueue, but we leave it partially setup. We don't have functions
that can undo the pdu and init task setup. We only have cleanup_task
which can cleanup both parts. So this has us just fail the cmd and
go through the standard cleanup routine and then have scsi-ml retry
it like is done when it fails in the queuecommand path.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
---
 drivers/scsi/libiscsi.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index f9314f1..ee0786b 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -1532,14 +1532,9 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
 		}
 		rc = iscsi_prep_scsi_cmd_pdu(conn->task);
 		if (rc) {
-			if (rc == -ENOMEM || rc == -EACCES) {
-				spin_lock_bh(&conn->taskqueuelock);
-				list_add_tail(&conn->task->running,
-					      &conn->cmdqueue);
-				conn->task = NULL;
-				spin_unlock_bh(&conn->taskqueuelock);
-				goto done;
-			} else
+			if (rc == -ENOMEM || rc == -EACCES)
+				fail_scsi_task(conn->task, DID_IMM_RETRY);
+			else
 				fail_scsi_task(conn->task, DID_ABORT);
 			spin_lock_bh(&conn->taskqueuelock);
 			continue;
-- 
1.8.3.1

[PATCH 2/6 V3] libiscsi: drop taskqueuelock

[Mike Christie]

The purpose of the taskqueuelock was to handle the issue where a bad
target decides to send a R2T and before it's data has been sent
decides to send a cmd response to complete the cmd. The following
patches fix up the frwd/back locks so they are taken from the
queue/xmit (frwd) and completion (back) paths again. To get there
this patch removes the taskqueuelock which for iscsi xmit wq based
drivers was taken in the queue, xmit and completion paths.

Instead of the lock, we just make sure we have a ref to the task
when we queue a R2T, and then we always remove the task from the
requeue list in the xmit path or the forced cleanup paths.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
---
 drivers/scsi/libiscsi.c     | 178 ++++++++++++++++++++++++++++----------------
 drivers/scsi/libiscsi_tcp.c |  84 ++++++++++++++-------
 include/scsi/libiscsi.h     |   4 +-
 3 files changed, 171 insertions(+), 95 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index ee0786b..5582e4f 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -523,16 +523,6 @@ static void iscsi_complete_task(struct iscsi_task *task, int state)
 	WARN_ON_ONCE(task->state == ISCSI_TASK_FREE);
 	task->state = state;
 
-	spin_lock_bh(&conn->taskqueuelock);
-	if (!list_empty(&task->running)) {
-		pr_debug_once("%s while task on list", __func__);
-		list_del_init(&task->running);
-	}
-	spin_unlock_bh(&conn->taskqueuelock);
-
-	if (conn->task == task)
-		conn->task = NULL;
-
 	if (READ_ONCE(conn->ping_task) == task)
 		WRITE_ONCE(conn->ping_task, NULL);
 
@@ -564,9 +554,40 @@ void iscsi_complete_scsi_task(struct iscsi_task *task,
 }
 EXPORT_SYMBOL_GPL(iscsi_complete_scsi_task);
 
+/*
+ * Must be called with back and frwd lock
+ */
+static bool cleanup_queued_task(struct iscsi_task *task)
+{
+	struct iscsi_conn *conn = task->conn;
+	bool early_complete = false;
+
+	/* Bad target might have completed task while it was still running */
+	if (task->state == ISCSI_TASK_COMPLETED)
+		early_complete = true;
+
+	if (!list_empty(&task->running)) {
+		list_del_init(&task->running);
+		/*
+		 * If it's on a list but still running, this could be from
+		 * a bad target sending a rsp early, cleanup from a TMF, or
+		 * session recovery.
+		 */
+		if (task->state == ISCSI_TASK_RUNNING ||
+		    task->state == ISCSI_TASK_COMPLETED)
+			__iscsi_put_task(task);
+	}
+
+	if (conn->task == task) {
+		conn->task = NULL;
+		__iscsi_put_task(task);
+	}
+
+	return early_complete;
+}
 
 /*
- * session back_lock must be held and if not called for a task that is
+ * session frwd_lock must be held and if not called for a task that is
  * still pending or from the xmit thread, then xmit thread must
  * be suspended.
  */
@@ -585,6 +606,13 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
 	if (!sc)
 		return;
 
+	/* regular RX path uses back_lock */
+	spin_lock_bh(&conn->session->back_lock);
+	if (cleanup_queued_task(task)) {
+		spin_unlock_bh(&conn->session->back_lock);
+		return;
+	}
+
 	if (task->state == ISCSI_TASK_PENDING) {
 		/*
 		 * cmd never made it to the xmit thread, so we should not count
@@ -600,9 +628,6 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
 
 	sc->result = err << 16;
 	scsi_set_resid(sc, scsi_bufflen(sc));
-
-	/* regular RX path uses back_lock */
-	spin_lock_bh(&conn->session->back_lock);
 	iscsi_complete_task(task, state);
 	spin_unlock_bh(&conn->session->back_lock);
 }
@@ -748,9 +773,7 @@ static int iscsi_prep_mgmt_task(struct iscsi_conn *conn,
 		if (session->tt->xmit_task(task))
 			goto free_task;
 	} else {
-		spin_lock_bh(&conn->taskqueuelock);
 		list_add_tail(&task->running, &conn->mgmtqueue);
-		spin_unlock_bh(&conn->taskqueuelock);
 		iscsi_conn_queue_work(conn);
 	}
 
@@ -1411,31 +1434,61 @@ static int iscsi_check_cmdsn_window_closed(struct iscsi_conn *conn)
 	return 0;
 }
 
-static int iscsi_xmit_task(struct iscsi_conn *conn)
+static int iscsi_xmit_task(struct iscsi_conn *conn, struct iscsi_task *task,
+			   bool was_requeue)
 {
-	struct iscsi_task *task = conn->task;
 	int rc;
 
-	if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
-		return -ENODATA;
-
 	spin_lock_bh(&conn->session->back_lock);
-	if (conn->task == NULL) {
+
+	if (!conn->task) {
+		/* Take a ref so we can access it after xmit_task() */
+		__iscsi_get_task(task);
+	} else {
+		/* Already have a ref from when we failed to send it last call */
+		conn->task = NULL;
+	}
+
+	/*
+	 * If this was a requeue for a R2T we have an extra ref on the task in
+	 * case a bad target sends a cmd rsp before we have handled the task.
+	 */
+	if (was_requeue)
+		__iscsi_put_task(task);
+
+	/*
+	 * Do this after dropping the extra ref because if this was a requeue
+	 * it's removed from that list and cleanup_queued_task would miss it.
+	 */
+	if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
+		/*
+		 * Save the task and ref in case we weren't cleaning up this
+		 * task and get woken up again.
+		 */
+		conn->task = task;
 		spin_unlock_bh(&conn->session->back_lock);
 		return -ENODATA;
 	}
-	__iscsi_get_task(task);
 	spin_unlock_bh(&conn->session->back_lock);
+
 	spin_unlock_bh(&conn->session->frwd_lock);
 	rc = conn->session->tt->xmit_task(task);
 	spin_lock_bh(&conn->session->frwd_lock);
 	if (!rc) {
 		/* done with this task */
 		task->last_xfer = jiffies;
-		conn->task = NULL;
 	}
 	/* regular RX path uses back_lock */
 	spin_lock(&conn->session->back_lock);
+	if (rc && task->state == ISCSI_TASK_RUNNING) {
+		/*
+		 * get an extra ref that is released next time we access it
+		 * as conn->task above.
+		 */
+		__iscsi_get_task(task);
+		conn->task = task;
+	}
+
 	__iscsi_put_task(task);
 	spin_unlock(&conn->session->back_lock);
 	return rc;
@@ -1445,9 +1498,7 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
  * iscsi_requeue_task - requeue task to run from session workqueue
  * @task: task to requeue
  *
- * LLDs that need to run a task from the session workqueue should call
- * this. The session frwd_lock must be held. This should only be called
- * by software drivers.
+ * Callers must have taken a ref to the task that is going to be requeued.
  */
 void iscsi_requeue_task(struct iscsi_task *task)
 {
@@ -1457,11 +1508,18 @@ void iscsi_requeue_task(struct iscsi_task *task)
 	 * this may be on the requeue list already if the xmit_task callout
 	 * is handling the r2ts while we are adding new ones
 	 */
-	spin_lock_bh(&conn->taskqueuelock);
-	if (list_empty(&task->running))
+	spin_lock_bh(&conn->session->frwd_lock);
+	if (list_empty(&task->running)) {
 		list_add_tail(&task->running, &conn->requeue);
-	spin_unlock_bh(&conn->taskqueuelock);
+	} else {
+		/*
+		 * Don't need the extra ref since it's already requeued and
+		 * has a ref.
+		 */
+		iscsi_put_task(task);
+	}
 	iscsi_conn_queue_work(conn);
+	spin_unlock_bh(&conn->session->frwd_lock);
 }
 EXPORT_SYMBOL_GPL(iscsi_requeue_task);
 
@@ -1487,7 +1545,7 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
 	}
 
 	if (conn->task) {
-		rc = iscsi_xmit_task(conn);
+		rc = iscsi_xmit_task(conn, conn->task, false);
 	        if (rc)
 		        goto done;
 	}
@@ -1497,49 +1555,41 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
 	 * only have one nop-out as a ping from us and targets should not
 	 * overflow us with nop-ins
 	 */
-	spin_lock_bh(&conn->taskqueuelock);
 check_mgmt:
 	while (!list_empty(&conn->mgmtqueue)) {
-		conn->task = list_entry(conn->mgmtqueue.next,
-					 struct iscsi_task, running);
-		list_del_init(&conn->task->running);
-		spin_unlock_bh(&conn->taskqueuelock);
-		if (iscsi_prep_mgmt_task(conn, conn->task)) {
+		task = list_entry(conn->mgmtqueue.next, struct iscsi_task,
+				  running);
+		list_del_init(&task->running);
+		if (iscsi_prep_mgmt_task(conn, task)) {
 			/* regular RX path uses back_lock */
 			spin_lock_bh(&conn->session->back_lock);
-			__iscsi_put_task(conn->task);
+			__iscsi_put_task(task);
 			spin_unlock_bh(&conn->session->back_lock);
-			conn->task = NULL;
-			spin_lock_bh(&conn->taskqueuelock);
 			continue;
 		}
-		rc = iscsi_xmit_task(conn);
+		rc = iscsi_xmit_task(conn, task, false);
 		if (rc)
 			goto done;
-		spin_lock_bh(&conn->taskqueuelock);
 	}
 
 	/* process pending command queue */
 	while (!list_empty(&conn->cmdqueue)) {
-		conn->task = list_entry(conn->cmdqueue.next, struct iscsi_task,
-					running);
-		list_del_init(&conn->task->running);
-		spin_unlock_bh(&conn->taskqueuelock);
+		task = list_entry(conn->cmdqueue.next, struct iscsi_task,
+				  running);
+		list_del_init(&task->running);
 		if (conn->session->state == ISCSI_STATE_LOGGING_OUT) {
-			fail_scsi_task(conn->task, DID_IMM_RETRY);
-			spin_lock_bh(&conn->taskqueuelock);
+			fail_scsi_task(task, DID_IMM_RETRY);
 			continue;
 		}
-		rc = iscsi_prep_scsi_cmd_pdu(conn->task);
+		rc = iscsi_prep_scsi_cmd_pdu(task);
 		if (rc) {
 			if (rc == -ENOMEM || rc == -EACCES)
-				fail_scsi_task(conn->task, DID_IMM_RETRY);
+				fail_scsi_task(task, DID_IMM_RETRY);
 			else
-				fail_scsi_task(conn->task, DID_ABORT);
-			spin_lock_bh(&conn->taskqueuelock);
+				fail_scsi_task(task, DID_ABORT);
 			continue;
 		}
-		rc = iscsi_xmit_task(conn);
+		rc = iscsi_xmit_task(conn, task, false);
 		if (rc)
 			goto done;
 		/*
@@ -1547,7 +1597,6 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
 		 * we need to check the mgmt queue for nops that need to
 		 * be sent to aviod starvation
 		 */
-		spin_lock_bh(&conn->taskqueuelock);
 		if (!list_empty(&conn->mgmtqueue))
 			goto check_mgmt;
 	}
@@ -1561,21 +1610,17 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
 
 		task = list_entry(conn->requeue.next, struct iscsi_task,
 				  running);
+
 		if (iscsi_check_tmf_restrictions(task, ISCSI_OP_SCSI_DATA_OUT))
 			break;
 
-		conn->task = task;
-		list_del_init(&conn->task->running);
-		conn->task->state = ISCSI_TASK_RUNNING;
-		spin_unlock_bh(&conn->taskqueuelock);
-		rc = iscsi_xmit_task(conn);
+		list_del_init(&task->running);
+		rc = iscsi_xmit_task(conn, task, true);
 		if (rc)
 			goto done;
-		spin_lock_bh(&conn->taskqueuelock);
 		if (!list_empty(&conn->mgmtqueue))
 			goto check_mgmt;
 	}
-	spin_unlock_bh(&conn->taskqueuelock);
 	spin_unlock_bh(&conn->session->frwd_lock);
 	return -ENODATA;
 
@@ -1741,9 +1786,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
 			goto prepd_reject;
 		}
 	} else {
-		spin_lock_bh(&conn->taskqueuelock);
 		list_add_tail(&task->running, &conn->cmdqueue);
-		spin_unlock_bh(&conn->taskqueuelock);
 		iscsi_conn_queue_work(conn);
 	}
 
@@ -2914,7 +2957,6 @@ struct iscsi_cls_conn *
 	INIT_LIST_HEAD(&conn->mgmtqueue);
 	INIT_LIST_HEAD(&conn->cmdqueue);
 	INIT_LIST_HEAD(&conn->requeue);
-	spin_lock_init(&conn->taskqueuelock);
 	INIT_WORK(&conn->xmitwork, iscsi_xmitworker);
 
 	/* allocate login_task used for the login/text sequences */
@@ -3080,10 +3122,16 @@ int iscsi_conn_start(struct iscsi_cls_conn *cls_conn)
 		ISCSI_DBG_SESSION(conn->session,
 				  "failing mgmt itt 0x%x state %d\n",
 				  task->itt, task->state);
+
+		spin_lock_bh(&session->back_lock);
+		if (cleanup_queued_task(task)) {
+			spin_unlock_bh(&session->back_lock);
+			continue;
+		}
+
 		state = ISCSI_TASK_ABRT_SESS_RECOV;
 		if (task->state == ISCSI_TASK_PENDING)
 			state = ISCSI_TASK_COMPLETED;
-		spin_lock_bh(&session->back_lock);
 		iscsi_complete_task(task, state);
 		spin_unlock_bh(&session->back_lock);
 	}
diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
index 83f14b2..14c9169 100644
--- a/drivers/scsi/libiscsi_tcp.c
+++ b/drivers/scsi/libiscsi_tcp.c
@@ -524,48 +524,79 @@ static int iscsi_tcp_data_in(struct iscsi_conn *conn, struct iscsi_task *task)
 /**
  * iscsi_tcp_r2t_rsp - iSCSI R2T Response processing
  * @conn: iscsi connection
- * @task: scsi command task
+ * @hdr: PDU header
  */
-static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
+static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr)
 {
 	struct iscsi_session *session = conn->session;
-	struct iscsi_tcp_task *tcp_task = task->dd_data;
-	struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
-	struct iscsi_r2t_rsp *rhdr = (struct iscsi_r2t_rsp *)tcp_conn->in.hdr;
+	struct iscsi_tcp_task *tcp_task;
+	struct iscsi_tcp_conn *tcp_conn;
+	struct iscsi_r2t_rsp *rhdr;
 	struct iscsi_r2t_info *r2t;
-	int r2tsn = be32_to_cpu(rhdr->r2tsn);
+	struct iscsi_task *task;
 	u32 data_length;
 	u32 data_offset;
+	int r2tsn;
 	int rc;
 
+	spin_lock(&session->back_lock);
+	task = iscsi_itt_to_ctask(conn, hdr->itt);
+	if (!task) {
+		spin_unlock(&session->back_lock);
+		return ISCSI_ERR_BAD_ITT;
+	} else if (task->sc->sc_data_direction != DMA_TO_DEVICE) {
+		spin_unlock(&session->back_lock);
+		return ISCSI_ERR_PROTO;
+	}
+	/*
+	 * A bad target might complete the cmd before we have handled R2Ts
+	 * so get a ref to the task that will be dropped in the xmit path.
+	 */
+	if (task->state != ISCSI_TASK_RUNNING) {
+		spin_unlock(&session->back_lock);
+		/* Let the path that got the early rsp complete it */
+		return 0;
+	}
+	task->last_xfer = jiffies;
+	__iscsi_get_task(task);
+
+	tcp_conn = conn->dd_data;
+	rhdr = (struct iscsi_r2t_rsp *)tcp_conn->in.hdr;
+	/* fill-in new R2T associated with the task */
+	iscsi_update_cmdsn(session, (struct iscsi_nopin *)rhdr);
+	spin_unlock(&session->back_lock);
+
 	if (tcp_conn->in.datalen) {
 		iscsi_conn_printk(KERN_ERR, conn,
 				  "invalid R2t with datalen %d\n",
 				  tcp_conn->in.datalen);
-		return ISCSI_ERR_DATALEN;
+		rc = ISCSI_ERR_DATALEN;
+		goto put_task;
 	}
 
+	tcp_task = task->dd_data;
+	r2tsn = be32_to_cpu(rhdr->r2tsn);
 	if (tcp_task->exp_datasn != r2tsn){
 		ISCSI_DBG_TCP(conn, "task->exp_datasn(%d) != rhdr->r2tsn(%d)\n",
 			      tcp_task->exp_datasn, r2tsn);
-		return ISCSI_ERR_R2TSN;
+		rc = ISCSI_ERR_R2TSN;
+		goto put_task;
 	}
 
-	/* fill-in new R2T associated with the task */
-	iscsi_update_cmdsn(session, (struct iscsi_nopin*)rhdr);
-
 	if (!task->sc || session->state != ISCSI_STATE_LOGGED_IN) {
 		iscsi_conn_printk(KERN_INFO, conn,
 				  "dropping R2T itt %d in recovery.\n",
 				  task->itt);
-		return 0;
+		rc = 0;
+		goto put_task;
 	}
 
 	data_length = be32_to_cpu(rhdr->data_length);
 	if (data_length == 0) {
 		iscsi_conn_printk(KERN_ERR, conn,
 				  "invalid R2T with zero data len\n");
-		return ISCSI_ERR_DATALEN;
+		rc = ISCSI_ERR_DATALEN;
+		goto put_task;
 	}
 
 	if (data_length > session->max_burst)
@@ -579,7 +610,8 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
 				  "invalid R2T with data len %u at offset %u "
 				  "and total length %d\n", data_length,
 				  data_offset, task->sc->sdb.length);
-		return ISCSI_ERR_DATALEN;
+		rc = ISCSI_ERR_DATALEN;
+		goto put_task;
 	}
 
 	spin_lock(&tcp_task->pool2queue);
@@ -589,7 +621,8 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
 				  "Target has sent more R2Ts than it "
 				  "negotiated for or driver has leaked.\n");
 		spin_unlock(&tcp_task->pool2queue);
-		return ISCSI_ERR_PROTO;
+		rc = ISCSI_ERR_PROTO;
+		goto put_task;
 	}
 
 	r2t->exp_statsn = rhdr->statsn;
@@ -607,6 +640,10 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
 
 	iscsi_requeue_task(task);
 	return 0;
+
+put_task:
+	iscsi_put_task(task);
+	return rc;
 }
 
 /*
@@ -730,20 +767,11 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
 		rc = iscsi_complete_pdu(conn, hdr, NULL, 0);
 		break;
 	case ISCSI_OP_R2T:
-		spin_lock(&conn->session->back_lock);
-		task = iscsi_itt_to_ctask(conn, hdr->itt);
-		spin_unlock(&conn->session->back_lock);
-		if (!task)
-			rc = ISCSI_ERR_BAD_ITT;
-		else if (ahslen)
+		if (ahslen) {
 			rc = ISCSI_ERR_AHSLEN;
-		else if (task->sc->sc_data_direction == DMA_TO_DEVICE) {
-			task->last_xfer = jiffies;
-			spin_lock(&conn->session->frwd_lock);
-			rc = iscsi_tcp_r2t_rsp(conn, task);
-			spin_unlock(&conn->session->frwd_lock);
-		} else
-			rc = ISCSI_ERR_PROTO;
+			break;
+		}
+		rc = iscsi_tcp_r2t_rsp(conn, hdr);
 		break;
 	case ISCSI_OP_LOGIN_RSP:
 	case ISCSI_OP_TEXT_RSP:
diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h
index b3bbd10..44a9554 100644
--- a/include/scsi/libiscsi.h
+++ b/include/scsi/libiscsi.h
@@ -187,7 +187,7 @@ struct iscsi_conn {
 	struct iscsi_task	*task;		/* xmit task in progress */
 
 	/* xmit */
-	spinlock_t		taskqueuelock;  /* protects the next three lists */
+	/* items must be added/deleted under frwd lock */
 	struct list_head	mgmtqueue;	/* mgmt (control) xmit queue */
 	struct list_head	cmdqueue;	/* data-path cmd queue */
 	struct list_head	requeue;	/* tasks needing another run */
@@ -332,7 +332,7 @@ struct iscsi_session {
 						 * cmdsn, queued_cmdsn     *
 						 * session resources:      *
 						 * - cmdpool kfifo_out ,   *
-						 * - mgmtpool,		   */
+						 * - mgmtpool, queues	   */
 	spinlock_t		back_lock;	/* protects cmdsn_exp      *
 						 * cmdsn_max,              *
 						 * cmdpool kfifo_in        */
-- 
1.8.3.1

[PATCH 3/6 V3] libiscsi: fix iscsi_task use after free

[Mike Christie]

The following bug was reported and debugged by wubo40@huawei.com:

When testing kernel 4.18 version, NULL pointer dereference problem
occurs
in iscsi_eh_cmd_timed_out function.

I think this bug in the upstream is still exists.

The analysis reasons are as follows:
1)  For some reason, I/O command did not complete within
    the timeout period. The block layer timer works,
    call scsi_times_out() to handle I/O timeout logic.
    At the same time the command just completes.

2)  scsi_times_out() call iscsi_eh_cmd_timed_out()
    to processing timeout logic.  although there is an NULL judgment
        for the task, the task has not been released yet now.

3)  iscsi_complete_task() call __iscsi_put_task(),
    The task reference count reaches zero, the conditions for free task
    is met, then iscsi_free_task () free the task,
    and let sc->SCp.ptr = NULL. After iscsi_eh_cmd_timed_out passes
    the task judgment check, there may be NULL dereference scenarios
    later.

   CPU0                                                CPU3

    |- scsi_times_out()                                 |-
iscsi_complete_task()
    |                                                   |
    |- iscsi_eh_cmd_timed_out()                         |-
__iscsi_put_task()
    |                                                   |
    |- task=sc->SCp.ptr, task is not NUL, check passed  |-
iscsi_free_task(task)
    |                                                   |
    |                                                   |-> sc->SCp.ptr
= NULL
    |                                                   |
    |- task is NULL now, NULL pointer dereference       |
    |                                                   |
   \|/                                                 \|/

Calltrace:
[380751.840862] BUG: unable to handle kernel NULL pointer dereference at
0000000000000138
[380751.843709] PGD 0 P4D 0
[380751.844770] Oops: 0000 [#1] SMP PTI
[380751.846283] CPU: 0 PID: 403 Comm: kworker/0:1H Kdump: loaded
Tainted: G
[380751.851467] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[380751.856521] Workqueue: kblockd blk_mq_timeout_work
[380751.858527] RIP: 0010:iscsi_eh_cmd_timed_out+0x15e/0x2e0 [libiscsi]
[380751.861129] Code: 83 ea 01 48 8d 74 d0 08 48 8b 10 48 8b 4a 50 48 85
c9 74 2c 48 39 d5 74
[380751.868811] RSP: 0018:ffffc1e280a5fd58 EFLAGS: 00010246
[380751.870978] RAX: ffff9fd1e84e15e0 RBX: ffff9fd1e84e6dd0 RCX:
0000000116acc580
[380751.873791] RDX: ffff9fd1f97a9400 RSI: ffff9fd1e84e1800 RDI:
ffff9fd1e4d6d420
[380751.876059] RBP: ffff9fd1e4d49000 R08: 0000000116acc580 R09:
0000000116acc580
[380751.878284] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff9fd1e6e931e8
[380751.880500] R13: ffff9fd1e84e6ee0 R14: 0000000000000010 R15:
0000000000000003
[380751.882687] FS:  0000000000000000(0000) GS:ffff9fd1fac00000(0000)
knlGS:0000000000000000
[380751.885236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[380751.887059] CR2: 0000000000000138 CR3: 000000011860a001 CR4:
00000000003606f0
[380751.889308] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[380751.891523] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[380751.893738] Call Trace:
[380751.894639]  scsi_times_out+0x60/0x1c0
[380751.895861]  blk_mq_check_expired+0x144/0x200
[380751.897302]  ? __switch_to_asm+0x35/0x70
[380751.898551]  blk_mq_queue_tag_busy_iter+0x195/0x2e0
[380751.900091]  ? __blk_mq_requeue_request+0x100/0x100
[380751.901611]  ? __switch_to_asm+0x41/0x70
[380751.902853]  ? __blk_mq_requeue_request+0x100/0x100
[380751.904398]  blk_mq_timeout_work+0x54/0x130
[380751.905740]  process_one_work+0x195/0x390
[380751.907228]  worker_thread+0x30/0x390
[380751.908713]  ? process_one_work+0x390/0x390
[380751.910350]  kthread+0x10d/0x130
[380751.911470]  ? kthread_flush_work_fn+0x10/0x10
[380751.913007]  ret_from_fork+0x35/0x40

crash> dis -l iscsi_eh_cmd_timed_out+0x15e
xxxxx/drivers/scsi/libiscsi.c: 2062

1970 enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd
*sc)
{
...
1984         spin_lock_bh(&session->frwd_lock);
1985         task = (struct iscsi_task *)sc->SCp.ptr;
1986         if (!task) {
1987                 /*
1988                  * Raced with completion. Blk layer has taken
ownership
1989                  * so let timeout code complete it now.
1990                  */
1991                 rc = BLK_EH_DONE;
1992                 goto done;
1993         }

...

2052         for (i = 0; i < conn->session->cmds_max; i++) {
2053                 running_task = conn->session->cmds[i];
2054                 if (!running_task->sc || running_task == task ||
2055                      running_task->state != ISCSI_TASK_RUNNING)
2056                         continue;
2057
2058                 /*
2059                  * Only check if cmds started before this one have
made
2060                  * progress, or this could never fail
2061                  */
2062                 if (time_after(running_task->sc->jiffies_at_alloc,
2063                                task->sc->jiffies_at_alloc))    <---
2064                         continue;
2065
...
}

carsh> struct scsi_cmnd ffff9fd1e6e931e8
struct scsi_cmnd {
  ...
  SCp = {
    ptr = 0x0,   <--- iscsi_task
    this_residual = 0,
    ...
  },
}

To prevent this, we take a ref to the cmd under the back (completion)
lock so if the completion side were to call iscsi_complete_task on the
task while the timer/eh paths are not holding the back_lock it will
not be freed from under us.

Note that this requires the previous patch, "libiscsi: drop
taskqueuelock" because bnx2i sleeps in its cleanup_task callout if the
cmd is aborted. If the EH/timer and completion path are racing we don't
know which path will do the last put. The previous patch moved the
operations we needed to do under the forward lock to cleanup_queued_task.
Once that has run we can drop the forward lock for the cmd and bnx2i no
longer has to worry about if the EH, timer or completion path did the
ast put and if the forward lock is held or not since it won't be.

Reported-by: Wu Bo <wubo40@huawei.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
---
 drivers/scsi/bnx2i/bnx2i_iscsi.c |  2 --
 drivers/scsi/libiscsi.c          | 71 +++++++++++++++++++++++++---------------
 2 files changed, 45 insertions(+), 28 deletions(-)

diff --git a/drivers/scsi/bnx2i/bnx2i_iscsi.c b/drivers/scsi/bnx2i/bnx2i_iscsi.c
index fdd4467..1e6d8f6 100644
--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c
+++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c
@@ -1171,10 +1171,8 @@ static void bnx2i_cleanup_task(struct iscsi_task *task)
 		bnx2i_send_cmd_cleanup_req(hba, task->dd_data);
 
 		spin_unlock_bh(&conn->session->back_lock);
-		spin_unlock_bh(&conn->session->frwd_lock);
 		wait_for_completion_timeout(&bnx2i_conn->cmd_cleanup_cmpl,
 				msecs_to_jiffies(ISCSI_CMD_CLEANUP_TIMEOUT));
-		spin_lock_bh(&conn->session->frwd_lock);
 		spin_lock_bh(&conn->session->back_lock);
 	}
 	bnx2i_iscsi_unmap_sg_list(task->dd_data);
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 5582e4f..796465e 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -587,9 +587,8 @@ static bool cleanup_queued_task(struct iscsi_task *task)
 }
 
 /*
- * session frwd_lock must be held and if not called for a task that is
- * still pending or from the xmit thread, then xmit thread must
- * be suspended.
+ * session frwd lock must be held and if not called for a task that is still
+ * pending or from the xmit thread, then xmit thread must be suspended
  */
 static void fail_scsi_task(struct iscsi_task *task, int err)
 {
@@ -597,16 +596,6 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
 	struct scsi_cmnd *sc;
 	int state;
 
-	/*
-	 * if a command completes and we get a successful tmf response
-	 * we will hit this because the scsi eh abort code does not take
-	 * a ref to the task.
-	 */
-	sc = task->sc;
-	if (!sc)
-		return;
-
-	/* regular RX path uses back_lock */
 	spin_lock_bh(&conn->session->back_lock);
 	if (cleanup_queued_task(task)) {
 		spin_unlock_bh(&conn->session->back_lock);
@@ -626,6 +615,7 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
 	else
 		state = ISCSI_TASK_ABRT_TMF;
 
+	sc = task->sc;
 	sc->result = err << 16;
 	scsi_set_resid(sc, scsi_bufflen(sc));
 	iscsi_complete_task(task, state);
@@ -1893,27 +1883,39 @@ static int iscsi_exec_task_mgmt_fn(struct iscsi_conn *conn,
 }
 
 /*
- * Fail commands. session lock held and recv side suspended and xmit
- * thread flushed
+ * Fail commands. session frwd lock held and xmit thread flushed.
  */
 static void fail_scsi_tasks(struct iscsi_conn *conn, u64 lun, int error)
 {
+	struct iscsi_session *session = conn->session;
 	struct iscsi_task *task;
 	int i;
 
-	for (i = 0; i < conn->session->cmds_max; i++) {
-		task = conn->session->cmds[i];
+	spin_lock_bh(&session->back_lock);
+	for (i = 0; i < session->cmds_max; i++) {
+		task = session->cmds[i];
 		if (!task->sc || task->state == ISCSI_TASK_FREE)
 			continue;
 
 		if (lun != -1 && lun != task->sc->device->lun)
 			continue;
 
-		ISCSI_DBG_SESSION(conn->session,
+		__iscsi_get_task(task);
+		spin_unlock_bh(&session->back_lock);
+
+		ISCSI_DBG_SESSION(session,
 				  "failing sc %p itt 0x%x state %d\n",
 				  task->sc, task->itt, task->state);
 		fail_scsi_task(task, error);
+
+		spin_unlock_bh(&session->frwd_lock);
+		iscsi_put_task(task);
+		spin_lock_bh(&session->frwd_lock);
+
+		spin_lock_bh(&session->back_lock);
 	}
+
+	spin_unlock_bh(&session->back_lock);
 }
 
 /**
@@ -1991,6 +1993,7 @@ enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
 	ISCSI_DBG_EH(session, "scsi cmd %p timedout\n", sc);
 
 	spin_lock_bh(&session->frwd_lock);
+	spin_lock(&session->back_lock);
 	task = (struct iscsi_task *)sc->SCp.ptr;
 	if (!task) {
 		/*
@@ -1998,8 +2001,11 @@ enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
 		 * so let timeout code complete it now.
 		 */
 		rc = BLK_EH_DONE;
+		spin_unlock(&session->back_lock);
 		goto done;
 	}
+	__iscsi_get_task(task);
+	spin_unlock(&session->back_lock);
 
 	if (session->state != ISCSI_STATE_LOGGED_IN) {
 		/*
@@ -2058,6 +2064,7 @@ enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
 		goto done;
 	}
 
+	spin_lock(&session->back_lock);
 	for (i = 0; i < conn->session->cmds_max; i++) {
 		running_task = conn->session->cmds[i];
 		if (!running_task->sc || running_task == task ||
@@ -2090,10 +2097,12 @@ enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
 				     "last xfer %lu/%lu. Last check %lu.\n",
 				     task->last_xfer, running_task->last_xfer,
 				     task->last_timeout);
+			spin_unlock(&session->back_lock);
 			rc = BLK_EH_RESET_TIMER;
 			goto done;
 		}
 	}
+	spin_unlock(&session->back_lock);
 
 	/* Assumes nop timeout is shorter than scsi cmd timeout */
 	if (task->have_checked_conn)
@@ -2115,9 +2124,12 @@ enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
 	rc = BLK_EH_RESET_TIMER;
 
 done:
-	if (task)
-		task->last_timeout = jiffies;
 	spin_unlock_bh(&session->frwd_lock);
+
+	if (task) {
+		task->last_timeout = jiffies;
+		iscsi_put_task(task);
+	}
 	ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ?
 		     "timer reset" : "shutdown or nh");
 	return rc;
@@ -2225,15 +2237,20 @@ int iscsi_eh_abort(struct scsi_cmnd *sc)
 	conn->eh_abort_cnt++;
 	age = session->age;
 
+	spin_lock(&session->back_lock);
 	task = (struct iscsi_task *)sc->SCp.ptr;
-	ISCSI_DBG_EH(session, "aborting [sc %p itt 0x%x]\n",
-		     sc, task->itt);
-
-	/* task completed before time out */
-	if (!task->sc) {
+	if (!task || !task->sc) {
+		/* task completed before time out */
 		ISCSI_DBG_EH(session, "sc completed while abort in progress\n");
-		goto success;
+
+		spin_unlock(&session->back_lock);
+		spin_unlock_bh(&session->frwd_lock);
+		mutex_unlock(&session->eh_mutex);
+		return SUCCESS;
 	}
+	ISCSI_DBG_EH(session, "aborting [sc %p itt 0x%x]\n", sc, task->itt);
+	__iscsi_get_task(task);
+	spin_unlock(&session->back_lock);
 
 	if (task->state == ISCSI_TASK_PENDING) {
 		fail_scsi_task(task, DID_ABORT);
@@ -2295,6 +2312,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc)
 success_unlocked:
 	ISCSI_DBG_EH(session, "abort success [sc %p itt 0x%x]\n",
 		     sc, task->itt);
+	iscsi_put_task(task);
 	mutex_unlock(&session->eh_mutex);
 	return SUCCESS;
 
@@ -2303,6 +2321,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc)
 failed_unlocked:
 	ISCSI_DBG_EH(session, "abort failed [sc %p itt 0x%x]\n", sc,
 		     task ? task->itt : 0);
+	iscsi_put_task(task);
 	mutex_unlock(&session->eh_mutex);
 	return FAILED;
 }
-- 
1.8.3.1

[PATCH 4/6 V3] libiscsi: add helper to calc max scsi cmds per session

[Mike Christie]

This patch just breaks out the code that calculates the number
of scsi cmds that will be used for a scsi session. It also adds
a check that we don't go over the host's can_queue value.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
---
 drivers/scsi/libiscsi.c | 81 ++++++++++++++++++++++++++++++-------------------
 include/scsi/libiscsi.h |  2 ++
 2 files changed, 51 insertions(+), 32 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 796465e..f1ade91 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2648,6 +2648,51 @@ void iscsi_pool_free(struct iscsi_pool *q)
 }
 EXPORT_SYMBOL_GPL(iscsi_pool_free);
 
+int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
+				 uint16_t requested_cmds_max)
+{
+	int scsi_cmds, total_cmds = requested_cmds_max;
+
+	if (!total_cmds)
+		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
+	/*
+	 * The iscsi layer needs some tasks for nop handling and tmfs,
+	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
+	 * + 1 command for scsi IO.
+	 */
+	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
+		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of two that is at least %d.\n",
+		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
+		return -EINVAL;
+	}
+
+	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
+		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2 less than or equal to %d.\n",
+		       requested_cmds_max, ISCSI_TOTAL_CMDS_MAX);
+		total_cmds = ISCSI_TOTAL_CMDS_MAX;
+	}
+
+	if (!is_power_of_2(total_cmds)) {
+		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2.\n",
+		       total_cmds);
+		total_cmds = rounddown_pow_of_two(total_cmds);
+		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
+			return -EINVAL;
+		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
+		       total_cmds);
+	}
+
+	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
+	if (shost->can_queue && scsi_cmds > shost->can_queue) {
+		scsi_cmds = shost->can_queue - ISCSI_MGMT_CMDS_MAX;
+		printk(KERN_INFO "iscsi: requested cmds_max %u higher than driver limit. Using driver max %u\n",
+		       requested_cmds_max, shost->can_queue);
+	}
+
+	return scsi_cmds;
+}
+EXPORT_SYMBOL_GPL(iscsi_host_get_max_scsi_cmds);
+
 /**
  * iscsi_host_add - add host to system
  * @shost: scsi host
@@ -2800,7 +2845,7 @@ struct iscsi_cls_session *
 	struct iscsi_host *ihost = shost_priv(shost);
 	struct iscsi_session *session;
 	struct iscsi_cls_session *cls_session;
-	int cmd_i, scsi_cmds, total_cmds = cmds_max;
+	int cmd_i, scsi_cmds;
 	unsigned long flags;
 
 	spin_lock_irqsave(&ihost->lock, flags);
@@ -2811,37 +2856,9 @@ struct iscsi_cls_session *
 	ihost->num_sessions++;
 	spin_unlock_irqrestore(&ihost->lock, flags);
 
-	if (!total_cmds)
-		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
-	/*
-	 * The iscsi layer needs some tasks for nop handling and tmfs,
-	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
-	 * + 1 command for scsi IO.
-	 */
-	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
-		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
-		       "must be a power of two that is at least %d.\n",
-		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
+	scsi_cmds = iscsi_host_get_max_scsi_cmds(shost, cmds_max);
+	if (scsi_cmds < 0)
 		goto dec_session_count;
-	}
-
-	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
-		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
-		       "must be a power of 2 less than or equal to %d.\n",
-		       cmds_max, ISCSI_TOTAL_CMDS_MAX);
-		total_cmds = ISCSI_TOTAL_CMDS_MAX;
-	}
-
-	if (!is_power_of_2(total_cmds)) {
-		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
-		       "must be a power of 2.\n", total_cmds);
-		total_cmds = rounddown_pow_of_two(total_cmds);
-		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
-			goto dec_session_count;
-		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
-		       total_cmds);
-	}
-	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
 
 	cls_session = iscsi_alloc_session(shost, iscsit,
 					  sizeof(struct iscsi_session) +
@@ -2857,7 +2874,7 @@ struct iscsi_cls_session *
 	session->lu_reset_timeout = 15;
 	session->abort_timeout = 10;
 	session->scsi_cmds_max = scsi_cmds;
-	session->cmds_max = total_cmds;
+	session->cmds_max = scsi_cmds + ISCSI_MGMT_CMDS_MAX;
 	session->queued_cmdsn = session->cmdsn = initial_cmdsn;
 	session->exp_cmdsn = initial_cmdsn + 1;
 	session->max_cmdsn = initial_cmdsn + 1;
diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h
index 44a9554..02f966e 100644
--- a/include/scsi/libiscsi.h
+++ b/include/scsi/libiscsi.h
@@ -395,6 +395,8 @@ extern struct Scsi_Host *iscsi_host_alloc(struct scsi_host_template *sht,
 extern void iscsi_host_remove(struct Scsi_Host *shost);
 extern void iscsi_host_free(struct Scsi_Host *shost);
 extern int iscsi_target_alloc(struct scsi_target *starget);
+extern int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
+					uint16_t requested_cmds_max);
 
 /*
  * session management
-- 
1.8.3.1

[PATCH 5/6 V3] iscsi_tcp: fix shost can_queue initialization

[Mike Christie]

We are setting the shost's can_queue after we add the host which is
too late, because scsi-ml will have allocated the tag set based on
the can_queue value at that time. This patch has us use the
iscsi_host_get_max_scsi_cmds helper to figure out the number of
scsi cmds, so we can set it properly. We should now not be limited
to 128 cmds per session.

It also fixes up the template can_queue so it reflects the max scsi
cmds we can support like how other drivers work.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
---
 drivers/scsi/iscsi_tcp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index df47557..7a5aec7 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -847,6 +847,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 	struct iscsi_session *session;
 	struct iscsi_sw_tcp_host *tcp_sw_host;
 	struct Scsi_Host *shost;
+	int rc;
 
 	if (ep) {
 		printk(KERN_ERR "iscsi_tcp: invalid ep %p.\n", ep);
@@ -864,6 +865,11 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 	shost->max_channel = 0;
 	shost->max_cmd_len = SCSI_MAX_VARLEN_CDB_SIZE;
 
+	rc = iscsi_host_get_max_scsi_cmds(shost, cmds_max);
+	if (rc < 0)
+		goto free_host;
+	shost->can_queue = rc;
+
 	if (iscsi_host_add(shost, NULL))
 		goto free_host;
 
@@ -878,7 +884,6 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 	tcp_sw_host = iscsi_host_priv(shost);
 	tcp_sw_host->session = session;
 
-	shost->can_queue = session->scsi_cmds_max;
 	if (iscsi_tcp_r2tpool_alloc(session))
 		goto remove_session;
 	return cls_session;
@@ -981,7 +986,7 @@ static int iscsi_sw_tcp_slave_configure(struct scsi_device *sdev)
 	.name			= "iSCSI Initiator over TCP/IP",
 	.queuecommand           = iscsi_queuecommand,
 	.change_queue_depth	= scsi_change_queue_depth,
-	.can_queue		= ISCSI_DEF_XMIT_CMDS_MAX - 1,
+	.can_queue		= ISCSI_TOTAL_CMDS_MAX - ISCSI_MGMT_CMDS_MAX,
 	.sg_tablesize		= 4096,
 	.max_sectors		= 0xFFFF,
 	.cmd_per_lun		= ISCSI_DEF_CMD_PER_LUN,
-- 
1.8.3.1

[PATCH 6/6 V3] libiscsi: reset max/exp cmdsn during recovery

[Mike Christie]

If we lose the session then relogin, but the new cmdsn window has
shrunk (due to something like an admin changing a setting) we will
have the old exp/max_cmdsn values and will never be able to update
them. For example, max_cmdsn would be 64, but if on the target the
user set the window to be smaller then the target could try to return
the max_cmdsn as 32. We will see that new max_cmdsn in the rsp but
because it's lower than the old max_cmdsn when the window was larger
we will not update it.

So this patch has us reset the windown values during session
cleanup so they can be updated after a new login.

Signed-off-by: Mike Christie <michael.christie@oracle.com>
---
 drivers/scsi/libiscsi.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index f1ade91..ff6ba78 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -3268,6 +3268,13 @@ int iscsi_conn_bind(struct iscsi_cls_session *cls_session,
 	spin_unlock_bh(&session->frwd_lock);
 
 	/*
+	 * The target could have reduced it's window size between logins, so
+	 * we have to reset max/exp cmdsn so we can see the new values.
+	 */
+	spin_lock_bh(&session->back_lock);
+	session->max_cmdsn = session->exp_cmdsn = session->cmdsn + 1;
+	spin_unlock_bh(&session->back_lock);
+	/*
 	 * Unblock xmitworker(), Login Phase will pass through.
 	 */
 	clear_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx);
-- 
1.8.3.1

Re: [PATCH 4/6 V3] libiscsi: add helper to calc max scsi cmds per session

[Lee Duncan]

On 12/20/20 6:37 PM, Mike Christie wrote:
> This patch just breaks out the code that calculates the number
> of scsi cmds that will be used for a scsi session. It also adds
> a check that we don't go over the host's can_queue value.

I'm curious. It's a "good thing" to check the command count in a better
way now, but was there any known instance of the count miscalculation in
the current code causing issues?

> 
> Signed-off-by: Mike Christie <michael.christie@oracle.com>
> ---
>  drivers/scsi/libiscsi.c | 81 ++++++++++++++++++++++++++++++-------------------
>  include/scsi/libiscsi.h |  2 ++
>  2 files changed, 51 insertions(+), 32 deletions(-)
> 
> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
> index 796465e..f1ade91 100644
> --- a/drivers/scsi/libiscsi.c
> +++ b/drivers/scsi/libiscsi.c
> @@ -2648,6 +2648,51 @@ void iscsi_pool_free(struct iscsi_pool *q)
>  }
>  EXPORT_SYMBOL_GPL(iscsi_pool_free);
>  
> +int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
> +				 uint16_t requested_cmds_max)
> +{
> +	int scsi_cmds, total_cmds = requested_cmds_max;
> +
> +	if (!total_cmds)
> +		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
> +	/*
> +	 * The iscsi layer needs some tasks for nop handling and tmfs,
> +	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
> +	 * + 1 command for scsi IO.
> +	 */
> +	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of two that is at least %d.\n",
> +		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
> +		return -EINVAL;
> +	}
> +
> +	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2 less than or equal to %d.\n",
> +		       requested_cmds_max, ISCSI_TOTAL_CMDS_MAX);
> +		total_cmds = ISCSI_TOTAL_CMDS_MAX;
> +	}
> +
> +	if (!is_power_of_2(total_cmds)) {
> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2.\n",
> +		       total_cmds);
> +		total_cmds = rounddown_pow_of_two(total_cmds);
> +		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
> +			return -EINVAL;
> +		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
> +		       total_cmds);
> +	}
> +
> +	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
> +	if (shost->can_queue && scsi_cmds > shost->can_queue) {
> +		scsi_cmds = shost->can_queue - ISCSI_MGMT_CMDS_MAX;
> +		printk(KERN_INFO "iscsi: requested cmds_max %u higher than driver limit. Using driver max %u\n",
> +		       requested_cmds_max, shost->can_queue);
> +	}

If the device can queue, what if "can_queue" is equal to or less than
ISCSI_MGMT_CMDS_MAX?

> +
> +	return scsi_cmds;
> +}
> +EXPORT_SYMBOL_GPL(iscsi_host_get_max_scsi_cmds);
> +
>  /**
>   * iscsi_host_add - add host to system
>   * @shost: scsi host
> @@ -2800,7 +2845,7 @@ struct iscsi_cls_session *
>  	struct iscsi_host *ihost = shost_priv(shost);
>  	struct iscsi_session *session;
>  	struct iscsi_cls_session *cls_session;
> -	int cmd_i, scsi_cmds, total_cmds = cmds_max;
> +	int cmd_i, scsi_cmds;
>  	unsigned long flags;
>  
>  	spin_lock_irqsave(&ihost->lock, flags);
> @@ -2811,37 +2856,9 @@ struct iscsi_cls_session *
>  	ihost->num_sessions++;
>  	spin_unlock_irqrestore(&ihost->lock, flags);
>  
> -	if (!total_cmds)
> -		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
> -	/*
> -	 * The iscsi layer needs some tasks for nop handling and tmfs,
> -	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
> -	 * + 1 command for scsi IO.
> -	 */
> -	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
> -		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
> -		       "must be a power of two that is at least %d.\n",
> -		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
> +	scsi_cmds = iscsi_host_get_max_scsi_cmds(shost, cmds_max);
> +	if (scsi_cmds < 0)
>  		goto dec_session_count;

Should this be "scsi_cmds <= 0" ? Having zero commands doesn't seem good.

> -	}
> -
> -	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
> -		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
> -		       "must be a power of 2 less than or equal to %d.\n",
> -		       cmds_max, ISCSI_TOTAL_CMDS_MAX);
> -		total_cmds = ISCSI_TOTAL_CMDS_MAX;
> -	}
> -
> -	if (!is_power_of_2(total_cmds)) {
> -		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue "
> -		       "must be a power of 2.\n", total_cmds);
> -		total_cmds = rounddown_pow_of_two(total_cmds);
> -		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
> -			goto dec_session_count;
> -		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
> -		       total_cmds);
> -	}
> -	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
>  
>  	cls_session = iscsi_alloc_session(shost, iscsit,
>  					  sizeof(struct iscsi_session) +
> @@ -2857,7 +2874,7 @@ struct iscsi_cls_session *
>  	session->lu_reset_timeout = 15;
>  	session->abort_timeout = 10;
>  	session->scsi_cmds_max = scsi_cmds;
> -	session->cmds_max = total_cmds;
> +	session->cmds_max = scsi_cmds + ISCSI_MGMT_CMDS_MAX;
>  	session->queued_cmdsn = session->cmdsn = initial_cmdsn;
>  	session->exp_cmdsn = initial_cmdsn + 1;
>  	session->max_cmdsn = initial_cmdsn + 1;
> diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h
> index 44a9554..02f966e 100644
> --- a/include/scsi/libiscsi.h
> +++ b/include/scsi/libiscsi.h
> @@ -395,6 +395,8 @@ extern struct Scsi_Host *iscsi_host_alloc(struct scsi_host_template *sht,
>  extern void iscsi_host_remove(struct Scsi_Host *shost);
>  extern void iscsi_host_free(struct Scsi_Host *shost);
>  extern int iscsi_target_alloc(struct scsi_target *starget);
> +extern int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
> +					uint16_t requested_cmds_max);
>  
>  /*
>   * session management
> 

Re: [PATCH 5/6 V3] iscsi_tcp: fix shost can_queue initialization

[Lee Duncan]

On 12/20/20 6:37 PM, Mike Christie wrote:
> We are setting the shost's can_queue after we add the host which is
> too late, because scsi-ml will have allocated the tag set based on
> the can_queue value at that time. This patch has us use the
> iscsi_host_get_max_scsi_cmds helper to figure out the number of
> scsi cmds, so we can set it properly. We should now not be limited
> to 128 cmds per session.
> 
> It also fixes up the template can_queue so it reflects the max scsi
> cmds we can support like how other drivers work.
> 
> Signed-off-by: Mike Christie <michael.christie@oracle.com>
> ---
>  drivers/scsi/iscsi_tcp.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
> index df47557..7a5aec7 100644
> --- a/drivers/scsi/iscsi_tcp.c
> +++ b/drivers/scsi/iscsi_tcp.c
> @@ -847,6 +847,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
>  	struct iscsi_session *session;
>  	struct iscsi_sw_tcp_host *tcp_sw_host;
>  	struct Scsi_Host *shost;
> +	int rc;
>  
>  	if (ep) {
>  		printk(KERN_ERR "iscsi_tcp: invalid ep %p.\n", ep);
> @@ -864,6 +865,11 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
>  	shost->max_channel = 0;
>  	shost->max_cmd_len = SCSI_MAX_VARLEN_CDB_SIZE;
>  
> +	rc = iscsi_host_get_max_scsi_cmds(shost, cmds_max);
> +	if (rc < 0)
> +		goto free_host;

Same question as in Patch 4: Is having "0" max scsi commands ok?

> +	shost->can_queue = rc;
> +
>  	if (iscsi_host_add(shost, NULL))
>  		goto free_host;
>  
> @@ -878,7 +884,6 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
>  	tcp_sw_host = iscsi_host_priv(shost);
>  	tcp_sw_host->session = session;
>  
> -	shost->can_queue = session->scsi_cmds_max;
>  	if (iscsi_tcp_r2tpool_alloc(session))
>  		goto remove_session;
>  	return cls_session;
> @@ -981,7 +986,7 @@ static int iscsi_sw_tcp_slave_configure(struct scsi_device *sdev)
>  	.name			= "iSCSI Initiator over TCP/IP",
>  	.queuecommand           = iscsi_queuecommand,
>  	.change_queue_depth	= scsi_change_queue_depth,
> -	.can_queue		= ISCSI_DEF_XMIT_CMDS_MAX - 1,
> +	.can_queue		= ISCSI_TOTAL_CMDS_MAX - ISCSI_MGMT_CMDS_MAX,
>  	.sg_tablesize		= 4096,
>  	.max_sectors		= 0xFFFF,
>  	.cmd_per_lun		= ISCSI_DEF_CMD_PER_LUN,
> 

Re: [PATCH 6/6 V3] libiscsi: reset max/exp cmdsn during recovery

[Lee Duncan]

On 12/20/20 6:37 PM, Mike Christie wrote:
> If we lose the session then relogin, but the new cmdsn window has
> shrunk (due to something like an admin changing a setting) we will
> have the old exp/max_cmdsn values and will never be able to update
> them. For example, max_cmdsn would be 64, but if on the target the
> user set the window to be smaller then the target could try to return
> the max_cmdsn as 32. We will see that new max_cmdsn in the rsp but
> because it's lower than the old max_cmdsn when the window was larger
> we will not update it.
> 
> So this patch has us reset the windown values during session
> cleanup so they can be updated after a new login.
> 
> Signed-off-by: Mike Christie <michael.christie@oracle.com>
> ---
>  drivers/scsi/libiscsi.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
> index f1ade91..ff6ba78 100644
> --- a/drivers/scsi/libiscsi.c
> +++ b/drivers/scsi/libiscsi.c
> @@ -3268,6 +3268,13 @@ int iscsi_conn_bind(struct iscsi_cls_session *cls_session,
>  	spin_unlock_bh(&session->frwd_lock);
>  
>  	/*
> +	 * The target could have reduced it's window size between logins, so
> +	 * we have to reset max/exp cmdsn so we can see the new values.
> +	 */
> +	spin_lock_bh(&session->back_lock);
> +	session->max_cmdsn = session->exp_cmdsn = session->cmdsn + 1;
> +	spin_unlock_bh(&session->back_lock);
> +	/*
>  	 * Unblock xmitworker(), Login Phase will pass through.
>  	 */
>  	clear_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx);
> 

Reviewed-by: Lee Duncan <lduncan@suse.com>

Re: [PATCH 4/6 V3] libiscsi: add helper to calc max scsi cmds per session

[Mike Christie]

On 1/5/21 4:53 PM, Lee Duncan wrote:
> On 12/20/20 6:37 PM, Mike Christie wrote:
>> This patch just breaks out the code that calculates the number
>> of scsi cmds that will be used for a scsi session. It also adds
>> a check that we don't go over the host's can_queue value.
> 
> I'm curious. It's a "good thing" to check the command count in a better
> way now, but was there any known instance of the count miscalculation in
> the current code causing issues?

No one has hit any issues. It's so userspace knows it's not going to
get the requested value.

> 
>>
>> Signed-off-by: Mike Christie <michael.christie@oracle.com>
>> ---
>>  drivers/scsi/libiscsi.c | 81 ++++++++++++++++++++++++++++++-------------------
>>  include/scsi/libiscsi.h |  2 ++
>>  2 files changed, 51 insertions(+), 32 deletions(-)
>>
>> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
>> index 796465e..f1ade91 100644
>> --- a/drivers/scsi/libiscsi.c
>> +++ b/drivers/scsi/libiscsi.c
>> @@ -2648,6 +2648,51 @@ void iscsi_pool_free(struct iscsi_pool *q)
>>  }
>>  EXPORT_SYMBOL_GPL(iscsi_pool_free);
>>  
>> +int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
>> +				 uint16_t requested_cmds_max)
>> +{
>> +	int scsi_cmds, total_cmds = requested_cmds_max;
>> +
>> +	if (!total_cmds)
>> +		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
>> +	/*
>> +	 * The iscsi layer needs some tasks for nop handling and tmfs,
>> +	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
>> +	 * + 1 command for scsi IO.
>> +	 */
>> +	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of two that is at least %d.\n",
>> +		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
>> +		return -EINVAL;
>> +	}
>> +
>> +	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2 less than or equal to %d.\n",
>> +		       requested_cmds_max, ISCSI_TOTAL_CMDS_MAX);
>> +		total_cmds = ISCSI_TOTAL_CMDS_MAX;
>> +	}
>> +
>> +	if (!is_power_of_2(total_cmds)) {
>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2.\n",
>> +		       total_cmds);
>> +		total_cmds = rounddown_pow_of_two(total_cmds);
>> +		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
>> +			return -EINVAL;
>> +		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
>> +		       total_cmds);
>> +	}
>> +
>> +	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
>> +	if (shost->can_queue && scsi_cmds > shost->can_queue) {
>> +		scsi_cmds = shost->can_queue - ISCSI_MGMT_CMDS_MAX;
>> +		printk(KERN_INFO "iscsi: requested cmds_max %u higher than driver limit. Using driver max %u\n",
>> +		       requested_cmds_max, shost->can_queue);
>> +	}
> 
> If the device can queue, what if "can_queue" is equal to or less than
> ISCSI_MGMT_CMDS_MAX?
>

It wouldn't be possible, because the drivers set their can_queue a lot higher
than ISCSI_MGMT_CMDS_MAX, but for this and the other comment I'll fix up the
check/code.

Re: [PATCH 5/6 V3] iscsi_tcp: fix shost can_queue initialization

[Mike Christie]

On 1/5/21 4:55 PM, Lee Duncan wrote:
> On 12/20/20 6:37 PM, Mike Christie wrote:
>> We are setting the shost's can_queue after we add the host which is
>> too late, because scsi-ml will have allocated the tag set based on
>> the can_queue value at that time. This patch has us use the
>> iscsi_host_get_max_scsi_cmds helper to figure out the number of
>> scsi cmds, so we can set it properly. We should now not be limited
>> to 128 cmds per session.
>>
>> It also fixes up the template can_queue so it reflects the max scsi
>> cmds we can support like how other drivers work.
>>
>> Signed-off-by: Mike Christie <michael.christie@oracle.com>
>> ---
>>  drivers/scsi/iscsi_tcp.c | 9 +++++++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
>> index df47557..7a5aec7 100644
>> --- a/drivers/scsi/iscsi_tcp.c
>> +++ b/drivers/scsi/iscsi_tcp.c
>> @@ -847,6 +847,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
>>  	struct iscsi_session *session;
>>  	struct iscsi_sw_tcp_host *tcp_sw_host;
>>  	struct Scsi_Host *shost;
>> +	int rc;
>>  
>>  	if (ep) {
>>  		printk(KERN_ERR "iscsi_tcp: invalid ep %p.\n", ep);
>> @@ -864,6 +865,11 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
>>  	shost->max_channel = 0;
>>  	shost->max_cmd_len = SCSI_MAX_VARLEN_CDB_SIZE;
>>  
>> +	rc = iscsi_host_get_max_scsi_cmds(shost, cmds_max);
>> +	if (rc < 0)
>> +		goto free_host;
> 
> Same question as in Patch 4: Is having "0" max scsi commands ok?
> 

This could hit zero. I think before we would end up where no cmds
would be executed. They would just be stuck in the queues because
the target->can_queue limit would always be hit. I'll fix that up too.

Re: [PATCH 4/6 V3] libiscsi: add helper to calc max scsi cmds per session

[Mike Christie]

On 1/5/21 5:18 PM, Mike Christie wrote:
> On 1/5/21 4:53 PM, Lee Duncan wrote:
>> On 12/20/20 6:37 PM, Mike Christie wrote:
>>> This patch just breaks out the code that calculates the number
>>> of scsi cmds that will be used for a scsi session. It also adds
>>> a check that we don't go over the host's can_queue value.
>>
>> I'm curious. It's a "good thing" to check the command count in a better
>> way now, but was there any known instance of the count miscalculation in
>> the current code causing issues?
> 
> No one has hit any issues. It's so userspace knows it's not going to
> get the requested value.
> 
>>
>>>
>>> Signed-off-by: Mike Christie <michael.christie@oracle.com>
>>> ---
>>>  drivers/scsi/libiscsi.c | 81 ++++++++++++++++++++++++++++++-------------------
>>>  include/scsi/libiscsi.h |  2 ++
>>>  2 files changed, 51 insertions(+), 32 deletions(-)
>>>
>>> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
>>> index 796465e..f1ade91 100644
>>> --- a/drivers/scsi/libiscsi.c
>>> +++ b/drivers/scsi/libiscsi.c
>>> @@ -2648,6 +2648,51 @@ void iscsi_pool_free(struct iscsi_pool *q)
>>>  }
>>>  EXPORT_SYMBOL_GPL(iscsi_pool_free);
>>>  
>>> +int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost,
>>> +				 uint16_t requested_cmds_max)
>>> +{
>>> +	int scsi_cmds, total_cmds = requested_cmds_max;
>>> +
>>> +	if (!total_cmds)
>>> +		total_cmds = ISCSI_DEF_XMIT_CMDS_MAX;
>>> +	/*
>>> +	 * The iscsi layer needs some tasks for nop handling and tmfs,
>>> +	 * so the cmds_max must at least be greater than ISCSI_MGMT_CMDS_MAX
>>> +	 * + 1 command for scsi IO.
>>> +	 */
>>> +	if (total_cmds < ISCSI_TOTAL_CMDS_MIN) {
>>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of two that is at least %d.\n",
>>> +		       total_cmds, ISCSI_TOTAL_CMDS_MIN);
>>> +		return -EINVAL;
>>> +	}
>>> +
>>> +	if (total_cmds > ISCSI_TOTAL_CMDS_MAX) {
>>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2 less than or equal to %d.\n",
>>> +		       requested_cmds_max, ISCSI_TOTAL_CMDS_MAX);
>>> +		total_cmds = ISCSI_TOTAL_CMDS_MAX;
>>> +	}
>>> +
>>> +	if (!is_power_of_2(total_cmds)) {
>>> +		printk(KERN_ERR "iscsi: invalid can_queue of %d. can_queue must be a power of 2.\n",
>>> +		       total_cmds);
>>> +		total_cmds = rounddown_pow_of_two(total_cmds);
>>> +		if (total_cmds < ISCSI_TOTAL_CMDS_MIN)
>>> +			return -EINVAL;
>>> +		printk(KERN_INFO "iscsi: Rounding can_queue to %d.\n",
>>> +		       total_cmds);
>>> +	}
>>> +
>>> +	scsi_cmds = total_cmds - ISCSI_MGMT_CMDS_MAX;
>>> +	if (shost->can_queue && scsi_cmds > shost->can_queue) {
>>> +		scsi_cmds = shost->can_queue - ISCSI_MGMT_CMDS_MAX;
>>> +		printk(KERN_INFO "iscsi: requested cmds_max %u higher than driver limit. Using driver max %u\n",
>>> +		       requested_cmds_max, shost->can_queue);
>>> +	}
>>
>> If the device can queue, what if "can_queue" is equal to or less than
>> ISCSI_MGMT_CMDS_MAX?
>>
> 
> It wouldn't be possible,

Correction on that. With he current code we can hit zero for iscsi_tcp
and old tools with iser. I mentioned in the other email I'll fix that
up.

Re: [PATCH 2/6 V3] libiscsi: drop taskqueuelock

[Lee Duncan]

Hi Mike:

Just one "nit" comment about a comment.

On 12/20/20 6:37 PM, Mike Christie wrote:
> The purpose of the taskqueuelock was to handle the issue where a bad
> target decides to send a R2T and before it's data has been sent
> decides to send a cmd response to complete the cmd. The following
> patches fix up the frwd/back locks so they are taken from the
> queue/xmit (frwd) and completion (back) paths again. To get there
> this patch removes the taskqueuelock which for iscsi xmit wq based
> drivers was taken in the queue, xmit and completion paths.
> 
> Instead of the lock, we just make sure we have a ref to the task
> when we queue a R2T, and then we always remove the task from the
> requeue list in the xmit path or the forced cleanup paths.
> 
> Signed-off-by: Mike Christie <michael.christie@oracle.com>
> ---
>  drivers/scsi/libiscsi.c     | 178 ++++++++++++++++++++++++++++----------------
>  drivers/scsi/libiscsi_tcp.c |  84 ++++++++++++++-------
>  include/scsi/libiscsi.h     |   4 +-
>  3 files changed, 171 insertions(+), 95 deletions(-)
> 
> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
> index ee0786b..5582e4f 100644
> --- a/drivers/scsi/libiscsi.c
> +++ b/drivers/scsi/libiscsi.c
> @@ -523,16 +523,6 @@ static void iscsi_complete_task(struct iscsi_task *task, int state)
>  	WARN_ON_ONCE(task->state == ISCSI_TASK_FREE);
>  	task->state = state;
>  
> -	spin_lock_bh(&conn->taskqueuelock);
> -	if (!list_empty(&task->running)) {
> -		pr_debug_once("%s while task on list", __func__);
> -		list_del_init(&task->running);
> -	}
> -	spin_unlock_bh(&conn->taskqueuelock);
> -
> -	if (conn->task == task)
> -		conn->task = NULL;
> -
>  	if (READ_ONCE(conn->ping_task) == task)
>  		WRITE_ONCE(conn->ping_task, NULL);
>  
> @@ -564,9 +554,40 @@ void iscsi_complete_scsi_task(struct iscsi_task *task,
>  }
>  EXPORT_SYMBOL_GPL(iscsi_complete_scsi_task);
>  
> +/*
> + * Must be called with back and frwd lock
> + */
> +static bool cleanup_queued_task(struct iscsi_task *task)
> +{
> +	struct iscsi_conn *conn = task->conn;
> +	bool early_complete = false;
> +
> +	/* Bad target might have completed task while it was still running */
> +	if (task->state == ISCSI_TASK_COMPLETED)
> +		early_complete = true;
> +
> +	if (!list_empty(&task->running)) {
> +		list_del_init(&task->running);
> +		/*
> +		 * If it's on a list but still running, this could be from
> +		 * a bad target sending a rsp early, cleanup from a TMF, or
> +		 * session recovery.
> +		 */
> +		if (task->state == ISCSI_TASK_RUNNING ||
> +		    task->state == ISCSI_TASK_COMPLETED)
> +			__iscsi_put_task(task);
> +	}
> +
> +	if (conn->task == task) {
> +		conn->task = NULL;
> +		__iscsi_put_task(task);
> +	}
> +
> +	return early_complete;
> +}
>  
>  /*
> - * session back_lock must be held and if not called for a task that is
> + * session frwd_lock must be held and if not called for a task that is
>   * still pending or from the xmit thread, then xmit thread must
>   * be suspended.
>   */
> @@ -585,6 +606,13 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
>  	if (!sc)
>  		return;
>  
> +	/* regular RX path uses back_lock */
> +	spin_lock_bh(&conn->session->back_lock);
> +	if (cleanup_queued_task(task)) {
> +		spin_unlock_bh(&conn->session->back_lock);
> +		return;
> +	}
> +
>  	if (task->state == ISCSI_TASK_PENDING) {
>  		/*
>  		 * cmd never made it to the xmit thread, so we should not count
> @@ -600,9 +628,6 @@ static void fail_scsi_task(struct iscsi_task *task, int err)
>  
>  	sc->result = err << 16;
>  	scsi_set_resid(sc, scsi_bufflen(sc));
> -
> -	/* regular RX path uses back_lock */
> -	spin_lock_bh(&conn->session->back_lock);
>  	iscsi_complete_task(task, state);
>  	spin_unlock_bh(&conn->session->back_lock);
>  }
> @@ -748,9 +773,7 @@ static int iscsi_prep_mgmt_task(struct iscsi_conn *conn,
>  		if (session->tt->xmit_task(task))
>  			goto free_task;
>  	} else {
> -		spin_lock_bh(&conn->taskqueuelock);
>  		list_add_tail(&task->running, &conn->mgmtqueue);
> -		spin_unlock_bh(&conn->taskqueuelock);
>  		iscsi_conn_queue_work(conn);
>  	}
>  
> @@ -1411,31 +1434,61 @@ static int iscsi_check_cmdsn_window_closed(struct iscsi_conn *conn)
>  	return 0;
>  }
>  
> -static int iscsi_xmit_task(struct iscsi_conn *conn)
> +static int iscsi_xmit_task(struct iscsi_conn *conn, struct iscsi_task *task,
> +			   bool was_requeue)
>  {
> -	struct iscsi_task *task = conn->task;
>  	int rc;
>  
> -	if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
> -		return -ENODATA;
> -
>  	spin_lock_bh(&conn->session->back_lock);
> -	if (conn->task == NULL) {
> +
> +	if (!conn->task) {
> +		/* Take a ref so we can access it after xmit_task() */
> +		__iscsi_get_task(task);
> +	} else {
> +		/* Already have a ref from when we failed to send it last call */
> +		conn->task = NULL;
> +	}
> +
> +	/*
> +	 * If this was a requeue for a R2T we have an extra ref on the task in
> +	 * case a bad target sends a cmd rsp before we have handled the task.
> +	 */
> +	if (was_requeue)
> +		__iscsi_put_task(task);
> +
> +	/*
> +	 * Do this after dropping the extra ref because if this was a requeue
> +	 * it's removed from that list and cleanup_queued_task would miss it.
> +	 */
> +	if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
> +		/*
> +		 * Save the task and ref in case we weren't cleaning up this
> +		 * task and get woken up again.
> +		 */
> +		conn->task = task;
>  		spin_unlock_bh(&conn->session->back_lock);
>  		return -ENODATA;
>  	}
> -	__iscsi_get_task(task);
>  	spin_unlock_bh(&conn->session->back_lock);
> +
>  	spin_unlock_bh(&conn->session->frwd_lock);
>  	rc = conn->session->tt->xmit_task(task);
>  	spin_lock_bh(&conn->session->frwd_lock);
>  	if (!rc) {
>  		/* done with this task */
>  		task->last_xfer = jiffies;
> -		conn->task = NULL;
>  	}
>  	/* regular RX path uses back_lock */
>  	spin_lock(&conn->session->back_lock);
> +	if (rc && task->state == ISCSI_TASK_RUNNING) {
> +		/*
> +		 * get an extra ref that is released next time we access it
> +		 * as conn->task above.
> +		 */
> +		__iscsi_get_task(task);
> +		conn->task = task;
> +	}
> +
>  	__iscsi_put_task(task);
>  	spin_unlock(&conn->session->back_lock);
>  	return rc;
> @@ -1445,9 +1498,7 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
>   * iscsi_requeue_task - requeue task to run from session workqueue
>   * @task: task to requeue
>   *
> - * LLDs that need to run a task from the session workqueue should call
> - * this. The session frwd_lock must be held. This should only be called
> - * by software drivers.
> + * Callers must have taken a ref to the task that is going to be requeued.
>   */
>  void iscsi_requeue_task(struct iscsi_task *task)
>  {
> @@ -1457,11 +1508,18 @@ void iscsi_requeue_task(struct iscsi_task *task)
>  	 * this may be on the requeue list already if the xmit_task callout
>  	 * is handling the r2ts while we are adding new ones
>  	 */
> -	spin_lock_bh(&conn->taskqueuelock);
> -	if (list_empty(&task->running))
> +	spin_lock_bh(&conn->session->frwd_lock);
> +	if (list_empty(&task->running)) {
>  		list_add_tail(&task->running, &conn->requeue);
> -	spin_unlock_bh(&conn->taskqueuelock);
> +	} else {
> +		/*
> +		 * Don't need the extra ref since it's already requeued and
> +		 * has a ref.
> +		 */
> +		iscsi_put_task(task);
> +	}
>  	iscsi_conn_queue_work(conn);
> +	spin_unlock_bh(&conn->session->frwd_lock);
>  }
>  EXPORT_SYMBOL_GPL(iscsi_requeue_task);
>  
> @@ -1487,7 +1545,7 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
>  	}
>  
>  	if (conn->task) {
> -		rc = iscsi_xmit_task(conn);
> +		rc = iscsi_xmit_task(conn, conn->task, false);
>  	        if (rc)
>  		        goto done;
>  	}
> @@ -1497,49 +1555,41 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
>  	 * only have one nop-out as a ping from us and targets should not
>  	 * overflow us with nop-ins
>  	 */
> -	spin_lock_bh(&conn->taskqueuelock);
>  check_mgmt:
>  	while (!list_empty(&conn->mgmtqueue)) {
> -		conn->task = list_entry(conn->mgmtqueue.next,
> -					 struct iscsi_task, running);
> -		list_del_init(&conn->task->running);
> -		spin_unlock_bh(&conn->taskqueuelock);
> -		if (iscsi_prep_mgmt_task(conn, conn->task)) {
> +		task = list_entry(conn->mgmtqueue.next, struct iscsi_task,
> +				  running);
> +		list_del_init(&task->running);
> +		if (iscsi_prep_mgmt_task(conn, task)) {
>  			/* regular RX path uses back_lock */
>  			spin_lock_bh(&conn->session->back_lock);
> -			__iscsi_put_task(conn->task);
> +			__iscsi_put_task(task);
>  			spin_unlock_bh(&conn->session->back_lock);
> -			conn->task = NULL;
> -			spin_lock_bh(&conn->taskqueuelock);
>  			continue;
>  		}
> -		rc = iscsi_xmit_task(conn);
> +		rc = iscsi_xmit_task(conn, task, false);
>  		if (rc)
>  			goto done;
> -		spin_lock_bh(&conn->taskqueuelock);
>  	}
>  
>  	/* process pending command queue */
>  	while (!list_empty(&conn->cmdqueue)) {
> -		conn->task = list_entry(conn->cmdqueue.next, struct iscsi_task,
> -					running);
> -		list_del_init(&conn->task->running);
> -		spin_unlock_bh(&conn->taskqueuelock);
> +		task = list_entry(conn->cmdqueue.next, struct iscsi_task,
> +				  running);
> +		list_del_init(&task->running);
>  		if (conn->session->state == ISCSI_STATE_LOGGING_OUT) {
> -			fail_scsi_task(conn->task, DID_IMM_RETRY);
> -			spin_lock_bh(&conn->taskqueuelock);
> +			fail_scsi_task(task, DID_IMM_RETRY);
>  			continue;
>  		}
> -		rc = iscsi_prep_scsi_cmd_pdu(conn->task);
> +		rc = iscsi_prep_scsi_cmd_pdu(task);
>  		if (rc) {
>  			if (rc == -ENOMEM || rc == -EACCES)
> -				fail_scsi_task(conn->task, DID_IMM_RETRY);
> +				fail_scsi_task(task, DID_IMM_RETRY);
>  			else
> -				fail_scsi_task(conn->task, DID_ABORT);
> -			spin_lock_bh(&conn->taskqueuelock);
> +				fail_scsi_task(task, DID_ABORT);
>  			continue;
>  		}
> -		rc = iscsi_xmit_task(conn);
> +		rc = iscsi_xmit_task(conn, task, false);
>  		if (rc)
>  			goto done;
>  		/*
> @@ -1547,7 +1597,6 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
>  		 * we need to check the mgmt queue for nops that need to
>  		 * be sent to aviod starvation
>  		 */
> -		spin_lock_bh(&conn->taskqueuelock);
>  		if (!list_empty(&conn->mgmtqueue))
>  			goto check_mgmt;
>  	}
> @@ -1561,21 +1610,17 @@ static int iscsi_data_xmit(struct iscsi_conn *conn)
>  
>  		task = list_entry(conn->requeue.next, struct iscsi_task,
>  				  running);
> +
>  		if (iscsi_check_tmf_restrictions(task, ISCSI_OP_SCSI_DATA_OUT))
>  			break;
>  
> -		conn->task = task;
> -		list_del_init(&conn->task->running);
> -		conn->task->state = ISCSI_TASK_RUNNING;
> -		spin_unlock_bh(&conn->taskqueuelock);
> -		rc = iscsi_xmit_task(conn);
> +		list_del_init(&task->running);
> +		rc = iscsi_xmit_task(conn, task, true);
>  		if (rc)
>  			goto done;
> -		spin_lock_bh(&conn->taskqueuelock);
>  		if (!list_empty(&conn->mgmtqueue))
>  			goto check_mgmt;
>  	}
> -	spin_unlock_bh(&conn->taskqueuelock);
>  	spin_unlock_bh(&conn->session->frwd_lock);
>  	return -ENODATA;
>  
> @@ -1741,9 +1786,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
>  			goto prepd_reject;
>  		}
>  	} else {
> -		spin_lock_bh(&conn->taskqueuelock);
>  		list_add_tail(&task->running, &conn->cmdqueue);
> -		spin_unlock_bh(&conn->taskqueuelock);
>  		iscsi_conn_queue_work(conn);
>  	}
>  
> @@ -2914,7 +2957,6 @@ struct iscsi_cls_conn *
>  	INIT_LIST_HEAD(&conn->mgmtqueue);
>  	INIT_LIST_HEAD(&conn->cmdqueue);
>  	INIT_LIST_HEAD(&conn->requeue);
> -	spin_lock_init(&conn->taskqueuelock);
>  	INIT_WORK(&conn->xmitwork, iscsi_xmitworker);
>  
>  	/* allocate login_task used for the login/text sequences */
> @@ -3080,10 +3122,16 @@ int iscsi_conn_start(struct iscsi_cls_conn *cls_conn)
>  		ISCSI_DBG_SESSION(conn->session,
>  				  "failing mgmt itt 0x%x state %d\n",
>  				  task->itt, task->state);
> +
> +		spin_lock_bh(&session->back_lock);
> +		if (cleanup_queued_task(task)) {
> +			spin_unlock_bh(&session->back_lock);
> +			continue;
> +		}
> +
>  		state = ISCSI_TASK_ABRT_SESS_RECOV;
>  		if (task->state == ISCSI_TASK_PENDING)
>  			state = ISCSI_TASK_COMPLETED;
> -		spin_lock_bh(&session->back_lock);
>  		iscsi_complete_task(task, state);
>  		spin_unlock_bh(&session->back_lock);
>  	}
> diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c
> index 83f14b2..14c9169 100644
> --- a/drivers/scsi/libiscsi_tcp.c
> +++ b/drivers/scsi/libiscsi_tcp.c
> @@ -524,48 +524,79 @@ static int iscsi_tcp_data_in(struct iscsi_conn *conn, struct iscsi_task *task)
>  /**
>   * iscsi_tcp_r2t_rsp - iSCSI R2T Response processing
>   * @conn: iscsi connection
> - * @task: scsi command task
> + * @hdr: PDU header
>   */
> -static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
> +static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr)
>  {
>  	struct iscsi_session *session = conn->session;
> -	struct iscsi_tcp_task *tcp_task = task->dd_data;
> -	struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
> -	struct iscsi_r2t_rsp *rhdr = (struct iscsi_r2t_rsp *)tcp_conn->in.hdr;
> +	struct iscsi_tcp_task *tcp_task;
> +	struct iscsi_tcp_conn *tcp_conn;
> +	struct iscsi_r2t_rsp *rhdr;
>  	struct iscsi_r2t_info *r2t;
> -	int r2tsn = be32_to_cpu(rhdr->r2tsn);
> +	struct iscsi_task *task;
>  	u32 data_length;
>  	u32 data_offset;
> +	int r2tsn;
>  	int rc;
>  
> +	spin_lock(&session->back_lock);
> +	task = iscsi_itt_to_ctask(conn, hdr->itt);
> +	if (!task) {
> +		spin_unlock(&session->back_lock);
> +		return ISCSI_ERR_BAD_ITT;
> +	} else if (task->sc->sc_data_direction != DMA_TO_DEVICE) {
> +		spin_unlock(&session->back_lock);
> +		return ISCSI_ERR_PROTO;
> +	}
> +	/*
> +	 * A bad target might complete the cmd before we have handled R2Ts
> +	 * so get a ref to the task that will be dropped in the xmit path.
> +	 */

Nit: For me, this comment seems to go with the __iscsi_get_task() a few
lines below, and doesn't mention the state check. But certainly no
functional objection here.

> +	if (task->state != ISCSI_TASK_RUNNING) {
> +		spin_unlock(&session->back_lock);
> +		/* Let the path that got the early rsp complete it */
> +		return 0;
> +	}
> +	task->last_xfer = jiffies;
> +	__iscsi_get_task(task);
> +
> +	tcp_conn = conn->dd_data;
> +	rhdr = (struct iscsi_r2t_rsp *)tcp_conn->in.hdr;
> +	/* fill-in new R2T associated with the task */
> +	iscsi_update_cmdsn(session, (struct iscsi_nopin *)rhdr);
> +	spin_unlock(&session->back_lock);
> +
>  	if (tcp_conn->in.datalen) {
>  		iscsi_conn_printk(KERN_ERR, conn,
>  				  "invalid R2t with datalen %d\n",
>  				  tcp_conn->in.datalen);
> -		return ISCSI_ERR_DATALEN;
> +		rc = ISCSI_ERR_DATALEN;
> +		goto put_task;
>  	}
>  
> +	tcp_task = task->dd_data;
> +	r2tsn = be32_to_cpu(rhdr->r2tsn);
>  	if (tcp_task->exp_datasn != r2tsn){
>  		ISCSI_DBG_TCP(conn, "task->exp_datasn(%d) != rhdr->r2tsn(%d)\n",
>  			      tcp_task->exp_datasn, r2tsn);
> -		return ISCSI_ERR_R2TSN;
> +		rc = ISCSI_ERR_R2TSN;
> +		goto put_task;
>  	}
>  
> -	/* fill-in new R2T associated with the task */
> -	iscsi_update_cmdsn(session, (struct iscsi_nopin*)rhdr);
> -
>  	if (!task->sc || session->state != ISCSI_STATE_LOGGED_IN) {
>  		iscsi_conn_printk(KERN_INFO, conn,
>  				  "dropping R2T itt %d in recovery.\n",
>  				  task->itt);
> -		return 0;
> +		rc = 0;
> +		goto put_task;
>  	}
>  
>  	data_length = be32_to_cpu(rhdr->data_length);
>  	if (data_length == 0) {
>  		iscsi_conn_printk(KERN_ERR, conn,
>  				  "invalid R2T with zero data len\n");
> -		return ISCSI_ERR_DATALEN;
> +		rc = ISCSI_ERR_DATALEN;
> +		goto put_task;
>  	}
>  
>  	if (data_length > session->max_burst)
> @@ -579,7 +610,8 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
>  				  "invalid R2T with data len %u at offset %u "
>  				  "and total length %d\n", data_length,
>  				  data_offset, task->sc->sdb.length);
> -		return ISCSI_ERR_DATALEN;
> +		rc = ISCSI_ERR_DATALEN;
> +		goto put_task;
>  	}
>  
>  	spin_lock(&tcp_task->pool2queue);
> @@ -589,7 +621,8 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
>  				  "Target has sent more R2Ts than it "
>  				  "negotiated for or driver has leaked.\n");
>  		spin_unlock(&tcp_task->pool2queue);
> -		return ISCSI_ERR_PROTO;
> +		rc = ISCSI_ERR_PROTO;
> +		goto put_task;
>  	}
>  
>  	r2t->exp_statsn = rhdr->statsn;
> @@ -607,6 +640,10 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
>  
>  	iscsi_requeue_task(task);
>  	return 0;
> +
> +put_task:
> +	iscsi_put_task(task);
> +	return rc;
>  }
>  
>  /*
> @@ -730,20 +767,11 @@ static int iscsi_tcp_r2t_rsp(struct iscsi_conn *conn, struct iscsi_task *task)
>  		rc = iscsi_complete_pdu(conn, hdr, NULL, 0);
>  		break;
>  	case ISCSI_OP_R2T:
> -		spin_lock(&conn->session->back_lock);
> -		task = iscsi_itt_to_ctask(conn, hdr->itt);
> -		spin_unlock(&conn->session->back_lock);
> -		if (!task)
> -			rc = ISCSI_ERR_BAD_ITT;
> -		else if (ahslen)
> +		if (ahslen) {
>  			rc = ISCSI_ERR_AHSLEN;
> -		else if (task->sc->sc_data_direction == DMA_TO_DEVICE) {
> -			task->last_xfer = jiffies;
> -			spin_lock(&conn->session->frwd_lock);
> -			rc = iscsi_tcp_r2t_rsp(conn, task);
> -			spin_unlock(&conn->session->frwd_lock);
> -		} else
> -			rc = ISCSI_ERR_PROTO;
> +			break;
> +		}
> +		rc = iscsi_tcp_r2t_rsp(conn, hdr);
>  		break;
>  	case ISCSI_OP_LOGIN_RSP:
>  	case ISCSI_OP_TEXT_RSP:
> diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h
> index b3bbd10..44a9554 100644
> --- a/include/scsi/libiscsi.h
> +++ b/include/scsi/libiscsi.h
> @@ -187,7 +187,7 @@ struct iscsi_conn {
>  	struct iscsi_task	*task;		/* xmit task in progress */
>  
>  	/* xmit */
> -	spinlock_t		taskqueuelock;  /* protects the next three lists */
> +	/* items must be added/deleted under frwd lock */
>  	struct list_head	mgmtqueue;	/* mgmt (control) xmit queue */
>  	struct list_head	cmdqueue;	/* data-path cmd queue */
>  	struct list_head	requeue;	/* tasks needing another run */
> @@ -332,7 +332,7 @@ struct iscsi_session {
>  						 * cmdsn, queued_cmdsn     *
>  						 * session resources:      *
>  						 * - cmdpool kfifo_out ,   *
> -						 * - mgmtpool,		   */
> +						 * - mgmtpool, queues	   */
>  	spinlock_t		back_lock;	/* protects cmdsn_exp      *
>  						 * cmdsn_max,              *
>  						 * cmdpool kfifo_in        */
> 

Reviewed-by: Lee Duncan <lduncan@suse.com>