1. 03 Feb, 2016 2 commits
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active TMR descriptor handling · a6d9bb1c
      Nicholas Bellinger authored
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active TMRs,
      triggered during se_cmd + se_tmr_req descriptor
      shutdown + release via core_tmr_drain_tmr_list().
      
      To address this bug, go ahead and obtain a local
      kref_get_unless_zero(&se_cmd->cmd_kref) for active I/O
      to set CMD_T_ABORTED, and transport_wait_for_tasks()
      followed by the final target_put_sess_cmd() to drop
      the local ->cmd_kref.
      
      Also add two new checks within target_tmr_work() to
      avoid CMD_T_ABORTED -> TFO->queue_tm_rsp() callbacks
      ahead of invoking the backend -> fabric put in
      transport_cmd_check_stop_to_fabric().
      
      For good measure, also change core_tmr_release_req()
      to use list_del_init() ahead of se_tmr_req memory
      free.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      a6d9bb1c
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active I/O handling for ACK_KREF · febe562c
      Nicholas Bellinger authored
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      febe562c
  2. 30 Jan, 2016 3 commits
    • Quinn Tran's avatar
      qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM · a07100e0
      Quinn Tran authored
      During lun reset, TMR thread from TCM would issue abort
      to qla driver.  At abort time, each command is in different
      state.  Depending on the state, qla will use the TMR thread
      to trigger a command free(cmd_kref--) if command is not
      down at firmware.
      Signed-off-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      a07100e0
    • Himanshu Madhani's avatar
      qla2xxx: Fix warning reported by static checker · dacb5822
      Himanshu Madhani authored
      This patch fixes following warning
      
      drivers/scsi/qla2xxx/qla_target.c:3587 qlt_do_ctio_completion()
      warn: impossible condition '(logged_out == 41) => (0-1 == 41)'
      
      drivers/scsi/qla2xxx/qla_target.c
       3580                  case CTIO_PORT_LOGGED_OUT:
       3581                  case CTIO_PORT_UNAVAILABLE:
       3582                  {
       3583                          bool logged_out = (status & 0xFFFF);
       3584                          ql_dbg(ql_dbg_tgt_mgt, vha, 0xf059,
       3585                              "qla_target(%d): CTIO with %s status %x "
       3586                              "received (state %x, se_cmd %p)\n", vha->vp_idx,
       3587                              (logged_out == CTIO_PORT_LOGGED_OUT) ?
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                          Bool cannot equal 0x26.
       3588                              "PORT LOGGED OUT" : "PORT UNAVAILABLE",
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarGiridhar Malavali <giridhar.malavali@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      dacb5822
    • Mike Christie's avatar
      target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors · 8a9ebe71
      Mike Christie authored
      In a couple places we are not converting to/from the Linux
      block layer 512 bytes sectors.
      
      1.
      
      The request queue values and what we do are a mismatch of
      things:
      
      max_discard_sectors - This is in linux block layer 512 byte
      sectors. We are just copying this to max_unmap_lba_count.
      
      discard_granularity - This is in bytes. We are converting it
      to Linux block layer 512 byte sectors.
      
      discard_alignment - This is in bytes. We are just copying
      this over.
      
      The problem is that the core LIO code exports these values in
      spc_emulate_evpd_b0 and we use them to test request arguments
      in sbc_execute_unmap, but we never convert to the block size
      we export to the initiator. If we are not using 512 byte sectors
      then we are exporting the wrong values or are checks are off.
      And, for the discard_alignment/bytes case we are just plain messed
      up.
      
      2.
      
      blkdev_issue_discard's start and number of sector arguments
      are supposed to be in linux block layer 512 byte sectors. We are
      currently passing in the values we get from the initiator which
      might be based on some other sector size.
      
      There is a similar problem in iblock_execute_write_same where
      the bio functions want values in 512 byte sectors but we are
      passing in what we got from the initiator.
      Signed-off-by: default avatarMike Christie <mchristi@redhat.com>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      8a9ebe71
  3. 24 Jan, 2016 35 commits