aboutsummaryrefslogtreecommitdiff
path: root/drivers/target
AgeCommit message (Collapse)Author
2014-06-26iscsi-target: Reject mutual authentication with reflected CHAP_CNicholas Bellinger
commit 1d2b60a5545942b1376cb48c1d55843d71e3a08f upstream. This patch adds an explicit check in chap_server_compute_md5() to ensure the CHAP_C value received from the initiator during mutual authentication does not match the original CHAP_C provided by the target. This is in line with RFC-3720, section 8.2.1: Originators MUST NOT reuse the CHAP challenge sent by the Responder for the other direction of a bidirectional authentication. Responders MUST check for this condition and close the iSCSI TCP connection if it occurs. Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-26target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmdNicholas Bellinger
commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream. This patch fixes a NULL pointer dereference regression bug that was introduced with: commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c Author: Mikulas Patocka <mpatocka@redhat.com> Date: Sat May 17 06:49:22 2014 -0400 target: fix memory leak on XCOPY Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is called with a valid se_cmd->cmd_kref, a NULL pointer dereference is triggered because the XCOPY passthrough commands don't have an associated se_session pointer. To address this bug, go ahead and checking for a NULL se_sess pointer within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd() to release the XCOPY's xcopy_pt_cmd memory. Reported-by: Thomas Glanzmann <thomas@glanzmann.de> Cc: Thomas Glanzmann <thomas@glanzmann.de> Cc: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-06target: Fix alua_access_state attribute OOPs for un-configured devicesNicholas Bellinger
This patch fixes a OOPs where an attempt to write to the per-device alua_access_state configfs attribute at: /sys/kernel/config/target/core/$HBA/$DEV/alua/$TG_PT_GP/alua_access_state results in an NULL pointer dereference when the backend device has not yet been configured. This patch adds an explicit check for DF_CONFIGURED, and fails with -ENODEV to avoid this case. Reported-by: Chris Boot <crb@tiger-computing.co.uk> Reported-by: Philip Gaw <pgaw@darktech.org.uk> Cc: Chris Boot <crb@tiger-computing.co.uk> Cc: Philip Gaw <pgaw@darktech.org.uk> Cc: stable@vger.kernel.org # 3.8+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-06target: Allow READ_CAPACITY opcode in ALUA Standby access stateNicholas Bellinger
This patch allows READ_CAPACITY + SAI_READ_CAPACITY_16 opcode processing to occur while the associated ALUA group is in Standby access state. This is required to avoid host side LUN probe failures during the initial scan if an ALUA group has already implicitly changed into Standby access state. This addresses a bug reported by Chris + Philip using dm-multipath + ESX hosts configured with ALUA multipath. Reported-by: Chris Boot <crb@tiger-computing.co.uk> Reported-by: Philip Gaw <pgaw@darktech.org.uk> Cc: Chris Boot <crb@tiger-computing.co.uk> Cc: Philip Gaw <pgaw@darktech.org.uk> Cc: Hannes Reinecke <hare@suse.de> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-03iser-target: Fix multi network portal shutdown regressionNicholas Bellinger
This patch fixes a iser-target specific regression introduced in v3.15-rc6 with: commit 14f4b54fe38f3a8f8392a50b951c8aa43b63687a Author: Sagi Grimberg <sagig@mellanox.com> Date: Tue Apr 29 13:13:47 2014 +0300 Target/iscsi,iser: Avoid accepting transport connections during stop stage where the change to set iscsi_np->enabled = false within iscsit_clear_tpg_np_login_thread() meant that a iscsi_np with two iscsi_tpg_np exports would have it's parent iscsi_np set to a disabled state, even if other iscsi_tpg_np exports still existed. This patch changes iscsit_clear_tpg_np_login_thread() to only set iscsi_np->enabled = false when shutdown = true, and also changes iscsit_del_np() to set iscsi_np->enabled = true when iscsi_np->np_exports is non zero. Cc: Sagi Grimberg <sagig@dev.mellanox.co.il> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-03iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value()Roland Dreier
In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls iscsi_change_param_value() with the buffer it uses to hold the login PDU, not a temporary buffer. This leads to the login header getting corrupted and login failing for non-leading connections in MC/S. Fix this by adding a wrapper iscsi_change_param_sprintf() that handles the temporary buffer itself to avoid confusion. Also handle sending a reject in case of failure in the wrapper, which lets the calling code get quite a bit smaller and easier to read. Finally, bump the size of the temporary buffer from 32 to 64 bytes to be safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't the default but we don't need to run right at the ragged edge here) Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-17target: fix memory leak on XCOPYMikulas Patocka
On each processed XCOPY command, two "kmalloc-512" memory objects are leaked. These represent two allocations of struct xcopy_pt_cmd in target_core_xcopy.c. The reason for the memory leak is that the cmd_kref field is not initialized (thus, it is zero because the allocations were done with kzalloc). When we decrement zero kref in target_put_sess_cmd, the result is not zero, thus target_release_cmd_kref is not called. This patch fixes the bug by moving kref initialization from target_get_sess_cmd to transport_init_se_cmd (this function is called from target_core_xcopy.c, so it will correctly initialize cmd_kref). It can be easily verified that all code that calls target_get_sess_cmd also calls transport_init_se_cmd earlier, thus moving kref_init shouldn't introduce any new problems. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15target: Don't allow setting WC emulation if device doesn't supportAndy Grover
Just like for pSCSI, if the transport sets get_write_cache, then it is not valid to enable write cache emulation for it. Return an error. see https://bugzilla.redhat.com/show_bug.cgi?id=1082675 Reviewed-by: Chris Leech <cleech@redhat.com> Signed-off-by: Andy Grover <agrover@redhat.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15iscsi-target: Disable Immediate + Unsolicited Data with ISER ProtectionNicholas Bellinger
This patch explicitly disables Immediate + Unsolicited Data for ISER connections during login in iscsi_login_zero_tsih_s2() when protection has been enabled for the session by the underlying hardware. This is currently required because protection / signature memory regions (MRs) expect T10 PI to occur on RDMA READs + RDMA WRITEs transfers, and not on a immediate data payload associated with ISCSI_OP_SCSI_CMD, or unsolicited data-out associated with a ISCSI_OP_SCSI_DATA_OUT. v2 changes: - Add TARGET_PROT_DOUT_INSERT check (Sagi) - Add pr_debug noisemaker (Sagi) - Add goto to avoid early return from MRDSL check (nab) Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15tcm_fc: Fix free-after-use regression in ft_free_cmdNicholas Bellinger
This patch fixes a free-after-use regression in ft_free_cmd(), where ft_sess_put() is called with cmd->sess after percpu_ida_free() has already released the tag. Fix this bug by saving the ft_sess pointer ahead of percpu_ida_free(), and pass it directly to ft_sess_put(). The regression was originally introduced in v3.13-rc1 commit: commit 5f544cfac956971099e906f94568bc3fd1a7108a Author: Nicholas Bellinger <nab@daterainc.com> Date: Mon Sep 23 12:12:42 2013 -0700 tcm_fc: Convert to per-cpu command map pre-allocation of ft_cmd Reported-by: Jun Wu <jwu@stormojo.com> Cc: Mark Rustad <mark.d.rustad@intel.com> Cc: Robert Love <robert.w.love@intel.com> Cc: <stable@vger.kernel.org> #3.13+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_outNicholas Bellinger
This patch changes an incorrect use of BUG_ON to instead generate a REJECT + PROTOCOL_ERROR in iscsit_process_nop_out() code. This case can occur with traditional TCP where a flood of zeros in the data stream can reach this block for what is presumed to be a NOP-OUT with a solicited reply, but without a valid iscsi_cmd pointer. This incorrect BUG_ON was introduced during the v3.11-rc timeframe with the following commit: commit 778de368964c5b7e8100cde9f549992d521e9c89 Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Fri Jun 14 16:07:47 2013 -0700 iscsi/isert-target: Refactor ISCSI_OP_NOOP RX handling Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Cc: stable@vger.kernel.org # 3.11+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15Target/iscsi,iser: Avoid accepting transport connections during stop stageSagi Grimberg
When the target is in stop stage, iSER transport initiates RDMA disconnects. The iSER initiator may wish to establish a new connection over the still existing network portal. In this case iSER transport should not accept and resume new RDMA connections. In order to learn that, iscsi_np is added with enabled flag so the iSER transport can check when deciding weather to accept and resume a new connection request. The iscsi_np is enabled after successful transport setup, and disabled before iscsi_np login threads are cleaned up. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-05-15target: Allow non-supporting backends to set pi_prot_type to 0Andy Grover
Userspace tools assume if a value is read from configfs, it is valid and will not cause an error if the same value is written back. The only valid value for pi_prot_type for backends not supporting DIF is 0, so allow this particular value to be set without returning an error. Reported-by: Krzysztof Chojnowski <frirajder@gmail.com> Signed-off-by: Andy Grover <agrover@redhat.com> Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: stable@vger.kernel.org # 3.14+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-12Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds
Pull yet more networking updates from David Miller: 1) Various fixes to the new Redpine Signals wireless driver, from Fariya Fatima. 2) L2TP PPP connect code takes PMTU from the wrong socket, fix from Dmitry Petukhov. 3) UFO and TSO packets differ in whether they include the protocol header in gso_size, account for that in skb_gso_transport_seglen(). From Florian Westphal. 4) If VLAN untagging fails, we double free the SKB in the bridging output path. From Toshiaki Makita. 5) Several call sites of sk->sk_data_ready() were referencing an SKB just added to the socket receive queue in order to calculate the second argument via skb->len. This is dangerous because the moment the skb is added to the receive queue it can be consumed in another context and freed up. It turns out also that none of the sk->sk_data_ready() implementations even care about this second argument. So just kill it off and thus fix all these use-after-free bugs as a side effect. 6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti. 7) pktgen needs to do locking properly for LLTX devices, from Daniel Borkmann. 8) xen-netfront driver initializes TX array entries in RX loop :-) From Vincenzo Maffione. 9) After refactoring, some tunnel drivers allow a tunnel to be configured on top itself. Fix from Nicolas Dichtel. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits) vti: don't allow to add the same tunnel twice gre: don't allow to add the same tunnel twice drivers: net: xen-netfront: fix array initialization bug pktgen: be friendly to LLTX devices r8152: check RTL8152_UNPLUG net: sun4i-emac: add promiscuous support net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO net: ipv6: Fix oif in TCP SYN+ACK route lookup. drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts drivers: net: cpsw: discard all packets received when interface is down net: Fix use after free by removing length arg from sk_data_ready callbacks. Drivers: net: hyperv: Address UDP checksum issues Drivers: net: hyperv: Negotiate suitable ndis version for offload support Drivers: net: hyperv: Allocate memory for all possible per-pecket information bridge: Fix double free and memory leak around br_allowed_ingress bonding: Remove debug_fs files when module init fails i40evf: program RSS LUT correctly i40evf: remove open-coded skb_cow_head ixgb: remove open-coded skb_cow_head igbvf: remove open-coded skb_cow_head ...
2014-04-11target/tcm_fc: Rename ft_tport_create to ft_tport_getAndy Grover
Because it doesn't always create, if there's an existing one it just returns it. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target/tcm_fc: Rename ft_{add,del}_lport to {add,del}_wwnAndy Grover
These functions are not adding or deleting an lport. They are adding a wwn that may match with an lport that is present on the system. Renaming ft_del_lport also means we won't have functions named both ft_del_lport and ft_lport_del any more. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target/tcm_fc: Rename structs and list members for clarityAndy Grover
Rename struct ft_lport_acl to ft_lport_wwn. "acl" is associated with something different in LIO terms. Really, ft_lport_wwn is the fabric-specific wrapper for the struct se_wwn. Rename "lacl" local variables to "ft_wwn" as well. Rename list_heads used as list members to make it clear they're nodes, not heads. Rename lport_node to ft_wwn_node. Rename ft_lport_list to ft_wwn_list Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target/tcm_fc: Limit to 1 TPG per wwnAndy Grover
tcm_fc doesn't support multiple TPGs per wwn. For proof, see ft_lport_find_tpg. Enforce this in the code. Replace ft_lport_wwn.tpg_list with a single pointer. We can't fold ft_tpg into ft_lport_wwn because they can have different lifetimes. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target/tcm_fc: Don't export ft_lport_listAndy Grover
Nobody outside tfc_conf.c uses it. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target/tcm_fc: Fix use-after-free of ft_tpgAndy Grover
ft_del_tpg checks tpg->tport is set before unlinking the tpg from the tport when the tpg is being removed. Set this pointer in ft_tport_create, or the unlinking won't happen in ft_del_tpg and tport->tpg will reference a deleted object. This patch sets tpg->tport in ft_tport_create, because that's what ft_del_tpg checks, and is the only way to get back to the tport to clear tport->tpg. The bug was occuring when: - lport created, tport (our per-lport, per-provider context) is allocated. tport->tpg = NULL - tpg created - a PRLI is received. ft_tport_create is called, tpg is found and tport->tpg is set - tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not set, tport->tpg is not cleared and points at freed memory - Future calls to ft_tport_create return tport via first conditional, instead of searching for new tpg by calling ft_lport_find_tpg. tport->tpg is still invalid, and will access freed memory. see https://bugzilla.redhat.com/show_bug.cgi?id=1071340 Cc: stable@vger.kernel.org # 3.0+ Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11target: Add check to prevent Abort Task from aborting itselfAlex Leung
This patch addresses an issue that occurs when an ABTS is received for an se_cmd that completes just before the sess_cmd_list is searched in core_tmr_abort_task(). When the sess_cmd_list is searched, since the ABTS and the FCP_CMND being aborted (that just completed) both have the same OXID, TFO->get_task_tag(TMR) returns a value that matches tmr->ref_task_tag (from TFO->get_task_tag(FCP_CMND)), and the Abort Task tries to abort itself. When this occurs, transport_wait_for_tasks() hangs forever since the TMR is waiting for itself to finish. This patch adds a check to core_tmr_abort_task() to make sure the TMR does not attempt to abort itself. Signed-off-by: Alex Leung <alex.leung@emulex.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-11net: Fix use after free by removing length arg from sk_data_ready callbacks.David S. Miller
Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-07target: Enable READ_STRIP emulation in target_complete_ok_workNicholas Bellinger
This patch enables the use of READ_STRIP software emulation in target_complete_ok_work() code for I/O READs. This is useful when the fabric does not support READ_STRIP hardware offload, but would still like to interact with backend device that have T10 PI enabled. v2 changes: - Move TARGET_PROT_DIN_STRIP check from target_check_read_strip() into target_complete_ok_work() (Sagi) Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/sbc: Add sbc_dif_read_strip software emulationNicholas Bellinger
Split up __sbc_dif_verify_read() so that VERIFY READ emulation can perform target-core specific READ_STRIP, seperate from the existing FILEIO/RAMDISK backend emulation code. Also add sbc_dif_read_strip() in order to determine number of sectors using cmd->prot_length, and skip the extra sbc_dif_copy_prot(). Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target: Enable WRITE_INSERT emulation in target_execute_cmdNicholas Bellinger
This patch enables WRITE_INSERT emulation in target_execute_cmd() in order to locally generate DIF PI before submitting the WRITE to the underlying backend device. This is required for fabric drivers that currently don't support DIF over-the-wire, in order to inact with backend devices that have hardware (IBLOCK) or software (FILEIO + RAMDISK) support for handling T10 PI. v2 changes: - Convert to sbc_dif_generate() usage (Sagi) Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/sbc: Add sbc_dif_generate software emulationNicholas Bellinger
This patch adds WRITE_INSERT emulation within target-core using TYPE1 / TYPE3 PI modes in sbc_dif_generate() code. This is useful in order for existing legacy fabrics that do not support protection offloads to interact with backend devices that currently have T10 PI enabled. v2 changes: - Rename to sbc_dif_generate() (Sagi) Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/sbc: Only expose PI read_cap16 bits when supported by fabricNicholas Bellinger
Only expose the PI protection type bits in READ_CAPACITY_16 if the session + fabric support DIX PASS operations. Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/spc: Only expose PI mode page bits when supported by fabricNicholas Bellinger
Only expose the control modepage bit for Application Tag Owner (ATO) if the session + fabric support DIX PASS operations. Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/spc: Only expose PI inquiry bits when supported by fabricNicholas Bellinger
Only expose standard INQUIRY PROTECT=1 and EVPD=0x86 TYPE1/TYPE3 PI control bits if the session + fabric support DIX PASS operations. Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target: Pass in transport supported PI at session initializationNicholas Bellinger
In order to support local WRITE_INSERT + READ_STRIP operations for non PI enabled fabrics, the fabric driver needs to be able signal what protection offload operations are supported. This is done at session initialization time so the modes can be signaled by individual se_wwn + se_portal_group endpoints, as well as optionally across different transports on the same endpoint. For iser-target, set TARGET_PROT_ALL if the underlying ib_device has already signaled PI offload support, and allow this to be exposed via a new iscsit_transport->iscsit_get_sup_prot_ops() callback. For loopback, set TARGET_PROT_ALL to signal SCSI initiator mode operation. For all other drivers, set TARGET_PROT_NORMAL to disable fabric level PI. Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/iblock: Fix double bioset_integrity_free bugNicholas Bellinger
This patch fixes a double free bug during IBLOCK backend shutdown where bioset_integrity_free() was incorrectly called ahead of bioset_free(), who is already making the same call directly. This bug was introduced with commit ecebbf6cc, and will end up triggering a general protection fault in iblock_free_device() Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Cc: <stable@vger.kernel.org> #3.14+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/sbc: Initialize COMPARE_AND_WRITE write_sg scatterlistMartin Svec
When compiled with CONFIG_DEBUG_SG set, uninitialized SGL leads to BUG() in compare_and_write_callback(). Signed-off-by: Martin Svec <martin.svec@zoner.cz> Cc: <stable@vger.kernel.org> #3.12+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target/rd: T10-Dif: RAM disk is allocating more space than required.Quinn Tran
Ram disk is allocating 8x more space than required for diff data. For large RAM disk test, there is small potential for memory starvation. (Use block_size when calculating total_sg_needed - sagi + nab) Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: Quinn Tran <quinn.tran@qlogic.com> Cc: <stable@vger.kernel.org> #3.14+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bugNicholas Bellinger
This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message() where during ERL=2 connection recovery, a bogus conn_p pointer could end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION notifying the initiator that cmd->logout_cid has failed. The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with a bogus conn_p pointer in iscsit_build_conn_drop_async_message(). Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Reported-by: santosh kulkarni <santosh.kulkarni@calsoftinc.com> Cc: <stable@vger.kernel.org> #3.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target: Add TFO->abort_task for aborted task resources releaseNicholas Bellinger
Now that TASK_ABORTED status is not generated for all cases by TMR ABORT_TASK + LUN_RESET, a new TFO->abort_task() caller is necessary in order to give fabric drivers a chance to unmap hardware / software resources before the se_cmd descriptor is released via the normal TFO->release_cmd() codepath. This patch adds TFO->aborted_task() in core_tmr_abort_task() in place of the original transport_send_task_abort(), and also updates all fabric drivers to implement this caller. The fabric drivers that include changes to perform cleanup via ->aborted_task() are: - iscsi-target - iser-target - srpt - tcm_qla2xxx The fabric drivers that currently set ->aborted_task() to NOPs are: - loopback - tcm_fc - usb-gadget - sbp-target - vhost-scsi For the latter five, there appears to be no additional cleanup required before invoking TFO->release_cmd() to release the se_cmd descriptor. v2 changes: - Move ->aborted_task() call into transport_cmd_finish_abort (Alex) Cc: Alex Leung <amleung21@yahoo.com> Cc: Mark Rustad <mark.d.rustad@intel.com> Cc: Roland Dreier <roland@kernel.org> Cc: Vu Pham <vu@mellanox.com> Cc: Chris Boot <bootc@bootc.net> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Cc: Saurav Kashyap <saurav.kashyap@qlogic.com> Cc: Quinn Tran <quinn.tran@qlogic.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07target: Fix Task Aborted Status (TAS) handlingAlex Leung
This patch addresses three of long standing issues wrt to Task Aborted Status (TAS) handling. The first is the incorrect assumption in core_tmr_handle_tas_abort() that TASK_ABORTED status is sent for the task referenced by TMR ABORT_TASK, and sending TASK_ABORTED status for TMR LUN_RESET on the same nexus the LUN_RESET was received. The second is to ensure the lun reference count is dropped within transport_cmd_finish_abort() by calling transport_lun_remove_cmd() before invoking transport_cmd_check_stop_to_fabric(). The last is to fix the delayed TAS handling to allow outstanding WRITEs to complete before sending the TASK_ABORTED status. This includes changing transport_check_aborted_status() to avoid processing when SCF_SEND_DELAYED_TAS has not be set, and updating transport_send_task_abort() to drop the SCF_SENT_DELAYED_TAS check. Signed-off-by: Alex Leung <amleung21@yahoo.com> Cc: Alex Leung <amleung21@yahoo.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07iscsi-target: Add missing NopOUT->flag (LMB) sanity checkArshad Hussain
This patch adds check for NopOUT->flag (LMB) which is a mandatory as per RFC 3720 Section 10.18. (Fix up context changes for v3.14-rc code - nab) Signed-off-by: Arshad Hussain <arshad.hussain@calsoftinc.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/sbc: add debug printSagi Grimberg
Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/configfs: Expose iSCSI network portal group T10-PI supportSagi Grimberg
User may enable T10-PI support per network portal group. any connection established on top of it, will be required to serve protected transactions. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/iscsi: Add T10-PI indication for iscsi_portal_groupSagi Grimberg
In case an iscsi portal group will be defined as t10_pi enabled, all connections on top of it will support protected transactions. T10-PI support may require extra reource allocation and maintenance by the transport layer, so we don't want to apply them on non-t10_pi network portals. This is a hook for the iscsi target layer to signal the transport at connection establishment that this connection will carry protected transactions. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/core: Remove prot_handover use for nowSagi Grimberg
This is not going to be supported soon - so drop it. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/dif: Introduce protection-passthough-only modeSagi Grimberg
Some transports (iSCSI/iSER/SRP/FC) support hardware INSERT/STRIP capabilities while other transports like loopback/vhost-scsi need perform this is software. This patch allows fabrics using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC to signal the early LUN scan handling case where PROTECT CDB bits are set, but no fabric buffer has been provided. For transports which use generic new command these buffers have yet to be allocated. Also this way, target may support protection information against legacy initiators (writes are inserted and reads are stripped). (Only set prot_pto for loopback during early special case - nab) Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-04-07Target/file: place escape values for protection information formatSagi Grimberg
No need to actually compute protection information when formatting Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-13Target/sbc: Set protection operation and relevant checksSagi Grimberg
SBC-3 mandates the protection checks that must be performed in the rdprotect/wrprotect field. Use them. According to backstore device pi_attributes and cdb rdprotect/wrprotect field. (Fix incorrect se_cmd->prot_type -> TARGET_PROT_NORMAL comparision in transport_generic_new_cmd - nab) (Fix missing break in sbc_set_prot_op_checks - DanC + Sagi) Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-13Target/transport: Allocate protection sg if neededSagi Grimberg
In case protection information is involved, allocate protection SG-list for transport. Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-13target: silence GCC warning in target_alua_state_checkPaul Bolle
Building target_core_alua.o triggers a GCC warning: drivers/target/target_core_alua.c: In function ‘target_alua_state_check’: drivers/target/target_core_alua.c:773:18: warning: ‘alua_ascq’ may be used uninitialized in this function [-Wmaybe-uninitialized] cmd->scsi_ascq = alua_ascq; ^ This is a false positive. A little trial and error shows it is apparently caused by core_alua_state_lba_dependent(). It must be hard for GCC to track the branches of a switch statement, inside a list_for_each_entry loop, inside a while loop. But if we add a small (inline) helper function we can reorganize the code a bit. That also allows to drop alua_ascq which, obviously, gets rid of this warning. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-06Target/sbc: Fix sbc_copy_prot for offset scattersSagi Grimberg
When copying between device and command protection scatters we must take into account that device scatters might be offset and we might copy outside scatter range. Thus for each cmd prot scatter we must take the min between cmd prot scatter, dev prot scatter, and whats left (and loop in case we havn't copied enough from/to cmd prot scatter). Example (single t_prot_sg of len 2048): kernel: sbc_dif_copy_prot: se_cmd=ffff880380aaf970, left=2048, len=2048, dev_prot_sg_offset=3072, dev_prot_sg_len=4096 kernel: isert: se_cmd=ffff880380aaf970 PI error found type 0 at sector 0x2600 expected 0x0 vs actual 0x725f, lba=2580 Instead of copying 2048 from offset 3072 (copying junk outside sg limit 4096), we must to copy 1024 and continue to next sg until we complete cmd prot scatter. This issue was found using iSER T10-PI offload over rd_mcp (wasn't discovered with fileio since file_dev prot sglists are never offset). Changes from v1: - Fix sbc_copy_prot copy length miss-calculation Changes from v0: - Removed psg->offset consideration for psg_len computation - Removed sg->offset consideration for offset condition - Added copied consideraiton for len computation - Added copied offset to paddr when doing memcpy Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-04iscsi/iser-target: Fix isert_conn->state hung shutdown issuesNicholas Bellinger
This patch addresses a couple of different hug shutdown issues related to wait_event() + isert_conn->state. First, it changes isert_conn->conn_wait + isert_conn->conn_wait_comp_err from waitqueues to completions, and sets ISER_CONN_TERMINATING from within isert_disconnect_work(). Second, it splits isert_free_conn() into isert_wait_conn() that is called earlier in iscsit_close_connection() to ensure that all outstanding commands have completed before continuing. Finally, it breaks isert_cq_comp_err() into seperate TX / RX related code, and adds logic in isert_cq_rx_comp_err() to wait for outstanding commands to complete before setting ISER_CONN_DOWN and calling complete(&isert_conn->conn_wait_comp_err). Acked-by: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: <stable@vger.kernel.org> #3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-04iscsi/iser-target: Use list_del_init for ->i_conn_nodeNicholas Bellinger
There are a handful of uses of list_empty() for cmd->i_conn_node within iser-target code that expect to return false once a cmd has been removed from the per connect list. This patch changes all uses of list_del -> list_del_init in order to ensure that list_empty() returns false as expected. Acked-by: Sagi Grimberg <sagig@mellanox.com> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: <stable@vger.kernel.org> #3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-03-04iscsi-target: Fix iscsit_get_tpg_from_np tpg_state bugNicholas Bellinger
This patch fixes a bug in iscsit_get_tpg_from_np() where the tpg->tpg_state sanity check was looking for TPG_STATE_FREE, instead of != TPG_STATE_ACTIVE. The latter is expected during a normal TPG shutdown once the tpg_state goes into TPG_STATE_INACTIVE in order to reject any new incoming login attempts. Cc: <stable@vger.kernel.org> #3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>