From 934a138e970e5af73d6f79469a1eb363572abbaa Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 7 Oct 2013 15:20:07 -0700 Subject: [PATCH 01/11] target: Make target_do_xcopy failures return INVALID_PARAMETER_LIST This patch changes target_do_xcopy() to properly return TCM_INVALID_PARAMETER_LIST instead of TCM_INVALID_CDB_FIELD for failures related to the EXTENDED_COPY parameter list parsing. Also, move struct xcopy_op allocation ahead of kmapping to handle the special TCM_OUT_OF_RESOURCES case. Reported-by: Thomas Glanzmann Reported-by: Douglas Gilbert Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index 3da4fd10b9f82..6b9774c1dc6cd 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -896,9 +896,17 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) return TCM_UNSUPPORTED_SCSI_OPCODE; } + xop = kzalloc(sizeof(struct xcopy_op), GFP_KERNEL); + if (!xop) { + pr_err("Unable to allocate xcopy_op\n"); + return TCM_OUT_OF_RESOURCES; + } + xop->xop_se_cmd = se_cmd; + p = transport_kmap_data_sg(se_cmd); if (!p) { pr_err("transport_kmap_data_sg() failed in target_do_xcopy\n"); + kfree(xop); return TCM_OUT_OF_RESOURCES; } @@ -920,13 +928,6 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) goto out; } - xop = kzalloc(sizeof(struct xcopy_op), GFP_KERNEL); - if (!xop) { - pr_err("Unable to allocate xcopy_op\n"); - goto out; - } - xop->xop_se_cmd = se_cmd; - pr_debug("Processing XCOPY with list_id: 0x%02x list_id_usage: 0x%02x" " tdll: %hu sdll: %u inline_dl: %u\n", list_id, list_id_usage, tdll, sdll, inline_dl); @@ -957,7 +958,7 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) if (p) transport_kunmap_data_sg(se_cmd); kfree(xop); - return TCM_INVALID_CDB_FIELD; + return TCM_INVALID_PARAMETER_LIST; } static sense_reason_t target_rcr_operating_parameters(struct se_cmd *se_cmd) From 3f7a46c67440a7fa422919ab2059cbab838ca558 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 7 Oct 2013 15:22:15 -0700 Subject: [PATCH 02/11] target: Allow non zero ListID in EXTENDED_COPY parameter list This patch changes target_do_xcopy() to allow processing of non-zero ListIDs in EXTENDED_COPY parameter list data, instead of returning CHECK_CONDITION status. As the copy offload implementation reports SNLID=1 (Supports No ListID) in OPERATING PARAMETERS, any ListID value presented by the client is currently ignored. Also, properly extract list_id_usage for informational purposes. Reported-by: Thomas Glanzmann Reported-by: Douglas Gilbert Cc: Hannes Reinecke Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index 6b9774c1dc6cd..fe985559eeb84 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -911,11 +911,8 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) } list_id = p[0]; - if (list_id != 0x00) { - pr_err("XCOPY with non zero list_id: 0x%02x\n", list_id); - goto out; - } - list_id_usage = (p[1] & 0x18); + list_id_usage = (p[1] & 0x18) >> 3; + /* * Determine TARGET DESCRIPTOR LIST LENGTH + SEGMENT DESCRIPTOR LIST LENGTH */ From acb3f2600eb8cdd35643a8b9237719ce61c98d41 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 7 Oct 2013 18:05:14 -0700 Subject: [PATCH 03/11] target: Reject EXTENDED_COPY when emulate_3pc is disabled This patch rejects EXTENDED_COPY when the emulate_3pc attribute has been explicitly disabled for the receiving device. It also adds a similar check in target_xcopy_locate_se_dev_e4() to ignore these devices when doing a search based upon the identifier WWN provided by EXTENDED_COPY parameter list target descriptors. Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index fe985559eeb84..eeeaf99387ced 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -82,6 +82,9 @@ static int target_xcopy_locate_se_dev_e4(struct se_cmd *se_cmd, struct xcopy_op mutex_lock(&g_device_mutex); list_for_each_entry(se_dev, &g_device_list, g_dev_node) { + if (!se_dev->dev_attrib.emulate_3pc) + continue; + memset(&tmp_dev_wwn[0], 0, XCOPY_NAA_IEEE_REGEX_LEN); target_xcopy_gen_naa_ieee(se_dev, &tmp_dev_wwn[0]); @@ -884,12 +887,18 @@ static void target_xcopy_do_work(struct work_struct *work) sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) { + struct se_device *dev = se_cmd->se_dev; struct xcopy_op *xop = NULL; unsigned char *p = NULL, *seg_desc; unsigned int list_id, list_id_usage, sdll, inline_dl, sa; int rc; unsigned short tdll; + if (!dev->dev_attrib.emulate_3pc) { + pr_err("EXTENDED_COPY operation explicitly disabled\n"); + return TCM_UNSUPPORTED_SCSI_OPCODE; + } + sa = se_cmd->t_task_cdb[1] & 0x1f; if (sa != 0x00) { pr_err("EXTENDED_COPY(LID4) not supported\n"); From 2053a1db41193c2b5e1f47a91aaba0fd63ba7102 Mon Sep 17 00:00:00 2001 From: Roland Dreier Date: Tue, 8 Oct 2013 09:47:22 -0700 Subject: [PATCH 04/11] target: Fix assignment of LUN in tracepoints The unpacked_lun field in the SCSI target tracepoints should be initialized with cmd->orig_fe_lun rather than cmd->se_lun->unpacked_lun for two reasons: - most importantly, if we are in the cmd_complete tracepoint returning a check condition due to no LUN found, cmd->se_lun will be NULL and we'll crash trying to dereference it. - also, in any case, cmd->se_lun->unpacked_lun is an internal index into the target's internal set of LUNs; cmd->orig_fe_lun is much more useful and interesting, since it's the value the initiator actually sent. Signed-off-by: Roland Dreier Cc: # 3.11+ Signed-off-by: Nicholas Bellinger --- include/trace/events/target.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/trace/events/target.h b/include/trace/events/target.h index aef8fc3540254..da9cc0f05c938 100644 --- a/include/trace/events/target.h +++ b/include/trace/events/target.h @@ -144,7 +144,7 @@ TRACE_EVENT(target_sequencer_start, ), TP_fast_assign( - __entry->unpacked_lun = cmd->se_lun->unpacked_lun; + __entry->unpacked_lun = cmd->orig_fe_lun; __entry->opcode = cmd->t_task_cdb[0]; __entry->data_length = cmd->data_length; __entry->task_attribute = cmd->sam_task_attr; @@ -182,7 +182,7 @@ TRACE_EVENT(target_cmd_complete, ), TP_fast_assign( - __entry->unpacked_lun = cmd->se_lun->unpacked_lun; + __entry->unpacked_lun = cmd->orig_fe_lun; __entry->opcode = cmd->t_task_cdb[0]; __entry->data_length = cmd->data_length; __entry->task_attribute = cmd->sam_task_attr; From 5cb770bf4b777dae832151f4bc4d35e7a99f9880 Mon Sep 17 00:00:00 2001 From: Roland Dreier Date: Mon, 14 Oct 2013 15:49:23 -0700 Subject: [PATCH 05/11] target: Return an error for WRITE SAME with ANCHOR==1 Per SBC-3, since we report ANC_SUP==0 in VPD page B2h, we need to return an error (ILLEGAL REQUEST/INVALID FIELD IN CDB) for all WRITE SAME requests with ANCHOR==1. Signed-off-by: Roland Dreier Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_sbc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c index 4714c6f8da4be..d9b92b2c524d4 100644 --- a/drivers/target/target_core_sbc.c +++ b/drivers/target/target_core_sbc.c @@ -263,6 +263,11 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o sectors, cmd->se_dev->dev_attrib.max_write_same_len); return TCM_INVALID_CDB_FIELD; } + /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */ + if (flags[0] & 0x10) { + pr_warn("WRITE SAME with ANCHOR not supported\n"); + return TCM_INVALID_CDB_FIELD; + } /* * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting * translated into block discard requests within backend code. From 0a66614b937c4cfe98c68613259367bf402f368b Mon Sep 17 00:00:00 2001 From: Vu Pham Date: Tue, 22 Oct 2013 00:48:54 +0300 Subject: [PATCH 06/11] iser-target: check device before dereferencing its variable This patch changes isert_connect_release() to correctly check for the existence struct isert_device *device before checking for isert_device->use_frwr. Signed-off-by: Vu Pham Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 3591855cc5b54..6df23502059a4 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -594,7 +594,7 @@ isert_connect_release(struct isert_conn *isert_conn) pr_debug("Entering isert_connect_release(): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"); - if (device->use_frwr) + if (device && device->use_frwr) isert_conn_free_frwr_pool(isert_conn); if (isert_conn->conn_qp) { From 366bda191c344ec4d7a5b908cf047bc09639ad3d Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Thu, 24 Oct 2013 00:10:36 -0700 Subject: [PATCH 07/11] target: Add missing XCOPY I/O operation sense_buffer This patch adds the missing xcopy_pt_cmd->sense_buffer[] required for correctly handling CHECK_CONDITION exceptions within the locally generated XCOPY I/O path. Also update target_xcopy_read_source() + target_xcopy_setup_pt_cmd() to pass this buffer into transport_init_se_cmd() to correctly setup se_cmd->sense_buffer. Reported-by: Thomas Glanzmann Reported-by: Douglas Gilbert Cc: Thomas Glanzmann Cc: Douglas Gilbert Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index eeeaf99387ced..5edcd2bebee8f 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -360,6 +360,7 @@ struct xcopy_pt_cmd { struct se_cmd se_cmd; struct xcopy_op *xcopy_op; struct completion xpt_passthrough_sem; + unsigned char sense_buffer[TRANSPORT_SENSE_BUFFER]; }; static struct se_port xcopy_pt_port; @@ -711,7 +712,7 @@ static int target_xcopy_read_source( (unsigned long long)src_lba, src_sectors, length); transport_init_se_cmd(se_cmd, &xcopy_pt_tfo, NULL, length, - DMA_FROM_DEVICE, 0, NULL); + DMA_FROM_DEVICE, 0, &xpt_cmd->sense_buffer[0]); xop->src_pt_cmd = xpt_cmd; rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0], @@ -771,7 +772,7 @@ static int target_xcopy_write_destination( (unsigned long long)dst_lba, dst_sectors, length); transport_init_se_cmd(se_cmd, &xcopy_pt_tfo, NULL, length, - DMA_TO_DEVICE, 0, NULL); + DMA_TO_DEVICE, 0, &xpt_cmd->sense_buffer[0]); xop->dst_pt_cmd = xpt_cmd; rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, dst_dev, &cdb[0], From 8a955d6dcc1840fa9cba73eb6db831c8fea19d95 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Thu, 24 Oct 2013 00:15:27 -0700 Subject: [PATCH 08/11] target: Generate failure for XCOPY I/O with non-zero scsi_status This patch adds the missing non-zero se_cmd->scsi_status check required for local XCOPY I/O within target_xcopy_issue_pt_cmd() to signal an exception case failure. This will trigger the generation of SAM_STAT_CHECK_CONDITION status from within target_xcopy_do_work() process context code. Reported-by: Thomas Glanzmann Reported-by: Douglas Gilbert Cc: Thomas Glanzmann Cc: Douglas Gilbert Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index 5edcd2bebee8f..0e41143fc16e8 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -679,7 +679,8 @@ static int target_xcopy_issue_pt_cmd(struct xcopy_pt_cmd *xpt_cmd) pr_debug("target_xcopy_issue_pt_cmd(): SCSI status: 0x%02x\n", se_cmd->scsi_status); - return 0; + + return (se_cmd->scsi_status) ? -EINVAL : 0; } static int target_xcopy_read_source( From 48502ddbfb9840803f633ff81eee507e0fdae7c5 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Thu, 24 Oct 2013 00:27:00 -0700 Subject: [PATCH 09/11] target: Fail XCOPY for non matching source + destination block_size This patch adds an explicit check + failure for XCOPY I/O to source + destination devices with a non-matching block_size. This limitiation is currently due to the fact that the scatterlist memory allocated for the XCOPY READ operation is passed zero-copy to the XCOPY WRITE operation. Reported-by: Thomas Glanzmann Reported-by: Douglas Gilbert Cc: Thomas Glanzmann Cc: Douglas Gilbert Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_xcopy.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c index 0e41143fc16e8..474cd44fac14d 100644 --- a/drivers/target/target_core_xcopy.c +++ b/drivers/target/target_core_xcopy.c @@ -893,6 +893,7 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) struct xcopy_op *xop = NULL; unsigned char *p = NULL, *seg_desc; unsigned int list_id, list_id_usage, sdll, inline_dl, sa; + sense_reason_t ret = TCM_INVALID_PARAMETER_LIST; int rc; unsigned short tdll; @@ -944,6 +945,17 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) if (rc <= 0) goto out; + if (xop->src_dev->dev_attrib.block_size != + xop->dst_dev->dev_attrib.block_size) { + pr_err("XCOPY: Non matching src_dev block_size: %u + dst_dev" + " block_size: %u currently unsupported\n", + xop->src_dev->dev_attrib.block_size, + xop->dst_dev->dev_attrib.block_size); + xcopy_pt_undepend_remotedev(xop); + ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + goto out; + } + pr_debug("XCOPY: Processed %d target descriptors, length: %u\n", rc, rc * XCOPY_TARGET_DESC_LEN); seg_desc = &p[16]; @@ -966,7 +978,7 @@ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd) if (p) transport_kunmap_data_sg(se_cmd); kfree(xop); - return TCM_INVALID_PARAMETER_LIST; + return ret; } static sense_reason_t target_rcr_operating_parameters(struct se_cmd *se_cmd) From 58932e96e438cd78f75e765d7b87ef39d3533d15 Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Fri, 25 Oct 2013 21:53:33 +0800 Subject: [PATCH 10/11] target/pscsi: fix return value check In case of error, the function scsi_host_lookup() returns NULL pointer not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with NULL test. Signed-off-by: Wei Yongjun Cc: Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_pscsi.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c index 551c96ca60aca..0f199f6a07385 100644 --- a/drivers/target/target_core_pscsi.c +++ b/drivers/target/target_core_pscsi.c @@ -134,10 +134,10 @@ static int pscsi_pmode_enable_hba(struct se_hba *hba, unsigned long mode_flag) * pSCSI Host ID and enable for phba mode */ sh = scsi_host_lookup(phv->phv_host_id); - if (IS_ERR(sh)) { + if (!sh) { pr_err("pSCSI: Unable to locate SCSI Host for" " phv_host_id: %d\n", phv->phv_host_id); - return PTR_ERR(sh); + return -EINVAL; } phv->phv_lld_host = sh; @@ -515,10 +515,10 @@ static int pscsi_configure_device(struct se_device *dev) sh = phv->phv_lld_host; } else { sh = scsi_host_lookup(pdv->pdv_host_id); - if (IS_ERR(sh)) { + if (!sh) { pr_err("pSCSI: Unable to locate" " pdv_host_id: %d\n", pdv->pdv_host_id); - return PTR_ERR(sh); + return -EINVAL; } } } else { From 60a01f558af9c48b0bb31f303c479e32721add3f Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Fri, 25 Oct 2013 10:44:15 -0700 Subject: [PATCH 11/11] vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter This patch addresses a long-standing bug where the get_user_pages_fast() write parameter used for setting the underlying page table entry permission bits was incorrectly set to write=1 for data_direction=DMA_TO_DEVICE, and passed into get_user_pages_fast() via vhost_scsi_map_iov_to_sgl(). However, this parameter is intended to signal WRITEs to pinned userspace PTEs for the virtio-scsi DMA_FROM_DEVICE -> READ payload case, and *not* for the virtio-scsi DMA_TO_DEVICE -> WRITE payload case. This bug would manifest itself as random process segmentation faults on KVM host after repeated vhost starts + stops and/or with lots of vhost endpoints + LUNs. Cc: Stefan Hajnoczi Cc: Michael S. Tsirkin Cc: Asias He Cc: # 3.6+ Signed-off-by: Nicholas Bellinger --- drivers/vhost/scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index ce5221fa393a8..e663921eebb6f 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -1056,7 +1056,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) if (data_direction != DMA_NONE) { ret = vhost_scsi_map_iov_to_sgl(cmd, &vq->iov[data_first], data_num, - data_direction == DMA_TO_DEVICE); + data_direction == DMA_FROM_DEVICE); if (unlikely(ret)) { vq_err(vq, "Failed to map iov to sgl\n"); goto err_free;