<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/target, branch v4.10.4</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>target: Fix NULL dereference during LUN lookup + active I/O shutdown</title>
<updated>2017-03-15T02:20:12+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2017-02-23T06:06:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f9b90f20474948f22f2e25abc98a85fa39009db5'/>
<id>f9b90f20474948f22f2e25abc98a85fa39009db5</id>
<content type='text'>
commit bd4e2d2907fa23a11d46217064ecf80470ddae10 upstream.

When transport_clear_lun_ref() is shutting down a se_lun via
configfs with new I/O in-flight, it's possible to trigger a
NULL pointer dereference in transport_lookup_cmd_lun() due
to the fact percpu_ref_get() doesn't do any __PERCPU_REF_DEAD
checking before incrementing lun-&gt;lun_ref.count after
lun-&gt;lun_ref has switched to atomic_t mode.

This results in a NULL pointer dereference as LUN shutdown
code in core_tpg_remove_lun() continues running after the
existing -&gt;release() -&gt; core_tpg_lun_ref_release() callback
completes, and clears the RCU protected se_lun-&gt;lun_se_dev
pointer.

During the OOPs, the state of lun-&gt;lun_ref in the process
which triggered the NULL pointer dereference looks like
the following on v4.1.y stable code:

struct se_lun {
  lun_link_magic = 4294932337,
  lun_status = TRANSPORT_LUN_STATUS_FREE,

  .....

  lun_se_dev = 0x0,
  lun_sep = 0x0,

  .....

  lun_ref = {
    count = {
      counter = 1
    },
    percpu_count_ptr = 3,
    release = 0xffffffffa02fa1e0 &lt;core_tpg_lun_ref_release&gt;,
    confirm_switch = 0x0,
    force_atomic = false,
    rcu = {
      next = 0xffff88154fa1a5d0,
      func = 0xffffffff8137c4c0 &lt;percpu_ref_switch_to_atomic_rcu&gt;
    }
  }
}

To address this bug, use percpu_ref_tryget_live() to ensure
once __PERCPU_REF_DEAD is visable on all CPUs and -&gt;lun_ref
has switched to atomic_t, all new I/Os will fail to obtain
a new lun-&gt;lun_ref reference.

Also use an explicit percpu_ref_kill_and_confirm() callback
to block on -&gt;lun_ref_comp to allow the first stage and
associated RCU grace period to complete, and then block on
-&gt;lun_ref_shutdown waiting for the final percpu_ref_put()
to drop the last reference via transport_lun_remove_cmd()
before continuing with core_tpg_remove_lun() shutdown.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Vaibhav Tandon &lt;vst@datera.io&gt;
Cc: Vaibhav Tandon &lt;vst@datera.io&gt;
Tested-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bd4e2d2907fa23a11d46217064ecf80470ddae10 upstream.

When transport_clear_lun_ref() is shutting down a se_lun via
configfs with new I/O in-flight, it's possible to trigger a
NULL pointer dereference in transport_lookup_cmd_lun() due
to the fact percpu_ref_get() doesn't do any __PERCPU_REF_DEAD
checking before incrementing lun-&gt;lun_ref.count after
lun-&gt;lun_ref has switched to atomic_t mode.

This results in a NULL pointer dereference as LUN shutdown
code in core_tpg_remove_lun() continues running after the
existing -&gt;release() -&gt; core_tpg_lun_ref_release() callback
completes, and clears the RCU protected se_lun-&gt;lun_se_dev
pointer.

During the OOPs, the state of lun-&gt;lun_ref in the process
which triggered the NULL pointer dereference looks like
the following on v4.1.y stable code:

struct se_lun {
  lun_link_magic = 4294932337,
  lun_status = TRANSPORT_LUN_STATUS_FREE,

  .....

  lun_se_dev = 0x0,
  lun_sep = 0x0,

  .....

  lun_ref = {
    count = {
      counter = 1
    },
    percpu_count_ptr = 3,
    release = 0xffffffffa02fa1e0 &lt;core_tpg_lun_ref_release&gt;,
    confirm_switch = 0x0,
    force_atomic = false,
    rcu = {
      next = 0xffff88154fa1a5d0,
      func = 0xffffffff8137c4c0 &lt;percpu_ref_switch_to_atomic_rcu&gt;
    }
  }
}

To address this bug, use percpu_ref_tryget_live() to ensure
once __PERCPU_REF_DEAD is visable on all CPUs and -&gt;lun_ref
has switched to atomic_t, all new I/Os will fail to obtain
a new lun-&gt;lun_ref reference.

Also use an explicit percpu_ref_kill_and_confirm() callback
to block on -&gt;lun_ref_comp to allow the first stage and
associated RCU grace period to complete, and then block on
-&gt;lun_ref_shutdown waiting for the final percpu_ref_put()
to drop the last reference via transport_lun_remove_cmd()
before continuing with core_tpg_remove_lun() shutdown.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Vaibhav Tandon &lt;vst@datera.io&gt;
Cc: Vaibhav Tandon &lt;vst@datera.io&gt;
Tested-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix COMPARE_AND_WRITE ref leak for non GOOD status</title>
<updated>2017-02-08T16:25:39+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2017-02-06T22:28:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9b2792c3da1e80f2d460167d319302a24c9ca2b7'/>
<id>9b2792c3da1e80f2d460167d319302a24c9ca2b7</id>
<content type='text'>
This patch addresses a long standing bug where the commit phase
of COMPARE_AND_WRITE would result in a se_cmd-&gt;cmd_kref reference
leak if se_cmd-&gt;scsi_status returned non SAM_STAT_GOOD.

This would manifest first as a lost SCSI response, and eventual
hung task during fabric driver logout or re-login, as existing
shutdown logic waited for the COMPARE_AND_WRITE se_cmd-&gt;cmd_kref
to reach zero.

To address this bug, compare_and_write_post() has been changed
to drop the incorrect !cmd-&gt;scsi_status conditional that was
preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
status.

This patch has been tested with SAM_STAT_CHECK_CONDITION status
from normal target_complete_cmd() callback path, as well as the
incoming __target_execute_cmd() submission failure path when
se_cmd-&gt;execute_cmd() returns non zero status.

Reported-by: Donald White &lt;dew@datera.io&gt;
Cc: Donald White &lt;dew@datera.io&gt;
Tested-by: Gary Guo &lt;ghg@datera.io&gt;
Cc: Gary Guo &lt;ghg@datera.io&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.12+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch addresses a long standing bug where the commit phase
of COMPARE_AND_WRITE would result in a se_cmd-&gt;cmd_kref reference
leak if se_cmd-&gt;scsi_status returned non SAM_STAT_GOOD.

This would manifest first as a lost SCSI response, and eventual
hung task during fabric driver logout or re-login, as existing
shutdown logic waited for the COMPARE_AND_WRITE se_cmd-&gt;cmd_kref
to reach zero.

To address this bug, compare_and_write_post() has been changed
to drop the incorrect !cmd-&gt;scsi_status conditional that was
preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
status.

This patch has been tested with SAM_STAT_CHECK_CONDITION status
from normal target_complete_cmd() callback path, as well as the
incoming __target_execute_cmd() submission failure path when
se_cmd-&gt;execute_cmd() returns non zero status.

Reported-by: Donald White &lt;dew@datera.io&gt;
Cc: Donald White &lt;dew@datera.io&gt;
Tested-by: Gary Guo &lt;ghg@datera.io&gt;
Cc: Gary Guo &lt;ghg@datera.io&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.12+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix multi-session dynamic se_node_acl double free OOPs</title>
<updated>2017-02-08T16:25:23+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2016-12-07T20:55:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=01d4d673558985d9a118e1e05026633c3e2ade9b'/>
<id>01d4d673558985d9a118e1e05026633c3e2ade9b</id>
<content type='text'>
This patch addresses a long-standing bug with multi-session
(eg: iscsi-target + iser-target) se_node_acl dynamic free
withini transport_deregister_session().

This bug is caused when a storage endpoint is configured with
demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
initiators, and initiator login creates a new dynamic node acl
and attaches two sessions to it.

After that, demo-mode for the storage instance is disabled via
configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
the existing dynamic acl is never converted to an explicit ACL.

The end result is dynamic acl resources are released twice when
the sessions are shutdown in transport_deregister_session().

If the storage instance is not changed to disable demo-mode,
or the dynamic acl is converted to an explict ACL, or there
is only a single session associated with the dynamic ACL,
the bug is not triggered.

To address this big, move the release of dynamic se_node_acl
memory into target_complete_nacl() so it's only freed once
when se_node_acl-&gt;acl_kref reaches zero.

(Drop unnecessary list_del_init usage - HCH)

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch addresses a long-standing bug with multi-session
(eg: iscsi-target + iser-target) se_node_acl dynamic free
withini transport_deregister_session().

This bug is caused when a storage endpoint is configured with
demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
initiators, and initiator login creates a new dynamic node acl
and attaches two sessions to it.

After that, demo-mode for the storage instance is disabled via
configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
the existing dynamic acl is never converted to an explicit ACL.

The end result is dynamic acl resources are released twice when
the sessions are shutdown in transport_deregister_session().

If the storage instance is not changed to disable demo-mode,
or the dynamic acl is converted to an explict ACL, or there
is only a single session associated with the dynamic ACL,
the bug is not triggered.

To address this big, move the release of dynamic se_node_acl
memory into target_complete_nacl() so it's only freed once
when se_node_acl-&gt;acl_kref reaches zero.

(Drop unnecessary list_del_init usage - HCH)

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix early transport_generic_handle_tmr abort scenario</title>
<updated>2017-02-08T15:47:19+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2016-12-07T06:45:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c54eeffbe9338fa982dc853d816fda9202a13b5a'/>
<id>c54eeffbe9338fa982dc853d816fda9202a13b5a</id>
<content type='text'>
This patch fixes a bug where incoming task management requests
can be explicitly aborted during an active LUN_RESET, but who's
struct work_struct are canceled in-flight before execution.

This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
for the incoming se_tmr_req-&gt;task_cmd-&gt;work, resulting in cmd-&gt;work
for target_tmr_work() never getting invoked and the aborted TMR
waiting indefinately within transport_wait_for_tasks().

To address this case, perform a CMD_T_ABORTED check early in
transport_generic_handle_tmr(), and invoke the normal path via
transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
blocked waiting for CMD_T_STOP in transport_wait_for_tasks().

Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
into transport_generic_handle_tmr() so the existing check in
core_tmr_drain_tmr_list() avoids attempting abort the incoming
se_tmr_req-&gt;task_cmd-&gt;work if it has already been queued into
se_device-&gt;tmr_wq.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a bug where incoming task management requests
can be explicitly aborted during an active LUN_RESET, but who's
struct work_struct are canceled in-flight before execution.

This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
for the incoming se_tmr_req-&gt;task_cmd-&gt;work, resulting in cmd-&gt;work
for target_tmr_work() never getting invoked and the aborted TMR
waiting indefinately within transport_wait_for_tasks().

To address this case, perform a CMD_T_ABORTED check early in
transport_generic_handle_tmr(), and invoke the normal path via
transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
blocked waiting for CMD_T_STOP in transport_wait_for_tasks().

Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
into transport_generic_handle_tmr() so the existing check in
core_tmr_drain_tmr_list() avoids attempting abort the incoming
se_tmr_req-&gt;task_cmd-&gt;work if it has already been queued into
se_device-&gt;tmr_wq.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Use correct SCSI status during EXTENDED_COPY exception</title>
<updated>2017-02-08T15:46:54+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2016-10-31T07:54:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0583c261e6325f392c1f7a1b9112e31298e1a4bd'/>
<id>0583c261e6325f392c1f7a1b9112e31298e1a4bd</id>
<content type='text'>
This patch adds the missing target_complete_cmd() SCSI status
parameter change in target_xcopy_do_work(), that was originally
missing in commit 926317de33.

It correctly propigates up the correct SCSI status during
EXTENDED_COPY exception cases, instead of always using the
hardcoded SAM_STAT_CHECK_CONDITION from original code.

This is required for ESX host environments that expect to
hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
and SAM_STAT_CHECK_CONDITION results in non-retriable
status for these cases.

Reported-by: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Tested-by: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Cc: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds the missing target_complete_cmd() SCSI status
parameter change in target_xcopy_do_work(), that was originally
missing in commit 926317de33.

It correctly propigates up the correct SCSI status during
EXTENDED_COPY exception cases, instead of always using the
hardcoded SAM_STAT_CHECK_CONDITION from original code.

This is required for ESX host environments that expect to
hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
and SAM_STAT_CHECK_CONDITION results in non-retriable
status for these cases.

Reported-by: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Tested-by: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Cc: Nixon Vincent &lt;nixon.vincent@calsoftinc.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Don't BUG_ON during NodeACL dynamic -&gt; explicit conversion</title>
<updated>2017-02-08T15:46:31+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2016-10-23T21:28:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=391e2a6de9781e4906dd7e0b1cc097050bf43e11'/>
<id>391e2a6de9781e4906dd7e0b1cc097050bf43e11</id>
<content type='text'>
After the v4.2+ RCU conversion to se_node_acl-&gt;lun_entry_hlist,
a BUG_ON() was added in core_enable_device_list_for_node() to
detect when the located orig-&gt;se_lun_acl contains an existing
se_lun_acl pointer reference.

However, this scenario can happen when a dynamically generated
NodeACL is being converted to an explicit NodeACL, when the
explicit NodeACL contains a different LUN mapping than the
default provided by the WWN endpoint.

So instead of triggering BUG_ON(), go ahead and fail instead
following the original pre RCU conversion logic.

Reported-by: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Cc: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After the v4.2+ RCU conversion to se_node_acl-&gt;lun_entry_hlist,
a BUG_ON() was added in core_enable_device_list_for_node() to
detect when the located orig-&gt;se_lun_acl contains an existing
se_lun_acl pointer reference.

However, this scenario can happen when a dynamically generated
NodeACL is being converted to an explicit NodeACL, when the
explicit NodeACL contains a different LUN mapping than the
default provided by the WWN endpoint.

So instead of triggering BUG_ON(), go ahead and fail instead
following the original pre RCU conversion logic.

Reported-by: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Cc: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: support XCOPY requests without parameters</title>
<updated>2017-01-10T16:41:30+00:00</updated>
<author>
<name>David Disseldorp</name>
<email>ddiss@suse.de</email>
</author>
<published>2017-01-02T17:04:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=87156518da94a696f2b27ab8945d531af2f1d339'/>
<id>87156518da94a696f2b27ab8945d531af2f1d339</id>
<content type='text'>
SPC4r37 6.4.1 EXTENDED COPY(LID4) states (also applying to LID1 reqs):
  A parameter list length of zero specifies that the copy manager shall
  not transfer any data or alter any internal state, and this shall not
  be considered an error.

This behaviour can be tested using the libiscsi ExtendedCopy.ParamHdr
test.

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SPC4r37 6.4.1 EXTENDED COPY(LID4) states (also applying to LID1 reqs):
  A parameter list length of zero specifies that the copy manager shall
  not transfer any data or alter any internal state, and this shall not
  be considered an error.

This behaviour can be tested using the libiscsi ExtendedCopy.ParamHdr
test.

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: check for XCOPY parameter truncation</title>
<updated>2017-01-10T16:41:27+00:00</updated>
<author>
<name>David Disseldorp</name>
<email>ddiss@suse.de</email>
</author>
<published>2017-01-02T17:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f94fd098f674b78c29f482da1999d8de0c93c74e'/>
<id>f94fd098f674b78c29f482da1999d8de0c93c74e</id>
<content type='text'>
Check for XCOPY header, CSCD descriptor and segment descriptor list
truncation, and respond accordingly.

SPC4r37 6.4.1 EXTENDED COPY(LID4) states (also applying to LID1 reqs):
  If the parameter list length causes truncation of the parameter list,
  then the copy manager shall transfer no data and shall terminate the
  EXTENDED COPY command with CHECK CONDITION status, with the sense key
  set to ILLEGAL REQUEST, and the additional sense code set to PARAMETER
  LIST LENGTH ERROR.

This behaviour can be tested using the libiscsi ExtendedCopy.ParamHdr
test.

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Check for XCOPY header, CSCD descriptor and segment descriptor list
truncation, and respond accordingly.

SPC4r37 6.4.1 EXTENDED COPY(LID4) states (also applying to LID1 reqs):
  If the parameter list length causes truncation of the parameter list,
  then the copy manager shall transfer no data and shall terminate the
  EXTENDED COPY command with CHECK CONDITION status, with the sense key
  set to ILLEGAL REQUEST, and the additional sense code set to PARAMETER
  LIST LENGTH ERROR.

This behaviour can be tested using the libiscsi ExtendedCopy.ParamHdr
test.

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: use XCOPY segment descriptor CSCD IDs</title>
<updated>2017-01-10T16:41:19+00:00</updated>
<author>
<name>David Disseldorp</name>
<email>ddiss@suse.de</email>
</author>
<published>2017-01-02T17:04:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=66640d35c1e4ef3c96ba5edb3c5e2ff8ab812e7a'/>
<id>66640d35c1e4ef3c96ba5edb3c5e2ff8ab812e7a</id>
<content type='text'>
The XCOPY specification in SPC4r37 states that the XCOPY source and
destination device(s) should be derived from the copy source and copy
destination (CSCD) descriptor IDs in the XCOPY segment descriptor.

The CSCD IDs are generally (for block -&gt; block copies), indexes into
the corresponding CSCD descriptor list, e.g.
=================================
EXTENDED COPY Header
=================================
CSCD Descriptor List
- entry 0
  + LU ID &lt;--------------&lt;------------------\
- entry 1                                   |
  + LU ID &lt;______________&lt;_____________     |
=================================      |    |
Segment Descriptor List                |    |
- segment 0                            |    |
  + src CSCD ID = 0 ---------&gt;---------+----/
  + dest CSCD ID = 1 ___________&gt;______|
  + len
  + src lba
  + dest lba
=================================

Currently LIO completely ignores the src and dest CSCD IDs in the
Segment Descriptor List, and instead assumes that the first entry in the
CSCD list corresponds to the source, and the second to the destination.

This commit removes this assumption, by ensuring that the Segment
Descriptor List is parsed prior to processing the CSCD Descriptor List.
CSCD Descriptor List processing is modified to compare the current list
index with the previously obtained src and dest CSCD IDs.

Additionally, XCOPY requests where the src and dest CSCD IDs refer to
the CSCD Descriptor List entry can now be successfully processed.

Fixes: cbf031f ("target: Add support for EXTENDED_COPY copy offload")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=191381
Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The XCOPY specification in SPC4r37 states that the XCOPY source and
destination device(s) should be derived from the copy source and copy
destination (CSCD) descriptor IDs in the XCOPY segment descriptor.

The CSCD IDs are generally (for block -&gt; block copies), indexes into
the corresponding CSCD descriptor list, e.g.
=================================
EXTENDED COPY Header
=================================
CSCD Descriptor List
- entry 0
  + LU ID &lt;--------------&lt;------------------\
- entry 1                                   |
  + LU ID &lt;______________&lt;_____________     |
=================================      |    |
Segment Descriptor List                |    |
- segment 0                            |    |
  + src CSCD ID = 0 ---------&gt;---------+----/
  + dest CSCD ID = 1 ___________&gt;______|
  + len
  + src lba
  + dest lba
=================================

Currently LIO completely ignores the src and dest CSCD IDs in the
Segment Descriptor List, and instead assumes that the first entry in the
CSCD list corresponds to the source, and the second to the destination.

This commit removes this assumption, by ensuring that the Segment
Descriptor List is parsed prior to processing the CSCD Descriptor List.
CSCD Descriptor List processing is modified to compare the current list
index with the previously obtained src and dest CSCD IDs.

Additionally, XCOPY requests where the src and dest CSCD IDs refer to
the CSCD Descriptor List entry can now be successfully processed.

Fixes: cbf031f ("target: Add support for EXTENDED_COPY copy offload")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=191381
Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: check XCOPY segment descriptor CSCD IDs</title>
<updated>2017-01-10T16:41:13+00:00</updated>
<author>
<name>David Disseldorp</name>
<email>ddiss@suse.de</email>
</author>
<published>2017-01-02T17:04:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f184210bca6c9d0091ff5e5629dea4cbb8a17c0f'/>
<id>f184210bca6c9d0091ff5e5629dea4cbb8a17c0f</id>
<content type='text'>
Ensure that the segment descriptor CSCD descriptor ID values correspond
to CSCD descriptor entries located in the XCOPY command parameter list.
SPC4r37 6.4.6.1 Table 150 specifies this range as 0000h to 07FFh, where
the CSCD descriptor location in the parameter list can be located via:
16 + (id * 32)

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
[ bvanassche: inserted "; " in the format string of an error message
  and also moved a "||" operator from the start of a line to the end
  of the previous line ]
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ensure that the segment descriptor CSCD descriptor ID values correspond
to CSCD descriptor entries located in the XCOPY command parameter list.
SPC4r37 6.4.6.1 Table 150 specifies this range as 0000h to 07FFh, where
the CSCD descriptor location in the parameter list can be located via:
16 + (id * 32)

Signed-off-by: David Disseldorp &lt;ddiss@suse.de&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
[ bvanassche: inserted "; " in the format string of an error message
  and also moved a "||" operator from the start of a line to the end
  of the previous line ]
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
