<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/target/target_core_device.c, branch v4.11</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>target: Fix NULL dereference during LUN lookup + active I/O shutdown</title>
<updated>2017-02-27T00:08:44+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2017-02-23T06:06:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bd4e2d2907fa23a11d46217064ecf80470ddae10'/>
<id>bd4e2d2907fa23a11d46217064ecf80470ddae10</id>
<content type='text'>
When transport_clear_lun_ref() is shutting down a se_lun via
configfs with new I/O in-flight, it's possible to trigger a
NULL pointer dereference in transport_lookup_cmd_lun() due
to the fact percpu_ref_get() doesn't do any __PERCPU_REF_DEAD
checking before incrementing lun-&gt;lun_ref.count after
lun-&gt;lun_ref has switched to atomic_t mode.

This results in a NULL pointer dereference as LUN shutdown
code in core_tpg_remove_lun() continues running after the
existing -&gt;release() -&gt; core_tpg_lun_ref_release() callback
completes, and clears the RCU protected se_lun-&gt;lun_se_dev
pointer.

During the OOPs, the state of lun-&gt;lun_ref in the process
which triggered the NULL pointer dereference looks like
the following on v4.1.y stable code:

struct se_lun {
  lun_link_magic = 4294932337,
  lun_status = TRANSPORT_LUN_STATUS_FREE,

  .....

  lun_se_dev = 0x0,
  lun_sep = 0x0,

  .....

  lun_ref = {
    count = {
      counter = 1
    },
    percpu_count_ptr = 3,
    release = 0xffffffffa02fa1e0 &lt;core_tpg_lun_ref_release&gt;,
    confirm_switch = 0x0,
    force_atomic = false,
    rcu = {
      next = 0xffff88154fa1a5d0,
      func = 0xffffffff8137c4c0 &lt;percpu_ref_switch_to_atomic_rcu&gt;
    }
  }
}

To address this bug, use percpu_ref_tryget_live() to ensure
once __PERCPU_REF_DEAD is visable on all CPUs and -&gt;lun_ref
has switched to atomic_t, all new I/Os will fail to obtain
a new lun-&gt;lun_ref reference.

Also use an explicit percpu_ref_kill_and_confirm() callback
to block on -&gt;lun_ref_comp to allow the first stage and
associated RCU grace period to complete, and then block on
-&gt;lun_ref_shutdown waiting for the final percpu_ref_put()
to drop the last reference via transport_lun_remove_cmd()
before continuing with core_tpg_remove_lun() shutdown.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Vaibhav Tandon &lt;vst@datera.io&gt;
Cc: Vaibhav Tandon &lt;vst@datera.io&gt;
Tested-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When transport_clear_lun_ref() is shutting down a se_lun via
configfs with new I/O in-flight, it's possible to trigger a
NULL pointer dereference in transport_lookup_cmd_lun() due
to the fact percpu_ref_get() doesn't do any __PERCPU_REF_DEAD
checking before incrementing lun-&gt;lun_ref.count after
lun-&gt;lun_ref has switched to atomic_t mode.

This results in a NULL pointer dereference as LUN shutdown
code in core_tpg_remove_lun() continues running after the
existing -&gt;release() -&gt; core_tpg_lun_ref_release() callback
completes, and clears the RCU protected se_lun-&gt;lun_se_dev
pointer.

During the OOPs, the state of lun-&gt;lun_ref in the process
which triggered the NULL pointer dereference looks like
the following on v4.1.y stable code:

struct se_lun {
  lun_link_magic = 4294932337,
  lun_status = TRANSPORT_LUN_STATUS_FREE,

  .....

  lun_se_dev = 0x0,
  lun_sep = 0x0,

  .....

  lun_ref = {
    count = {
      counter = 1
    },
    percpu_count_ptr = 3,
    release = 0xffffffffa02fa1e0 &lt;core_tpg_lun_ref_release&gt;,
    confirm_switch = 0x0,
    force_atomic = false,
    rcu = {
      next = 0xffff88154fa1a5d0,
      func = 0xffffffff8137c4c0 &lt;percpu_ref_switch_to_atomic_rcu&gt;
    }
  }
}

To address this bug, use percpu_ref_tryget_live() to ensure
once __PERCPU_REF_DEAD is visable on all CPUs and -&gt;lun_ref
has switched to atomic_t, all new I/Os will fail to obtain
a new lun-&gt;lun_ref reference.

Also use an explicit percpu_ref_kill_and_confirm() callback
to block on -&gt;lun_ref_comp to allow the first stage and
associated RCU grace period to complete, and then block on
-&gt;lun_ref_shutdown waiting for the final percpu_ref_put()
to drop the last reference via transport_lun_remove_cmd()
before continuing with core_tpg_remove_lun() shutdown.

Reported-by: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Rob Millner &lt;rlm@daterainc.com&gt;
Cc: Rob Millner &lt;rlm@daterainc.com&gt;
Tested-by: Vaibhav Tandon &lt;vst@datera.io&gt;
Cc: Vaibhav Tandon &lt;vst@datera.io&gt;
Tested-by: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.14+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Remove se_tmr_req.tmr_lun</title>
<updated>2017-02-09T08:39:10+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2016-12-23T12:23:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4f4c6c3ddb15af396cd8cf81b487b59261199ee9'/>
<id>4f4c6c3ddb15af396cd8cf81b487b59261199ee9</id>
<content type='text'>
Member tmr_lun of se_tmr_req is set but not used. Hence remove it.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Himanshu Madhani &lt;himanshu.madhani@cavium.com&gt;
Cc: Giridhar Malavali &lt;giridhar.malavali@cavium.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Member tmr_lun of se_tmr_req is set but not used. Hence remove it.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Himanshu Madhani &lt;himanshu.madhani@cavium.com&gt;
Cc: Giridhar Malavali &lt;giridhar.malavali@cavium.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Don't BUG_ON during NodeACL dynamic -&gt; explicit conversion</title>
<updated>2017-02-08T15:46:31+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2016-10-23T21:28:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=391e2a6de9781e4906dd7e0b1cc097050bf43e11'/>
<id>391e2a6de9781e4906dd7e0b1cc097050bf43e11</id>
<content type='text'>
After the v4.2+ RCU conversion to se_node_acl-&gt;lun_entry_hlist,
a BUG_ON() was added in core_enable_device_list_for_node() to
detect when the located orig-&gt;se_lun_acl contains an existing
se_lun_acl pointer reference.

However, this scenario can happen when a dynamically generated
NodeACL is being converted to an explicit NodeACL, when the
explicit NodeACL contains a different LUN mapping than the
default provided by the WWN endpoint.

So instead of triggering BUG_ON(), go ahead and fail instead
following the original pre RCU conversion logic.

Reported-by: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Cc: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After the v4.2+ RCU conversion to se_node_acl-&gt;lun_entry_hlist,
a BUG_ON() was added in core_enable_device_list_for_node() to
detect when the located orig-&gt;se_lun_acl contains an existing
se_lun_acl pointer reference.

However, this scenario can happen when a dynamically generated
NodeACL is being converted to an explicit NodeACL, when the
explicit NodeACL contains a different LUN mapping than the
default provided by the WWN endpoint.

So instead of triggering BUG_ON(), go ahead and fail instead
following the original pre RCU conversion logic.

Reported-by: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Cc: Benjamin ESTRABAUD &lt;ben.estrabaud@mpstor.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: stable@vger.kernel.org # 4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Minimize #include directives</title>
<updated>2016-12-09T18:22:28+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2016-11-14T23:47:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8dcf07be2d0bcbfcebc49b9451a4feaf83e3428b'/>
<id>8dcf07be2d0bcbfcebc49b9451a4feaf83e3428b</id>
<content type='text'>
Remove superfluous #include directives from the include/target/*.h
files. Add missing #include directives to other *.h and *.c files.
Use forward declarations for structures where possible. This
change reduces the build time for make M=drivers/target on my
laptop from 27.1s to 18.7s or by about 30%.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove superfluous #include directives from the include/target/*.h
files. Add missing #include directives to other *.h and *.c files.
Use forward declarations for structures where possible. This
change reduces the build time for make M=drivers/target on my
laptop from 27.1s to 18.7s or by about 30%.

Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Bryant G. Ly &lt;bryantly@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix max_unmap_lba_count calc overflow</title>
<updated>2016-07-20T07:58:36+00:00</updated>
<author>
<name>Mike Christie</name>
<email>mchristi@redhat.com</email>
</author>
<published>2016-06-03T01:12:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b'/>
<id>ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b</id>
<content type='text'>
max_discard_sectors only 32bits, and some non scsi backend
devices will set this to the max 0xffffffff, so we can end up
overflowing during the max_unmap_lba_count calculation.

This fixes a regression caused by my patch:

commit 8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3
Author: Mike Christie &lt;mchristi@redhat.com&gt;
Date:   Mon Jan 18 14:09:27 2016 -0600

    target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors

which can result in extra discards being sent to due the overflow
causing max_unmap_lba_count to be smaller than what the backing
device can actually support.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
max_discard_sectors only 32bits, and some non scsi backend
devices will set this to the max 0xffffffff, so we can end up
overflowing during the max_unmap_lba_count calculation.

This fixes a regression caused by my patch:

commit 8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3
Author: Mike Christie &lt;mchristi@redhat.com&gt;
Date:   Mon Jan 18 14:09:27 2016 -0600

    target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors

which can result in extra discards being sent to due the overflow
causing max_unmap_lba_count to be smaller than what the backing
device can actually support.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Reviewed-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Remove enum transport_lunflags_table</title>
<updated>2016-03-11T05:48:55+00:00</updated>
<author>
<name>Andy Grover</name>
<email>agrover@redhat.com</email>
</author>
<published>2016-02-25T23:14:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=03a68b44faff1b3eef5424952044747c9c555f0e'/>
<id>03a68b44faff1b3eef5424952044747c9c555f0e</id>
<content type='text'>
se_dev_entry.lun_flags and se_lun.lun_access are only used for keeping
track of read-write vs. read-only state. Since this is an either/or thing
we can represent it as bool, and remove the unneeded enum
transport_lunflags_table, which is left over from when there were more
flags.

Change code that uses this enum to just use true/false, and make it clear
through variable and param names that true means read-only, false means
read-write.

Signed-off-by: Andy Grover &lt;agrover@redhat.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
se_dev_entry.lun_flags and se_lun.lun_access are only used for keeping
track of read-write vs. read-only state. Since this is an either/or thing
we can represent it as bool, and remove the unneeded enum
transport_lunflags_table, which is left over from when there were more
flags.

Change code that uses this enum to just use true/false, and make it clear
through variable and param names that true means read-only, false means
read-write.

Signed-off-by: Andy Grover &lt;agrover@redhat.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors</title>
<updated>2016-01-30T03:29:34+00:00</updated>
<author>
<name>Mike Christie</name>
<email>mchristi@redhat.com</email>
</author>
<published>2016-01-18T20:09:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3'/>
<id>8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3</id>
<content type='text'>
In a couple places we are not converting to/from the Linux
block layer 512 bytes sectors.

1.

The request queue values and what we do are a mismatch of
things:

max_discard_sectors - This is in linux block layer 512 byte
sectors. We are just copying this to max_unmap_lba_count.

discard_granularity - This is in bytes. We are converting it
to Linux block layer 512 byte sectors.

discard_alignment - This is in bytes. We are just copying
this over.

The problem is that the core LIO code exports these values in
spc_emulate_evpd_b0 and we use them to test request arguments
in sbc_execute_unmap, but we never convert to the block size
we export to the initiator. If we are not using 512 byte sectors
then we are exporting the wrong values or are checks are off.
And, for the discard_alignment/bytes case we are just plain messed
up.

2.

blkdev_issue_discard's start and number of sector arguments
are supposed to be in linux block layer 512 byte sectors. We are
currently passing in the values we get from the initiator which
might be based on some other sector size.

There is a similar problem in iblock_execute_write_same where
the bio functions want values in 512 byte sectors but we are
passing in what we got from the initiator.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In a couple places we are not converting to/from the Linux
block layer 512 bytes sectors.

1.

The request queue values and what we do are a mismatch of
things:

max_discard_sectors - This is in linux block layer 512 byte
sectors. We are just copying this to max_unmap_lba_count.

discard_granularity - This is in bytes. We are converting it
to Linux block layer 512 byte sectors.

discard_alignment - This is in bytes. We are just copying
this over.

The problem is that the core LIO code exports these values in
spc_emulate_evpd_b0 and we use them to test request arguments
in sbc_execute_unmap, but we never convert to the block size
we export to the initiator. If we are not using 512 byte sectors
then we are exporting the wrong values or are checks are off.
And, for the discard_alignment/bytes case we are just plain messed
up.

2.

blkdev_issue_discard's start and number of sector arguments
are supposed to be in linux block layer 512 byte sectors. We are
currently passing in the values we get from the initiator which
might be based on some other sector size.

There is a similar problem in iblock_execute_write_same where
the bio functions want values in 512 byte sectors but we are
passing in what we got from the initiator.

Signed-off-by: Mike Christie &lt;mchristi@redhat.com&gt;
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target/sbc: Add LBPRZ attribute + control CDB emulation</title>
<updated>2016-01-06T21:39:55+00:00</updated>
<author>
<name>Jamie Pocas</name>
<email>jamie.pocas@emc.com</email>
</author>
<published>2015-11-29T22:44:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e6f41633cb79b55ead84b023c02035322c7827e7'/>
<id>e6f41633cb79b55ead84b023c02035322c7827e7</id>
<content type='text'>
This change sets the LBPRZ flag in EVPD page b2h and READ CAPACITY (16)
based on a new unmap_zeroes_data device attribute. This flag is set
automatically for iblock based on underlying block device queue's
discard_zeroes_data flag.

Signed-off-by: Jamie Pocas &lt;jamie.pocas@emc.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change sets the LBPRZ flag in EVPD page b2h and READ CAPACITY (16)
based on a new unmap_zeroes_data device attribute. This flag is set
automatically for iblock based on underlying block device queue's
discard_zeroes_data flag.

Signed-off-by: Jamie Pocas &lt;jamie.pocas@emc.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Make TCM_WRITE_PROTECT failure honor D_SENSE bit</title>
<updated>2015-09-25T06:17:27+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2015-09-17T03:23:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8fa3a867486f85df66eba8c4df85804d3309c6ad'/>
<id>8fa3a867486f85df66eba8c4df85804d3309c6ad</id>
<content type='text'>
This patch changes transport_lookup_cmd_lun() to obtain
se_lun-&gt;lun_ref + se_cmd-&gt;se_device rcu_dereference during
TCM_WRITE_PROTECT -&gt; CHECK_CONDITION failure status.

Do this to ensure the active control D_SENSE mode page bit
is being honored.

Reported-by: Sagi Grimberg &lt;sagig@mellanox.com&gt;
Reviewed-by: Sagi Grimberg &lt;sagig@mellanox.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes transport_lookup_cmd_lun() to obtain
se_lun-&gt;lun_ref + se_cmd-&gt;se_device rcu_dereference during
TCM_WRITE_PROTECT -&gt; CHECK_CONDITION failure status.

Do this to ensure the active control D_SENSE mode page bit
is being honored.

Reported-by: Sagi Grimberg &lt;sagig@mellanox.com&gt;
Reviewed-by: Sagi Grimberg &lt;sagig@mellanox.com&gt;
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>target: Fix PR registration + APTPL RCU conversion regression</title>
<updated>2015-09-25T06:17:07+00:00</updated>
<author>
<name>Nicholas Bellinger</name>
<email>nab@linux-iscsi.org</email>
</author>
<published>2015-09-13T09:30:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3ccd6e83df8a0d4a664edeecc453c4fa046395fb'/>
<id>3ccd6e83df8a0d4a664edeecc453c4fa046395fb</id>
<content type='text'>
This patch fixes a v4.2+ regression introduced by commit 79dc9c9e86
where lookup of t10_pr_registration-&gt;pr_reg_deve and associated
-&gt;pr_kref get was missing from __core_scsi3_do_alloc_registration(),
which is responsible for setting DEF_PR_REG_ACTIVE.

This would result in REGISTER operations completing successfully,
but subsequent core_scsi3_pr_seq_non_holder() checking would fail
with !DEF_PR_REG_ACTIVE -&gt; RESERVATION CONFLICT status.

Update __core_scsi3_add_registration() to drop -&gt;pr_kref reference
after registration and any optional ALL_TG_PT=1 processing has
completed.  Update core_scsi3_decode_spec_i_port() to release
the new parent local_pr_reg-&gt;pr_kref as well.

Also, update __core_scsi3_check_aptpl_registration() to perform
the same target_nacl_find_deve() lookup + -&gt;pr_kref get, now that
__core_scsi3_add_registration() expects to drop the reference.

Finally, since there are cases when se_dev_entry-&gt;se_lun_acl can
still be dereferenced in core_scsi3_lunacl_undepend_item() while
holding -&gt;pr_kref, go ahead and move explicit rcu_assign_pointer()
NULL assignments within core_disable_device_list_for_node() until
after orig-&gt;pr_comp finishes.

Reported-by: Scott L. Lykens &lt;scott@lykens.org&gt;
Tested-by: Scott L. Lykens &lt;scott@lykens.org&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Hannes Reinecke &lt;hare@suse.de&gt;
Cc: Lee Duncan &lt;lduncan@suse.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a v4.2+ regression introduced by commit 79dc9c9e86
where lookup of t10_pr_registration-&gt;pr_reg_deve and associated
-&gt;pr_kref get was missing from __core_scsi3_do_alloc_registration(),
which is responsible for setting DEF_PR_REG_ACTIVE.

This would result in REGISTER operations completing successfully,
but subsequent core_scsi3_pr_seq_non_holder() checking would fail
with !DEF_PR_REG_ACTIVE -&gt; RESERVATION CONFLICT status.

Update __core_scsi3_add_registration() to drop -&gt;pr_kref reference
after registration and any optional ALL_TG_PT=1 processing has
completed.  Update core_scsi3_decode_spec_i_port() to release
the new parent local_pr_reg-&gt;pr_kref as well.

Also, update __core_scsi3_check_aptpl_registration() to perform
the same target_nacl_find_deve() lookup + -&gt;pr_kref get, now that
__core_scsi3_add_registration() expects to drop the reference.

Finally, since there are cases when se_dev_entry-&gt;se_lun_acl can
still be dereferenced in core_scsi3_lunacl_undepend_item() while
holding -&gt;pr_kref, go ahead and move explicit rcu_assign_pointer()
NULL assignments within core_disable_device_list_for_node() until
after orig-&gt;pr_comp finishes.

Reported-by: Scott L. Lykens &lt;scott@lykens.org&gt;
Tested-by: Scott L. Lykens &lt;scott@lykens.org&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Hannes Reinecke &lt;hare@suse.de&gt;
Cc: Lee Duncan &lt;lduncan@suse.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.2+
Signed-off-by: Nicholas Bellinger &lt;nab@linux-iscsi.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
