<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/target/target_core_device.c, branch v6.5</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>scsi: target: Replace all non-returning strlcpy() with strscpy()</title>
<updated>2023-05-17T01:39:44+00:00</updated>
<author>
<name>Azeem Shaikh</name>
<email>azeemshaikh38@gmail.com</email>
</author>
<published>2023-05-16T02:53:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0871237a946e2b16e82048d92d69058fddb9172a'/>
<id>0871237a946e2b16e82048d92d69058fddb9172a</id>
<content type='text'>
strlcpy() reads the entire source buffer first.  This read may exceed the
destination size limit.  This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated [1].  In an effort
to remove strlcpy() completely [2], replace strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh &lt;azeemshaikh38@gmail.com&gt;
Link: https://lore.kernel.org/r/20230516025322.2804923-1-azeemshaikh38@gmail.com
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
strlcpy() reads the entire source buffer first.  This read may exceed the
destination size limit.  This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated [1].  In an effort
to remove strlcpy() completely [2], replace strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh &lt;azeemshaikh38@gmail.com&gt;
Link: https://lore.kernel.org/r/20230516025322.2804923-1-azeemshaikh38@gmail.com
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge patch series "target: TMF and recovery fixes"</title>
<updated>2023-03-24T21:39:15+00:00</updated>
<author>
<name>Martin K. Petersen</name>
<email>martin.petersen@oracle.com</email>
</author>
<published>2023-03-24T21:39:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ae2fb3cb0f00482c0ec0079e4244bdee3e1fc46b'/>
<id>ae2fb3cb0f00482c0ec0079e4244bdee3e1fc46b</id>
<content type='text'>
Mike Christie &lt;michael.christie@oracle.com&gt; says:

The following patches apply over Martin's 6.4 branches and Linus's tree.
They fix a couple regressions in iscsit that occur when there are TMRs
executing and a connection is closed. It also includes Dimitry's fixes in
related code paths for cmd cleanup when ERL2 is used and the write pending
hang during conn cleanup.

This version of the patchset brings it back to just regressions and fixes
for bugs we have a lot of users hitting. I'm going to fix isert and get it
hooked into iscsit properly in a second patchset, because this one was
getting so large. I've also moved my cleanup type of patches for a 3rd
patchset.

Link: https://lore.kernel.org/r/20230319015620.96006-1-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Mike Christie &lt;michael.christie@oracle.com&gt; says:

The following patches apply over Martin's 6.4 branches and Linus's tree.
They fix a couple regressions in iscsit that occur when there are TMRs
executing and a connection is closed. It also includes Dimitry's fixes in
related code paths for cmd cleanup when ERL2 is used and the write pending
hang during conn cleanup.

This version of the patchset brings it back to just regressions and fixes
for bugs we have a lot of users hitting. I'm going to fix isert and get it
hooked into iscsit properly in a second patchset, because this one was
getting so large. I've also moved my cleanup type of patches for a 3rd
patchset.

Link: https://lore.kernel.org/r/20230319015620.96006-1-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: Fix multiple LUN_RESET handling</title>
<updated>2023-03-24T21:32:23+00:00</updated>
<author>
<name>Mike Christie</name>
<email>michael.christie@oracle.com</email>
</author>
<published>2023-03-19T01:56:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=673db054d7a2b5a470d7a25baf65956d005ad729'/>
<id>673db054d7a2b5a470d7a25baf65956d005ad729</id>
<content type='text'>
This fixes a bug where an initiator thinks a LUN_RESET has cleaned up
running commands when it hasn't. The bug was added in commit 51ec502a3266
("target: Delete tmr from list before processing").

The problem occurs when:

 1. We have N I/O cmds running in the target layer spread over 2 sessions.

 2. The initiator sends a LUN_RESET for each session.

 3. session1's LUN_RESET loops over all the running commands from both
    sessions and moves them to its local drain_task_list.

 4. session2's LUN_RESET does not see the LUN_RESET from session1 because
    the commit above has it remove itself. session2 also does not see any
    commands since the other reset moved them off the state lists.

 5. sessions2's LUN_RESET will then complete with a successful response.

 6. sessions2's inititor believes the running commands on its session are
    now cleaned up due to the successful response and cleans up the running
    commands from its side. It then restarts them.

 7. The commands do eventually complete on the backend and the target
    starts to return aborted task statuses for them. The initiator will
    either throw a invalid ITT error or might accidentally lookup a new
    task if the ITT has been reallocated already.

Fix the bug by reverting the patch, and serialize the execution of
LUN_RESETs and Preempt and Aborts.

Also prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,
because it turns out the original patch fixed a bug that was not
mentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second
LUN_RESET and wait on it. Then the second reset will run
core_tmr_drain_tmr_list and see the first reset and wait on it resulting in
a deadlock.

Fixes: 51ec502a3266 ("target: Delete tmr from list before processing")
Signed-off-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Link: https://lore.kernel.org/r/20230319015620.96006-8-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This fixes a bug where an initiator thinks a LUN_RESET has cleaned up
running commands when it hasn't. The bug was added in commit 51ec502a3266
("target: Delete tmr from list before processing").

The problem occurs when:

 1. We have N I/O cmds running in the target layer spread over 2 sessions.

 2. The initiator sends a LUN_RESET for each session.

 3. session1's LUN_RESET loops over all the running commands from both
    sessions and moves them to its local drain_task_list.

 4. session2's LUN_RESET does not see the LUN_RESET from session1 because
    the commit above has it remove itself. session2 also does not see any
    commands since the other reset moved them off the state lists.

 5. sessions2's LUN_RESET will then complete with a successful response.

 6. sessions2's inititor believes the running commands on its session are
    now cleaned up due to the successful response and cleans up the running
    commands from its side. It then restarts them.

 7. The commands do eventually complete on the backend and the target
    starts to return aborted task statuses for them. The initiator will
    either throw a invalid ITT error or might accidentally lookup a new
    task if the ITT has been reallocated already.

Fix the bug by reverting the patch, and serialize the execution of
LUN_RESETs and Preempt and Aborts.

Also prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,
because it turns out the original patch fixed a bug that was not
mentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second
LUN_RESET and wait on it. Then the second reset will run
core_tmr_drain_tmr_list and see the first reset and wait on it resulting in
a deadlock.

Fixes: 51ec502a3266 ("target: Delete tmr from list before processing")
Signed-off-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Link: https://lore.kernel.org/r/20230319015620.96006-8-michael.christie@oracle.com
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: Drop device-based RTPI</title>
<updated>2023-03-10T02:29:23+00:00</updated>
<author>
<name>Roman Bolshakov</name>
<email>r.bolshakov@yadro.com</email>
</author>
<published>2023-03-01T08:45:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5fe99dace4313b0061d46f69e32f981956c92445'/>
<id>5fe99dace4313b0061d46f69e32f981956c92445</id>
<content type='text'>
The code is not needed since target port-based RTPI allocation replaced it.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20230301084512.21956-4-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The code is not needed since target port-based RTPI allocation replaced it.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20230301084512.21956-4-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: Use RTPI from target port</title>
<updated>2023-03-10T02:29:23+00:00</updated>
<author>
<name>Roman Bolshakov</name>
<email>r.bolshakov@yadro.com</email>
</author>
<published>2023-03-01T08:45:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b9e063adfb8a812d9c47ff690e645086c6f76f42'/>
<id>b9e063adfb8a812d9c47ff690e645086c6f76f42</id>
<content type='text'>
Replace all references to RTPI from LUN field to se_portal_group field.  It
introduces consistent reporting of RTPI for all LUNs and all target ports.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20230301084512.21956-3-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace all references to RTPI from LUN field to se_portal_group field.  It
introduces consistent reporting of RTPI for all LUNs and all target ports.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20230301084512.21956-3-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi</title>
<updated>2022-12-14T16:58:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2022-12-14T16:58:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aa5ad10f6cca6d42f3fef6cb862e03b220ea19a6'/>
<id>aa5ad10f6cca6d42f3fef6cb862e03b220ea19a6</id>
<content type='text'>
Pull SCSI updates from James Bottomley:
 "Updates to the usual drivers (target, ufs, smartpqi, lpfc).

  There are some core changes, mostly around reworking some of our user
  context assumptions in device put and moving some code around.

  The remaining updates are bug fixes and minor changes"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (138 commits)
  scsi: sg: Fix get_user() in call sg_scsi_ioctl()
  scsi: megaraid_sas: Fix some spelling mistakes in comment
  scsi: core: Use SCSI_SCAN_INITIAL in do_scsi_scan_host()
  scsi: core: Use SCSI_SCAN_RESCAN in __scsi_add_device()
  scsi: ufs: ufs-mediatek: Remove unnecessary return code
  scsi: ufs: core: Fix the polling implementation
  scsi: libsas: Do not export sas_ata_wait_after_reset()
  scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset
  scsi: libsas: Add smp_ata_check_ready_type()
  scsi: Revert "scsi: hisi_sas: Don't send bcast events from HW during nexus HA reset"
  scsi: Revert "scsi: hisi_sas: Drain bcast events in hisi_sas_rescan_topology()"
  scsi: ufs: ufs-mediatek: Modify the return value
  scsi: ufs: ufs-mediatek: Remove unneeded code
  scsi: device_handler: alua: Call scsi_device_put() from non-atomic context
  scsi: device_handler: alua: Revert "Move a scsi_device_put() call out of alua_check_vpd()"
  scsi: snic: Fix possible UAF in snic_tgt_create()
  scsi: qla2xxx: Initialize vha-&gt;unknown_atio_[list, work] for NPIV hosts
  scsi: qla2xxx: Remove duplicate of vha-&gt;iocb_work initialization
  scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
  scsi: sd: Use 16-byte SYNCHRONIZE CACHE on ZBC devices
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull SCSI updates from James Bottomley:
 "Updates to the usual drivers (target, ufs, smartpqi, lpfc).

  There are some core changes, mostly around reworking some of our user
  context assumptions in device put and moving some code around.

  The remaining updates are bug fixes and minor changes"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (138 commits)
  scsi: sg: Fix get_user() in call sg_scsi_ioctl()
  scsi: megaraid_sas: Fix some spelling mistakes in comment
  scsi: core: Use SCSI_SCAN_INITIAL in do_scsi_scan_host()
  scsi: core: Use SCSI_SCAN_RESCAN in __scsi_add_device()
  scsi: ufs: ufs-mediatek: Remove unnecessary return code
  scsi: ufs: core: Fix the polling implementation
  scsi: libsas: Do not export sas_ata_wait_after_reset()
  scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset
  scsi: libsas: Add smp_ata_check_ready_type()
  scsi: Revert "scsi: hisi_sas: Don't send bcast events from HW during nexus HA reset"
  scsi: Revert "scsi: hisi_sas: Drain bcast events in hisi_sas_rescan_topology()"
  scsi: ufs: ufs-mediatek: Modify the return value
  scsi: ufs: ufs-mediatek: Remove unneeded code
  scsi: device_handler: alua: Call scsi_device_put() from non-atomic context
  scsi: device_handler: alua: Revert "Move a scsi_device_put() call out of alua_check_vpd()"
  scsi: snic: Fix possible UAF in snic_tgt_create()
  scsi: qla2xxx: Initialize vha-&gt;unknown_atio_[list, work] for NPIV hosts
  scsi: qla2xxx: Remove duplicate of vha-&gt;iocb_work initialization
  scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
  scsi: sd: Use 16-byte SYNCHRONIZE CACHE on ZBC devices
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: Add emulate_rsoc attribute</title>
<updated>2022-10-27T01:44:32+00:00</updated>
<author>
<name>Dmitry Bogdanov</name>
<email>d.bogdanov@yadro.com</email>
</author>
<published>2022-09-06T10:34:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bd217b8c3a1f705f2d92d30974412fbd5f43271a'/>
<id>bd217b8c3a1f705f2d92d30974412fbd5f43271a</id>
<content type='text'>
Allow support for RSOC to be turned off via the emulate_rsoc attibute.
This is just for testing purposes.

Reviewed-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20220906103421.22348-5-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow support for RSOC to be turned off via the emulate_rsoc attibute.
This is just for testing purposes.

Reviewed-by: Roman Bolshakov &lt;r.bolshakov@yadro.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Link: https://lore.kernel.org/r/20220906103421.22348-5-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: UA on all LUNs after reset</title>
<updated>2022-10-01T09:06:53+00:00</updated>
<author>
<name>Dmitry Bogdanov</name>
<email>d.bogdanov@yadro.com</email>
</author>
<published>2022-09-13T16:36:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6290e23f3bd8cee52fb8fd98980bb1eb31c8284d'/>
<id>6290e23f3bd8cee52fb8fd98980bb1eb31c8284d</id>
<content type='text'>
Allocate UNIT ATTENTION "BUS DEVICE RESET OCCURRED" on all LUNs on all
target ports of the device upon reception of TMF LUN RESET.

This change passes libiscsi test SCSI.MultipathIO.Reset.

Link: https://lore.kernel.org/r/20220913163602.20597-1-d.bogdanov@yadro.com
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allocate UNIT ATTENTION "BUS DEVICE RESET OCCURRED" on all LUNs on all
target ports of the device upon reception of TMF LUN RESET.

This change passes libiscsi test SCSI.MultipathIO.Reset.

Link: https://lore.kernel.org/r/20220913163602.20597-1-d.bogdanov@yadro.com
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: De-RCU of se_lun and se_lun acl</title>
<updated>2022-08-01T23:36:02+00:00</updated>
<author>
<name>Dmitry Bogdanov</name>
<email>d.bogdanov@yadro.com</email>
</author>
<published>2022-07-27T21:41:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ef4f7e4bf1dc26aaa86cf8e5a13013684139be51'/>
<id>ef4f7e4bf1dc26aaa86cf8e5a13013684139be51</id>
<content type='text'>
se_lun and se_lun_acl are immutable pointers of struct se_dev_entry.
Remove RCU usage for access to those pointers.

Link: https://lore.kernel.org/r/20220727214125.19647-3-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
se_lun and se_lun_acl are immutable pointers of struct se_dev_entry.
Remove RCU usage for access to those pointers.

Link: https://lore.kernel.org/r/20220727214125.19647-3-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: target: core: Fix race during ACL removal</title>
<updated>2022-08-01T23:36:02+00:00</updated>
<author>
<name>Dmitry Bogdanov</name>
<email>d.bogdanov@yadro.com</email>
</author>
<published>2022-07-27T21:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=dd0a66ada0bd0ae6c96ea45cfa1581797e867a40'/>
<id>dd0a66ada0bd0ae6c96ea45cfa1581797e867a40</id>
<content type='text'>
Under huge load there is a possibility of race condition in updating
se_dev_entry object in ACL removal procedure:

 NIP [c0080000154093d0] transport_lookup_cmd_lun+0x1f8/0x3d0 [target_core_mod]
 LR [c00800001542ab34] target_submit_cmd_map_sgls+0x11c/0x300 [target_core_mod]
 Call Trace:
   target_submit_cmd_map_sgls+0x11c/0x300 [target_core_mod]
   target_submit_cmd+0x44/0x60 [target_core_mod]
   tcm_qla2xxx_handle_cmd+0x88/0xe0 [tcm_qla2xxx]
   qlt_do_work+0x2e4/0x3d0 [qla2xxx]
   process_one_work+0x298/0x5c

Despite usage of RCU primitives with deve-&gt;se_lun pointer, it has not
become dereference-safe because deve-&gt;se_lun is updated and not
synchronized with a reader. That change might be in a release function
called by synchronize_rcu(). But, in fact, there is no point in setting
that pointer to NULL for deleting deve. All access to deve-&gt;se_lun is
already under rcu_read_lock. And either deve-&gt;se_lun is always valid or
deve is not valid itself and will not be found in the list_for_*.  The same
applicable for deve-&gt;se_lun_acl too.  So a better solution is to remove
that NULLing.

Link: https://lore.kernel.org/r/20220727214125.19647-2-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Under huge load there is a possibility of race condition in updating
se_dev_entry object in ACL removal procedure:

 NIP [c0080000154093d0] transport_lookup_cmd_lun+0x1f8/0x3d0 [target_core_mod]
 LR [c00800001542ab34] target_submit_cmd_map_sgls+0x11c/0x300 [target_core_mod]
 Call Trace:
   target_submit_cmd_map_sgls+0x11c/0x300 [target_core_mod]
   target_submit_cmd+0x44/0x60 [target_core_mod]
   tcm_qla2xxx_handle_cmd+0x88/0xe0 [tcm_qla2xxx]
   qlt_do_work+0x2e4/0x3d0 [qla2xxx]
   process_one_work+0x298/0x5c

Despite usage of RCU primitives with deve-&gt;se_lun pointer, it has not
become dereference-safe because deve-&gt;se_lun is updated and not
synchronized with a reader. That change might be in a release function
called by synchronize_rcu(). But, in fact, there is no point in setting
that pointer to NULL for deleting deve. All access to deve-&gt;se_lun is
already under rcu_read_lock. And either deve-&gt;se_lun is always valid or
deve is not valid itself and will not be found in the list_for_*.  The same
applicable for deve-&gt;se_lun_acl too.  So a better solution is to remove
that NULLing.

Link: https://lore.kernel.org/r/20220727214125.19647-2-d.bogdanov@yadro.com
Reviewed-by: Mike Christie &lt;michael.christie@oracle.com&gt;
Signed-off-by: Dmitry Bogdanov &lt;d.bogdanov@yadro.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
