About the tcm_fc FCoE target driver

About the tcm_fc FCoE target driver

[Bart Van Assche]

Hi,

My understanding is that the ft_queue_data_in() function in the tcm_fc
driver gets called while processing SCSI READ commands. That function queues
data for sending by calling fc_seq_send(). The FCoE driver translates that
call into a dev_queue_xmit(skb) which sends the data asynchronously.
ft_queue_data_in() frees the data buffer synchronously from inside
ft_queue_status(). I believe that this race condition can trigger data
corruption. Since nobody ever reported this race condition, does this mean
that the FCoE target driver has no users and hence that it can be removed
from the kernel tree?

Thanks,

Bart.

Re: About the tcm_fc FCoE target driver

[James Bottomley]

On Mon, 2021-01-04 at 07:51 -0800, Bart Van Assche wrote:
> Hi,
> 
> My understanding is that the ft_queue_data_in() function in the
> tcm_fc driver gets called while processing SCSI READ commands. That
> function queues data for sending by calling fc_seq_send(). The FCoE
> driver translates that call into a dev_queue_xmit(skb) which sends
> the data asynchronously.  ft_queue_data_in() frees the data buffer
> synchronously from inside ft_queue_status(). I believe that this race
> condition can trigger data corruption. Since nobody ever reported
> this race condition, does this mean that the FCoE target driver has
> no users and hence that it can be removed from the kernel tree?

It could just mean the race condition is so rare no user has ever
triggered it reliably enough to report ... have you managed to trigger
it?

James

Re: About the tcm_fc FCoE target driver

[Bart Van Assche]

On 1/4/21 8:06 AM, James Bottomley wrote:
> On Mon, 2021-01-04 at 07:51 -0800, Bart Van Assche wrote:
>> Hi,
>>
>> My understanding is that the ft_queue_data_in() function in the
>> tcm_fc driver gets called while processing SCSI READ commands. That
>> function queues data for sending by calling fc_seq_send(). The FCoE
>> driver translates that call into a dev_queue_xmit(skb) which sends
>> the data asynchronously.  ft_queue_data_in() frees the data buffer
>> synchronously from inside ft_queue_status(). I believe that this race
>> condition can trigger data corruption. Since nobody ever reported
>> this race condition, does this mean that the FCoE target driver has
>> no users and hence that it can be removed from the kernel tree?
> 
> It could just mean the race condition is so rare no user has ever
> triggered it reliably enough to report ... have you managed to trigger
> it?

Hi James,

That's a great question. With a driver that is closely related (the SCST
FCoE target driver; the driver from which the upstream tcm_fc driver has
been derived) I could trigger this race condition easily by running fio
--verify against the FCoE initiator driver. Changing "use_sg = !(remaining %
4) && lport->sg_supp" into "use_sg = false" made the fio verification errors
disappear.

Bart.