https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260449

John Baldwin <***@FreeBSD.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@FreeBSD.org

--- Comment #1 from John Baldwin <***@FreeBSD.org> ---
So I think the issue is that in cfiscsi_terminate_tasks() there is no request
to store in PRIV_REQUEST() so it instead stores the session directly. However,
it is possible to send a request on the wire that also results in CTL_IO_TASK
and and CTL_TASK_I_T_NEXUS_RESET in cfiscsi_pdu_handle_task_request:

case BHSTMR_FUNCTION_I_T_NEXUS_RESET:
#if 0
CFISCSI_SESSION_DEBUG(cs, "BHSTMR_FUNCTION_I_T_NEXUS_RESET");
#endif
io->taskio.task_action = CTL_TASK_I_T_NEXUS_RESET;
break;


And in this case, PRIV_REQUEST() is the request instead.

Your test program constructs a normal CDB inquiry but then xors the first two
bytes with 0x4b03 to generate 0x8b02 (little endian). 0x2 ==
ISCSI_BHS_OPCODE_TASK_REQUEST and 0x8b as the function == 0x80 |
BHSTMR_FUNCTION_I_T_NEXUS_RESET.

I think the bug is we need a clean way to differentiate between an on-the-wire
reset vs the internally-initiatired reset. One way may be to allocate a new
CTL_TASK_INTERNAL_RESET or some such that terminate_tasks would use instead of
of CTL_TASK_I_T_NEXUS_RESET, and ctl_run_task would treat as identical to
CTL_TASK_I_T_NEXUS_RESET. The only thing I don't yet understand for that is
cfumass_done() in the usb storage driver checking for this opcode. Nothing in
the cfumass driver schedules a CTL_IO_TASK, so I suspect the code in
cfumass_done is just stale copy/paste from cfiscsi_done?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260449

John Baldwin <***@FreeBSD.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Assignee|***@FreeBSD.org |***@FreeBSD.org
Status|New |In Progress

--- Comment #2 from John Baldwin <***@FreeBSD.org> ---
Candidate fix up for review at https://reviews.freebsd.org/D34055