f36199355c
Maurizio found a race where the abort and cmd stop paths can race as follows:

1. thread1 runs iscsit_release_commands_from_conn and sets CMD_T_FABRIC_STOP.
2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It then returns from the aborted_task callout and we finish target_handle_abort and do:

    target_handle_abort -> transport_cmd_check_stop_to_fabric ->
    lio_check_stop_free -> target_put_sess_cmd

    The cmd is now freed.
3. thread1 now finishes iscsit_release_commands_from_conn and runs iscsit_free_cmd while accessing a command we just released.

In __target_check_io_state we check for CMD_T_FABRIC_STOP and set the CMD_T_ABORTED if the driver is not cleaning up the cmd because of a session shutdown. However, iscsit_release_commands_from_conn only sets the CMD_T_FABRIC_STOP and does not check to see if the abort path has claimed completion ownership of the command.

This adds a check in iscsit_release_commands_from_conn so only the abort or fabric stop path cleanup the command.

Link: https://lore.kernel.org/r/1605318378-9269-1-git-send-email-michael.christie@oracle.com

Reported-by: Maurizio Lombardi <mlombard@redhat.com>

Reviewed-by: Maurizio Lombardi <mlombard@redhat.com>

Signed-off-by: Mike Christie <michael.christie@oracle.com>

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
||
---|---|---|
.. | ||
cxgbit | ||
Kconfig | ||
Makefile | ||
iscsi_target.c | ||
iscsi_target.h | ||
iscsi_target_auth.c | ||
iscsi_target_auth.h | ||
iscsi_target_configfs.c | ||
iscsi_target_datain_values.c | ||
iscsi_target_datain_values.h | ||
iscsi_target_device.c | ||
iscsi_target_device.h | ||
iscsi_target_erl0.c | ||
iscsi_target_erl0.h | ||
iscsi_target_erl1.c | ||
iscsi_target_erl1.h | ||
iscsi_target_erl2.c | ||
iscsi_target_erl2.h | ||
iscsi_target_login.c | ||
iscsi_target_login.h | ||
iscsi_target_nego.c | ||
iscsi_target_nego.h | ||
iscsi_target_nodeattrib.c | ||
iscsi_target_nodeattrib.h | ||
iscsi_target_parameters.c | ||
iscsi_target_parameters.h | ||
iscsi_target_seq_pdu_list.c | ||
iscsi_target_seq_pdu_list.h | ||
iscsi_target_stat.c | ||
iscsi_target_tmr.c | ||
iscsi_target_tmr.h | ||
iscsi_target_tpg.c | ||
iscsi_target_tpg.h | ||
iscsi_target_transport.c | ||
iscsi_target_util.c | ||
iscsi_target_util.h |