diff options
| author | Mike Christie <michael.christie@oracle.com> | 2020-11-13 19:46:18 -0600 | 
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2020-11-16 23:34:18 -0500 | 
| commit | f36199355c64a39fe82cfddc7623d827c7e050da (patch) | |
| tree | 80dfecc860f380cfe737f625add36eb7f8952724 /lib/test_overflow.c | |
| parent | fe0a8a95e7134d0b44cd407bc0085b9ba8d8fe31 (diff) | |
scsi: target: iscsi: Fix cmd abort fabric stop race
Maurizio found a race where the abort and cmd stop paths can race as
follows:
 1. thread1 runs iscsit_release_commands_from_conn and sets
    CMD_T_FABRIC_STOP.
 2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It
    then returns from the aborted_task callout and we finish
    target_handle_abort and do:
    target_handle_abort -> transport_cmd_check_stop_to_fabric ->
	lio_check_stop_free -> target_put_sess_cmd
    The cmd is now freed.
 3. thread1 now finishes iscsit_release_commands_from_conn and runs
    iscsit_free_cmd while accessing a command we just released.
In __target_check_io_state we check for CMD_T_FABRIC_STOP and set the
CMD_T_ABORTED if the driver is not cleaning up the cmd because of a session
shutdown. However, iscsit_release_commands_from_conn only sets the
CMD_T_FABRIC_STOP and does not check to see if the abort path has claimed
completion ownership of the command.
This adds a check in iscsit_release_commands_from_conn so only the abort or
fabric stop path cleanup the command.
Link: https://lore.kernel.org/r/1605318378-9269-1-git-send-email-michael.christie@oracle.com
Reported-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'lib/test_overflow.c')
0 files changed, 0 insertions, 0 deletions
