From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Maurizio Lombardi, Mike Christie, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 4.14 24/50] scsi: target: iscsi: Fix cmd abort fabric stop race
Date: Tue, 1 Dec 2020 09:53:23 +0100
Message-Id: <20201201084648.070550220@linuxfoundation.org>
In-Reply-To: <20201201084644.803812112@linuxfoundation.org>
References: <20201201084644.803812112@linuxfoundation.org>

From: Mike Christie

[ Upstream commit f36199355c64a39fe82cfddc7623d827c7e050da ]

Maurizio found a race where the abort and cmd stop paths can race as
follows:

1. thread1 runs iscsit_release_commands_from_conn and sets
   CMD_T_FABRIC_STOP.

2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It
   then returns from the aborted_task callout and we finish
   target_handle_abort and do:

   target_handle_abort -> transport_cmd_check_stop_to_fabric ->
   lio_check_stop_free -> target_put_sess_cmd

   The cmd is now freed.

3. thread1 now finishes iscsit_release_commands_from_conn and runs
   iscsit_free_cmd while accessing a command we just released.

In __target_check_io_state we check for CMD_T_FABRIC_STOP and set the
CMD_T_ABORTED if the driver is not cleaning up the cmd because of a session
shutdown. However, iscsit_release_commands_from_conn only sets the
CMD_T_FABRIC_STOP and does not check to see if the abort path has claimed
completion ownership of the command.

This adds a check in iscsit_release_commands_from_conn so only the abort or
fabric stop path cleans up the command.

Link: https://lore.kernel.org/r/1605318378-9269-1-git-send-email-michael.christie@oracle.com
Reported-by: Maurizio Lombardi
Reviewed-by: Maurizio Lombardi
Signed-off-by: Mike Christie
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/target/iscsi/iscsi_target.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index da80c03de6ea4..d9fcef82ddf59 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -490,8 +490,7 @@ EXPORT_SYMBOL(iscsit_queue_rsp); void iscsit_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd) { spin_lock_bh(&conn->cmd_lock); - if (!list_empty(&cmd->i_conn_node) && - !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP)) + if (!list_empty(&cmd->i_conn_node)) list_del_init(&cmd->i_conn_node); spin_unlock_bh(&conn->cmd_lock); @@ -4086,12 +4085,22 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) spin_lock_bh(&conn->cmd_lock); list_splice_init(&conn->conn_cmd_list, &tmp_list); - list_for_each_entry(cmd, &tmp_list, i_conn_node) { + list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) { struct se_cmd *se_cmd = &cmd->se_cmd; if (se_cmd->se_tfo != NULL) { spin_lock_irq(&se_cmd->t_state_lock); - se_cmd->transport_state |= CMD_T_FABRIC_STOP; + if (se_cmd->transport_state & CMD_T_ABORTED) { + /* + * LIO's abort path owns the cleanup for this, + * so put it back on the list and let + * aborted_task handle it. + */ + list_move_tail(&cmd->i_conn_node, + &conn->conn_cmd_list); + } else { + se_cmd->transport_state |= CMD_T_FABRIC_STOP; + } spin_unlock_irq(&se_cmd->t_state_lock); } } -- 2.27.0
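
Review bot: in the first hunk (iscsit_aborted_task), the unconditional list_del_init() is only safe because the release loop in the second hunk no longer sets CMD_T_FABRIC_STOP on a command that already carries CMD_T_ABORTED, and nothing next to this function records that dependency. A one-line comment above the list_empty() check stating that the fabric stop path hands aborted commands back to conn->conn_cmd_list, so this callout is their sole remover, would keep a later change to the release loop from silently reopening the use-after-free described in the commit message.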
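
Review bot: in the second hunk (iscsit_release_commands_from_conn), the CMD_T_ABORTED branch moves the command back onto conn->conn_cmd_list, but the visible lines do not show anything that waits for the abort path to remove it before the connection itself goes away, while iscsit_aborted_task in the first hunk takes conn->cmd_lock. Please extend the new comment to say what keeps conn valid until aborted_task has run for these commands, or add the wait if none exists. Also, list_for_each_entry_safe() uses cmd_tmp, and the diffstat's 13 insertions are all accounted for without a declaration, so it is worth confirming that the 4.14 version of this function already declares cmd_tmp.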