From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Maurizio Lombardi, Mike Christie, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.9 063/152] scsi: target: iscsi: Fix cmd abort fabric stop race
Date: Tue, 1 Dec 2020 09:52:58 +0100
Message-Id: <20201201084720.197306773@linuxfoundation.org>
In-Reply-To: <20201201084711.707195422@linuxfoundation.org>
References: <20201201084711.707195422@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mike Christie

[ Upstream commit f36199355c64a39fe82cfddc7623d827c7e050da ]

Maurizio found a race where the abort and cmd stop paths can race as
follows:

1. thread1 runs iscsit_release_commands_from_conn and sets
   CMD_T_FABRIC_STOP.

2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It
   then returns from the aborted_task callout and we finish
   target_handle_abort and do:

   target_handle_abort -> transport_cmd_check_stop_to_fabric ->
   lio_check_stop_free -> target_put_sess_cmd

   The cmd is now freed.

3. thread1 now finishes iscsit_release_commands_from_conn and runs
   iscsit_free_cmd while accessing a command we just released.

In __target_check_io_state we check for CMD_T_FABRIC_STOP and set the
CMD_T_ABORTED if the driver is not cleaning up the cmd because of a session
shutdown. However, iscsit_release_commands_from_conn only sets the
CMD_T_FABRIC_STOP and does not check to see if the abort path has claimed
completion ownership of the command.

This adds a check in iscsit_release_commands_from_conn so only the abort or
fabric stop path cleanup the command.

Link: https://lore.kernel.org/r/1605318378-9269-1-git-send-email-michael.christie@oracle.com
Reported-by: Maurizio Lombardi
Reviewed-by: Maurizio Lombardi
Signed-off-by: Mike Christie
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/target/iscsi/iscsi_target.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 7b56fe9f10628..2e18ec42c7045 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -483,8 +483,7 @@ EXPORT_SYMBOL(iscsit_queue_rsp); void iscsit_aborted_task(struct iscsi_conn *conn, struct iscsi_cmd *cmd) { spin_lock_bh(&conn->cmd_lock); - if (!list_empty(&cmd->i_conn_node) && - !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP)) + if (!list_empty(&cmd->i_conn_node)) list_del_init(&cmd->i_conn_node); spin_unlock_bh(&conn->cmd_lock); @@ -4083,12 +4082,22 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) spin_lock_bh(&conn->cmd_lock); list_splice_init(&conn->conn_cmd_list, &tmp_list); - list_for_each_entry(cmd, &tmp_list, i_conn_node) { + list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) { struct se_cmd *se_cmd = &cmd->se_cmd; if (se_cmd->se_tfo != NULL) { spin_lock_irq(&se_cmd->t_state_lock); - se_cmd->transport_state |= CMD_T_FABRIC_STOP; + if (se_cmd->transport_state & CMD_T_ABORTED) { + /* + * LIO's abort path owns the cleanup for this, + * so put it back on the list and let + * aborted_task handle it. + */ + list_move_tail(&cmd->i_conn_node, + &conn->conn_cmd_list); + } else { + se_cmd->transport_state |= CMD_T_FABRIC_STOP; + } spin_unlock_irq(&se_cmd->t_state_lock); } } -- 2.27.0
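
Review bot: In the first hunk (iscsit_aborted_task), dropping the `CMD_T_FABRIC_STOP` test means `list_del_init(&cmd->i_conn_node)` now runs for any command that is still linked, so the function relies on an invariant it no longer states: it is only reached for commands with CMD_T_ABORTED set, and the release loop now leaves those on conn->conn_cmd_list rather than on its private tmp_list. A short comment above `if (!list_empty(&cmd->i_conn_node))` recording that dependency on iscsit_release_commands_from_conn would keep a later change from quietly reintroducing the race.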
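
Review bot: In the second hunk (iscsit_release_commands_from_conn), `list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node)` uses cmd_tmp, but no declaration is added here and the diffstat's 13 insertions are all accounted for by the visible lines, so please confirm cmd_tmp is already declared in this function in the 5.9 tree this is queued for. Separately, commands returned with `list_move_tail(&cmd->i_conn_node, &conn->conn_cmd_list)` stay on the connection's list after the loop; the new comment says aborted_task will handle them, and it would help to add what makes connection teardown wait for that to happen.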
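
The ownership rule the commit message describes, as an added user-space model (not code from the patch or the kernel): it counts how many paths end up freeing one command for each ordering, before and after the fix. The flag values, struct and function names are constructed for illustration; in the kernel each check-and-set runs under se_cmd->t_state_lock.

```c
#include <stdio.h>

/* Constructed flag values for this model; not the kernel's definitions. */
#define CMD_T_ABORTED     (1u << 0)
#define CMD_T_FABRIC_STOP (1u << 1)

struct model_cmd { unsigned int transport_state; };

/* Abort path. Per the commit message, __target_check_io_state sets
 * CMD_T_ABORTED only if the fabric is not already stopping the cmd.
 * Returns 1 if the abort path will free the command. */
static int abort_claim(struct model_cmd *c)
{
    if (c->transport_state & CMD_T_FABRIC_STOP)
        return 0;
    c->transport_state |= CMD_T_ABORTED;
    return 1;
}

/* Release path (iscsit_release_commands_from_conn in the patch).
 * patched == 0: sets CMD_T_FABRIC_STOP without looking (before the fix).
 * patched == 1: leaves an aborted cmd to the abort path (after the fix).
 * Returns 1 if the release path will free the command. */
static int fabric_stop_claim(struct model_cmd *c, int patched)
{
    if (patched && (c->transport_state & CMD_T_ABORTED))
        return 0;
    c->transport_state |= CMD_T_FABRIC_STOP;
    return 1;
}

/* How many paths end up freeing one command for a given ordering.
 * Anything other than 1 is a bug: 2 is the use-after-free described. */
int cleanup_owners(int abort_first, int patched)
{
    struct model_cmd c = { 0 };
    int a, f;
    if (abort_first) { a = abort_claim(&c); f = fabric_stop_claim(&c, patched); }
    else             { f = fabric_stop_claim(&c, patched); a = abort_claim(&c); }
    return a + f;
}

int main(void)
{
    for (int patched = 0; patched <= 1; patched++)
        for (int abort_first = 0; abort_first <= 1; abort_first++)
            printf("patched=%d abort_first=%d owners=%d\n",
                   patched, abort_first, cleanup_owners(abort_first, patched));
    return 0;
}
```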