diff options
| author | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-07-03 06:11:48 -0400 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-07-07 01:01:23 -0400 |
| commit | 186a9647019587b3784694894c4d136fd00cfd7b (patch) | |
| tree | 47864da1726666d59bfa20a9b346b06d4b948218 | |
| parent | 561bf15892375597ee59d473a704a3e634c4f311 (diff) | |
iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser
This patch adds target_get_sess_cmd reference counting for
iscsit_handle_task_mgt_cmd(), and adds a target_put_sess_cmd()
for the failure case.
It also fixes a bug where ISCSI_OP_SCSI_TMFUNC type commands
where leaking iscsi_cmd->i_conn_node and eventually triggering
an OOPs during struct isert_conn shutdown.
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| -rw-r--r-- | drivers/infiniband/ulp/isert/ib_isert.c | 16 | ||||
| -rw-r--r-- | drivers/target/iscsi/iscsi_target.c | 12 |
2 files changed, 18 insertions, 10 deletions
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 7e219a46e7ca..9efbf13007e4 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c | |||
| @@ -1200,14 +1200,12 @@ isert_put_cmd(struct isert_cmd *isert_cmd) | |||
| 1200 | { | 1200 | { |
| 1201 | struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd; | 1201 | struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd; |
| 1202 | struct isert_conn *isert_conn = isert_cmd->conn; | 1202 | struct isert_conn *isert_conn = isert_cmd->conn; |
| 1203 | struct iscsi_conn *conn; | 1203 | struct iscsi_conn *conn = isert_conn->conn; |
| 1204 | 1204 | ||
| 1205 | pr_debug("Entering isert_put_cmd: %p\n", isert_cmd); | 1205 | pr_debug("Entering isert_put_cmd: %p\n", isert_cmd); |
| 1206 | 1206 | ||
| 1207 | switch (cmd->iscsi_opcode) { | 1207 | switch (cmd->iscsi_opcode) { |
| 1208 | case ISCSI_OP_SCSI_CMD: | 1208 | case ISCSI_OP_SCSI_CMD: |
| 1209 | conn = isert_conn->conn; | ||
| 1210 | |||
| 1211 | spin_lock_bh(&conn->cmd_lock); | 1209 | spin_lock_bh(&conn->cmd_lock); |
| 1212 | if (!list_empty(&cmd->i_conn_node)) | 1210 | if (!list_empty(&cmd->i_conn_node)) |
| 1213 | list_del(&cmd->i_conn_node); | 1211 | list_del(&cmd->i_conn_node); |
| @@ -1217,16 +1215,18 @@ isert_put_cmd(struct isert_cmd *isert_cmd) | |||
| 1217 | iscsit_stop_dataout_timer(cmd); | 1215 | iscsit_stop_dataout_timer(cmd); |
| 1218 | 1216 | ||
| 1219 | isert_unmap_cmd(isert_cmd, isert_conn); | 1217 | isert_unmap_cmd(isert_cmd, isert_conn); |
| 1220 | /* | 1218 | transport_generic_free_cmd(&cmd->se_cmd, 0); |
| 1221 | * Fall-through | 1219 | break; |
| 1222 | */ | ||
| 1223 | case ISCSI_OP_SCSI_TMFUNC: | 1220 | case ISCSI_OP_SCSI_TMFUNC: |
| 1221 | spin_lock_bh(&conn->cmd_lock); | ||
| 1222 | if (!list_empty(&cmd->i_conn_node)) | ||
| 1223 | list_del(&cmd->i_conn_node); | ||
| 1224 | spin_unlock_bh(&conn->cmd_lock); | ||
| 1225 | |||
| 1224 | transport_generic_free_cmd(&cmd->se_cmd, 0); | 1226 | transport_generic_free_cmd(&cmd->se_cmd, 0); |
| 1225 | break; | 1227 | break; |
| 1226 | case ISCSI_OP_REJECT: | 1228 | case ISCSI_OP_REJECT: |
| 1227 | case ISCSI_OP_NOOP_OUT: | 1229 | case ISCSI_OP_NOOP_OUT: |
| 1228 | conn = isert_conn->conn; | ||
| 1229 | |||
| 1230 | spin_lock_bh(&conn->cmd_lock); | 1230 | spin_lock_bh(&conn->cmd_lock); |
| 1231 | if (!list_empty(&cmd->i_conn_node)) | 1231 | if (!list_empty(&cmd->i_conn_node)) |
| 1232 | list_del(&cmd->i_conn_node); | 1232 | list_del(&cmd->i_conn_node); |
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 4319dad7d919..c30ec1d5756e 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c | |||
| @@ -1737,8 +1737,8 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | |||
| 1737 | struct se_tmr_req *se_tmr; | 1737 | struct se_tmr_req *se_tmr; |
| 1738 | struct iscsi_tmr_req *tmr_req; | 1738 | struct iscsi_tmr_req *tmr_req; |
| 1739 | struct iscsi_tm *hdr; | 1739 | struct iscsi_tm *hdr; |
| 1740 | int out_of_order_cmdsn = 0; | 1740 | int out_of_order_cmdsn = 0, ret; |
| 1741 | int ret; | 1741 | bool sess_ref = false; |
| 1742 | u8 function; | 1742 | u8 function; |
| 1743 | 1743 | ||
| 1744 | hdr = (struct iscsi_tm *) buf; | 1744 | hdr = (struct iscsi_tm *) buf; |
| @@ -1794,6 +1794,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | |||
| 1794 | conn->sess->se_sess, 0, DMA_NONE, | 1794 | conn->sess->se_sess, 0, DMA_NONE, |
| 1795 | MSG_SIMPLE_TAG, cmd->sense_buffer + 2); | 1795 | MSG_SIMPLE_TAG, cmd->sense_buffer + 2); |
| 1796 | 1796 | ||
| 1797 | target_get_sess_cmd(conn->sess->se_sess, &cmd->se_cmd, true); | ||
| 1798 | sess_ref = true; | ||
| 1799 | |||
| 1797 | switch (function) { | 1800 | switch (function) { |
| 1798 | case ISCSI_TM_FUNC_ABORT_TASK: | 1801 | case ISCSI_TM_FUNC_ABORT_TASK: |
| 1799 | tcm_function = TMR_ABORT_TASK; | 1802 | tcm_function = TMR_ABORT_TASK; |
| @@ -1931,6 +1934,11 @@ attach: | |||
| 1931 | * For connection recovery, this is also the default action for | 1934 | * For connection recovery, this is also the default action for |
| 1932 | * TMR TASK_REASSIGN. | 1935 | * TMR TASK_REASSIGN. |
| 1933 | */ | 1936 | */ |
| 1937 | if (sess_ref) { | ||
| 1938 | pr_debug("Handle TMR, using sess_ref=true check\n"); | ||
| 1939 | target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd); | ||
| 1940 | } | ||
| 1941 | |||
| 1934 | iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); | 1942 | iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); |
| 1935 | return 0; | 1943 | return 0; |
| 1936 | } | 1944 | } |