target: Fix race between iscsi-target connection shutdown + ABORT_TASK
authorNicholas Bellinger <nab@linux-iscsi.org>
Thu, 2 Jun 2016 21:56:45 +0000 (14:56 -0700)
committerNicholas Bellinger <nab@linux-iscsi.org>
Wed, 20 Jul 2016 07:58:34 +0000 (00:58 -0700)
commit064cdd2d91c2805d788876082f31cc63506f22c3
treeb868cab48c4c28bc253d804f459a4722092ee522
parent5e2c956b8aa24d4f33ff7afef92d409eed164746
target: Fix race between iscsi-target connection shutdown + ABORT_TASK

This patch fixes a race in iscsit_release_commands_from_conn() ->
iscsit_free_cmd() -> transport_generic_free_cmd() + wait_for_tasks=1,
where CMD_T_FABRIC_STOP could end up being set after the final
kref_put() is called from core_tmr_abort_task() context.

This results in transport_generic_free_cmd() blocking indefinately
on se_cmd->cmd_wait_comp, because the target_release_cmd_kref()
check for CMD_T_FABRIC_STOP returns false.

To address this bug, make iscsit_release_commands_from_conn()
do list_splice and set CMD_T_FABRIC_STOP early while holding
iscsi_conn->cmd_lock.  Also make iscsit_aborted_task() only
remove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been
set.

Finally in target_release_cmd_kref(), only honor fabric_stop
if CMD_T_ABORTED has been set.

Cc: Mike Christie <mchristi@redhat.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: stable@vger.kernel.org # 3.14+
Tested-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
drivers/target/iscsi/iscsi_target.c
drivers/target/target_core_transport.c