iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser

commit 186a9647019587b3784694894c4d136fd00cfd7b upstream.

This patch adds target_get_sess_cmd reference counting for
iscsit_handle_task_mgt_cmd(), and adds a target_put_sess_cmd()
for the failure case.

It also fixes a bug where ISCSI_OP_SCSI_TMFUNC type commands
where leaking iscsi_cmd->i_conn_node and eventually triggering
an OOPs during struct isert_conn shutdown.

Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
index 6b20a9d09cbb0c80049b7b38d13f8d43ace37a61..bfc21798bd5ecf4804c74e6098fbd09f67064669 100644 (file)
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1202,14 +1202,12 @@ isert_put_cmd(struct isert_cmd *isert_cmd)
 {
        struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd;
        struct isert_conn *isert_conn = isert_cmd->conn;
-       struct iscsi_conn *conn;
+       struct iscsi_conn *conn = isert_conn->conn;
 
        pr_debug("Entering isert_put_cmd: %p\n", isert_cmd);
 
        switch (cmd->iscsi_opcode) {
        case ISCSI_OP_SCSI_CMD:
-               conn = isert_conn->conn;
-
                spin_lock_bh(&conn->cmd_lock);
                if (!list_empty(&cmd->i_conn_node))
                        list_del(&cmd->i_conn_node);
@@ -1219,16 +1217,18 @@ isert_put_cmd(struct isert_cmd *isert_cmd)
                        iscsit_stop_dataout_timer(cmd);
 
                isert_unmap_cmd(isert_cmd, isert_conn);
-               /*
-                * Fall-through
-                */
+               transport_generic_free_cmd(&cmd->se_cmd, 0);
+               break;
        case ISCSI_OP_SCSI_TMFUNC:
+               spin_lock_bh(&conn->cmd_lock);
+               if (!list_empty(&cmd->i_conn_node))
+                       list_del(&cmd->i_conn_node);
+               spin_unlock_bh(&conn->cmd_lock);
+
                transport_generic_free_cmd(&cmd->se_cmd, 0);
                break;
        case ISCSI_OP_REJECT:
        case ISCSI_OP_NOOP_OUT:
-               conn = isert_conn->conn;
-
                spin_lock_bh(&conn->cmd_lock);
                if (!list_empty(&cmd->i_conn_node))
                        list_del(&cmd->i_conn_node);

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index d7705e5824fb2d39205d55846d560df2a8a03270..f1db6ee710061a91c132e070187bc13e237e38ea 100644 (file)
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1757,8 +1757,8 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
        struct se_tmr_req *se_tmr;
        struct iscsi_tmr_req *tmr_req;
        struct iscsi_tm *hdr;
-       int out_of_order_cmdsn = 0;
-       int ret;
+       int out_of_order_cmdsn = 0, ret;
+       bool sess_ref = false;
        u8 function;
 
        hdr                     = (struct iscsi_tm *) buf;
@@ -1814,6 +1814,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
                                      conn->sess->se_sess, 0, DMA_NONE,
                                      MSG_SIMPLE_TAG, cmd->sense_buffer + 2);
 
+               target_get_sess_cmd(conn->sess->se_sess, &cmd->se_cmd, true);
+               sess_ref = true;
+
                switch (function) {
                case ISCSI_TM_FUNC_ABORT_TASK:
                        tcm_function = TMR_ABORT_TASK;
@@ -1956,6 +1959,11 @@ attach:
         * For connection recovery, this is also the default action for
         * TMR TASK_REASSIGN.
         */
+       if (sess_ref) {
+               pr_debug("Handle TMR, using sess_ref=true check\n");
+               target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+       }
+
        iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
        return 0;
 }