[RHEL7,COMMIT] ms/target: Fix LUN_RESET active I/O handling for ACK_KREF

Submitted by Konstantin Khorenko on April 2, 2018, 2:28 p.m.

Details

Message ID 201804021428.w32ESREw024380@finist_ce7.work
State New
Series "target: backport bug fixes from the upstream kernel"
Headers show

Commit Message

Konstantin Khorenko April 2, 2018, 2:28 p.m.
The commit is pushed to "branch-rh7-3.10.0-693.21.1.vz7.46.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.21.1.vz7.46.2
------>
commit 77a02567ce7a0c8a7cea3e76a675af745e4d3e0c
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date:   Mon Apr 2 17:28:26 2018 +0300

    ms/target: Fix LUN_RESET active I/O handling for ACK_KREF
    
    ML: febe562c20dfa8f33bee7d419c6b517986a5aa33
    
    This patch fixes a NULL pointer se_cmd->cmd_kref < 0
    refcount bug during TMR LUN_RESET with active se_cmd
    I/O, that can be triggered during se_cmd descriptor
    shutdown + release via core_tmr_drain_state_list() code.
    
    To address this bug, add common __target_check_io_state()
    helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
    checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
    both cases ahead of last target_put_sess_cmd() after
    TFO->aborted_task() -> transport_cmd_finish_abort()
    callback has completed.
    
    It also introduces SCF_ACK_KREF to determine when
    transport_cmd_finish_abort() needs to drop the second
    extra reference, ahead of calling target_put_sess_cmd()
    for the final kref_put(&se_cmd->cmd_kref).
    
    It also updates transport_cmd_check_stop() to avoid
    holding se_cmd->t_state_lock while dropping se_cmd
    device state via target_remove_from_state_list(), now
    that core_tmr_drain_state_list() is holding the
    se_device lock while checking se_cmd state from
    within TMR logic.
    
    Finally, move transport_put_cmd() release of SGL +
    TMR + extended CDB memory into target_free_cmd_mem()
    in order to avoid potential resource leaks in TMR
    ABORT_TASK + LUN_RESET code-paths.  Also update
    target_release_cmd_kref() accordingly.
    
    Reviewed-by: Quinn Tran <quinn.tran@qlogic.com>
    Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Cc: Sagi Grimberg <sagig@mellanox.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Hannes Reinecke <hare@suse.de>
    Cc: Andy Grover <agrover@redhat.com>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Andrei Vagin <avagin@openvz.org>
---
 drivers/target/target_core_tmr.c | 1 -
 1 file changed, 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 4fe985ae18d8..e2c96725a7bf 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -177,7 +177,6 @@  void core_tmr_abort_task(
 		cancel_work_sync(&se_cmd->work);
 		transport_wait_for_tasks(se_cmd);
 
-
 		if (se_cmd->se_cmd_flags & SCF_SE_LUN_CMD)
 			atomic_long_inc(&se_cmd->se_lun->lun_stats.aborts);