    target: Fix LUN_RESET active TMR descriptor handling · cf0fbc6b
    Nicholas Bellinger authored
    [ Upstream commit a6d9bb1c ]
    
    This patch fixes a NULL pointer se_cmd->cmd_kref < 0
    refcount bug during TMR LUN_RESET with active TMRs,
    triggered during se_cmd + se_tmr_req descriptor
    shutdown + release via core_tmr_drain_tmr_list().
    
    To address this bug, go ahead and obtain a local
    kref_get_unless_zero(&se_cmd->cmd_kref) for active I/O
    to set CMD_T_ABORTED, and transport_wait_for_tasks()
    followed by the final target_put_sess_cmd() to drop
    the local ->cmd_kref.
    
    Also add two new checks within target_tmr_work() to
    avoid CMD_T_ABORTED -> TFO->queue_tm_rsp() callbacks
    ahead of invoking the backend -> fabric put in
    transport_cmd_check_stop_to_fabric().
    
    For good measure, also change core_tmr_release_req()
    to use list_del_init() ahead of se_tmr_req memory
    free.
    
    Reviewed-by: Quinn Tran <quinn.tran@qlogic.com>
    Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Cc: Sagi Grimberg <sagig@mellanox.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Hannes Reinecke <hare@suse.de>
    Cc: Andy Grover <agrover@redhat.com>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
target_core_transport.c 80.8 KB