• Nicholas Bellinger's avatar
    iscsi-target: Fix TMR reference leak during session shutdown · efb2ea77
    Nicholas Bellinger authored
    This patch fixes a iscsi-target specific TMR reference leak
    during session shutdown, that could occur when a TMR was
    quiesced before the hand-off back to iscsi-target code
    via transport_cmd_check_stop_to_fabric().
    
    The reference leak happens because iscsit_free_cmd() was
    incorrectly skipping the final target_put_sess_cmd() for
    TMRs when transport_generic_free_cmd() returned zero because
    the se_cmd->cmd_kref did not reach zero, due to the missing
    se_cmd assignment in original code.
    
    The result was iscsi_cmd and it's associated se_cmd memory
    would be freed once se_sess->sess_cmd_map where released,
    but the associated se_tmr_req was leaked and remained part
    of se_device->dev_tmr_list.
    
    This bug would manfiest itself as kernel paging request
    OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req
    attempted to dereference it's se_cmd pointer that had
    already been released during normal session shutdown.
    
    To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD
    and ISCSI_OP_SCSI_TMFUNC the same when there is an extra
    se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use
    op_scsi to signal __iscsit_free_cmd() when the former
    needs to clear any further iscsi related I/O state.
    Reported-by: default avatarRob Millner <rlm@daterainc.com>
    Cc: Rob Millner <rlm@daterainc.com>
    Reported-by: default avatarChu Yuan Lin <cyl@datera.io>
    Cc: Chu Yuan Lin <cyl@datera.io>
    Tested-by: default avatarChu Yuan Lin <cyl@datera.io>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    efb2ea77
iscsi_target_util.c 36.1 KB