Commit 186a9647 authored by Nicholas Bellinger's avatar Nicholas Bellinger

iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser

This patch adds target_get_sess_cmd reference counting for
iscsit_handle_task_mgt_cmd(), and adds a target_put_sess_cmd()
for the failure case.

It also fixes a bug where ISCSI_OP_SCSI_TMFUNC type commands
were leaking iscsi_cmd->i_conn_node and eventually triggering
an OOPs during struct isert_conn shutdown.

Cc: stable@vger.kernel.org  # 3.10+
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
parent 561bf158
...@@ -1200,14 +1200,12 @@ isert_put_cmd(struct isert_cmd *isert_cmd) ...@@ -1200,14 +1200,12 @@ isert_put_cmd(struct isert_cmd *isert_cmd)
{ {
struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd; struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd;
struct isert_conn *isert_conn = isert_cmd->conn; struct isert_conn *isert_conn = isert_cmd->conn;
struct iscsi_conn *conn; struct iscsi_conn *conn = isert_conn->conn;
pr_debug("Entering isert_put_cmd: %p\n", isert_cmd); pr_debug("Entering isert_put_cmd: %p\n", isert_cmd);
switch (cmd->iscsi_opcode) { switch (cmd->iscsi_opcode) {
case ISCSI_OP_SCSI_CMD: case ISCSI_OP_SCSI_CMD:
conn = isert_conn->conn;
spin_lock_bh(&conn->cmd_lock); spin_lock_bh(&conn->cmd_lock);
if (!list_empty(&cmd->i_conn_node)) if (!list_empty(&cmd->i_conn_node))
list_del(&cmd->i_conn_node); list_del(&cmd->i_conn_node);
...@@ -1217,16 +1215,18 @@ isert_put_cmd(struct isert_cmd *isert_cmd) ...@@ -1217,16 +1215,18 @@ isert_put_cmd(struct isert_cmd *isert_cmd)
iscsit_stop_dataout_timer(cmd); iscsit_stop_dataout_timer(cmd);
isert_unmap_cmd(isert_cmd, isert_conn); isert_unmap_cmd(isert_cmd, isert_conn);
/* transport_generic_free_cmd(&cmd->se_cmd, 0);
* Fall-through break;
*/
case ISCSI_OP_SCSI_TMFUNC: case ISCSI_OP_SCSI_TMFUNC:
spin_lock_bh(&conn->cmd_lock);
if (!list_empty(&cmd->i_conn_node))
list_del(&cmd->i_conn_node);
spin_unlock_bh(&conn->cmd_lock);
transport_generic_free_cmd(&cmd->se_cmd, 0); transport_generic_free_cmd(&cmd->se_cmd, 0);
break; break;
case ISCSI_OP_REJECT: case ISCSI_OP_REJECT:
case ISCSI_OP_NOOP_OUT: case ISCSI_OP_NOOP_OUT:
conn = isert_conn->conn;
spin_lock_bh(&conn->cmd_lock); spin_lock_bh(&conn->cmd_lock);
if (!list_empty(&cmd->i_conn_node)) if (!list_empty(&cmd->i_conn_node))
list_del(&cmd->i_conn_node); list_del(&cmd->i_conn_node);
......
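Review bot: The unlink added under `case ISCSI_OP_SCSI_TMFUNC:` uses `list_del()` behind a `list_empty()` guard, as the neighbouring cases do, and that guard does not make the unlink idempotent. `list_del()` leaves the node's pointers poisoned rather than self-linked, so `list_empty(&cmd->i_conn_node)` is still false afterwards and a second unlink of the same command would run `list_del()` on a stale node. Whether another teardown path can reach the same command is not visible on this page, but `list_del_init(&cmd->i_conn_node);` in all three cases would make the guard mean what it appears to mean. The same lock/unlink/unlock sequence now appears three times and could become one small static helper; isert_put_cmd continues past the end of the lines shown.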
...@@ -1737,8 +1737,8 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, ...@@ -1737,8 +1737,8 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
struct se_tmr_req *se_tmr; struct se_tmr_req *se_tmr;
struct iscsi_tmr_req *tmr_req; struct iscsi_tmr_req *tmr_req;
struct iscsi_tm *hdr; struct iscsi_tm *hdr;
int out_of_order_cmdsn = 0; int out_of_order_cmdsn = 0, ret;
int ret; bool sess_ref = false;
u8 function; u8 function;
hdr = (struct iscsi_tm *) buf; hdr = (struct iscsi_tm *) buf;
...@@ -1794,6 +1794,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, ...@@ -1794,6 +1794,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
conn->sess->se_sess, 0, DMA_NONE, conn->sess->se_sess, 0, DMA_NONE,
MSG_SIMPLE_TAG, cmd->sense_buffer + 2); MSG_SIMPLE_TAG, cmd->sense_buffer + 2);
target_get_sess_cmd(conn->sess->se_sess, &cmd->se_cmd, true);
sess_ref = true;
switch (function) { switch (function) {
case ISCSI_TM_FUNC_ABORT_TASK: case ISCSI_TM_FUNC_ABORT_TASK:
tcm_function = TMR_ABORT_TASK; tcm_function = TMR_ABORT_TASK;
...@@ -1931,6 +1934,11 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, ...@@ -1931,6 +1934,11 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
* For connection recovery, this is also the default action for * For connection recovery, this is also the default action for
* TMR TASK_REASSIGN. * TMR TASK_REASSIGN.
*/ */
if (sess_ref) {
pr_debug("Handle TMR, using sess_ref=true check\n");
target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
}
iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
return 0; return 0;
} }
......
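Review bot: The result of `target_get_sess_cmd()` is discarded at the added call just before `switch (function)`, yet `sess_ref = true` is set unconditionally and later gates the `target_put_sess_cmd()` near the end of the function. The prototype is not on this page; if the call can fail (for instance while the session is being torn down), the put would drop a reference that was never taken, leaving `cmd->se_cmd` with an unbalanced refcount right before `iscsit_add_cmd_to_response_queue()` uses it. Assuming it returns 0 on success, `sess_ref = !target_get_sess_cmd(conn->sess->se_sess, &cmd->se_cmd, true);` would keep the flag honest, or the request could be failed at that point. The `pr_debug()` text "using sess_ref=true check" would also be more useful if it printed the command pointer or ITT. The body of iscsit_handle_task_mgt_cmd starts and ends outside the hunks shown.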