• Nicholas Bellinger's avatar
    target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK · fe132502
    Nicholas Bellinger authored
    commit 1c21a480 upstream.
    This patch fixes bug where early se_cmd exceptions that occur
    before backend execution can result in use-after-free if/when
    a subsequent ABORT_TASK occurs for the same tag.
    Since an early se_cmd exception will have had se_cmd added to
    se_session->sess_cmd_list via target_get_sess_cmd(), it will
    not have CMD_T_COMPLETE set by the usual target_complete_cmd()
    backend completion path.
    This causes a subsequent ABORT_TASK + __target_check_io_state()
    to signal ABORT_TASK should proceed.  As core_tmr_abort_task()
    executes, it will bring the outstanding se_cmd->cmd_kref count
    down to zero releasing se_cmd, after se_cmd has already been
    queued with error status into fabric driver response path code.
    To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
    set at target_get_sess_cmd() time, and cleared immediately before
    backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
    is set.
    Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
    determine when an early exception has occured, and avoid aborting
    this se_cmd since it will have already been queued into fabric
    driver response path code.
    Reported-by: default avatarDonald White <dew@datera.io>
    Cc: Donald White <dew@datera.io>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: Hannes Reinecke <hare@suse.com>
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
target_core_base.h 26.5 KB