Commit fe132502 authored by Nicholas Bellinger, committed by Greg Kroah-Hartman

target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK

commit 1c21a480 upstream.

This patch fixes bug where early se_cmd exceptions that occur
before backend execution can result in use-after-free if/when
a subsequent ABORT_TASK occurs for the same tag.

Since an early se_cmd exception will have had se_cmd added to
se_session->sess_cmd_list via target_get_sess_cmd(), it will
not have CMD_T_COMPLETE set by the usual target_complete_cmd()
backend completion path.

This causes a subsequent ABORT_TASK + __target_check_io_state()
to signal ABORT_TASK should proceed.  As core_tmr_abort_task()
executes, it will bring the outstanding se_cmd->cmd_kref count
down to zero releasing se_cmd, after se_cmd has already been
queued with error status into fabric driver response path code.

To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
set at target_get_sess_cmd() time, and cleared immediately before
backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
is set.

Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
determine when an early exception has occurred, and avoid aborting
this se_cmd since it will have already been queued into fabric
driver response path code.
Reported-by: Donald White <>
Cc: Donald White <>
Cc: Mike Christie <>
Cc: Hannes Reinecke <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
parent 3c68944b
......@@ -133,6 +133,15 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
return false;
if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) {
if (se_cmd->scsi_status) {
pr_debug("Attempted to abort io tag: %llu early failure"
" status: 0x%02x\n", se_cmd->tag,
return false;
if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
pr_debug("Attempted to abort io tag: %llu already shutdown,"
" skipping\n", se_cmd->tag);
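Review bot: the new early-failure bypass at the top of this hunk keys on se_cmd->scsi_status being non-zero while CMD_T_PRE_EXECUTE is set, so a command that still carries CMD_T_PRE_EXECUTE but has no status recorded yet falls through to the existing sess_tearing_down / cmd_wait_set check and remains abortable; a one-line comment stating that a non-zero status on a pre-execute command means it has already been queued into the fabric response path (the use-after-free the commit message describes) would make that invariant explicit, since the code itself gives no hint why status rather than the bit alone decides. Separately, as rendered here the pr_debug call ends after `se_cmd->tag,` with no status argument or closing parenthesis, so this view is missing at least one line of the added block and should be read against the full diff.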
......@@ -1974,6 +1974,7 @@ void target_execute_cmd(struct se_cmd *cmd)
cmd->transport_state &= ~CMD_T_PRE_EXECUTE;
cmd->transport_state |= CMD_T_ACTIVE | CMD_T_SENT;
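Review bot: clearing CMD_T_PRE_EXECUTE and then setting CMD_T_ACTIVE | CMD_T_SENT are two separate read-modify-write statements on cmd->transport_state, and the context shown does not include the t_state_lock that normally guards this field; confirm both lines sit inside the same locked region, because if __target_check_io_state() could run between them it would see a command with neither CMD_T_PRE_EXECUTE nor CMD_T_ACTIVE set. Folding the clear into the same statement, e.g. `cmd->transport_state = (cmd->transport_state & ~CMD_T_PRE_EXECUTE) | CMD_T_ACTIVE | CMD_T_SENT;`, removes the question regardless of locking.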
......@@ -2682,6 +2683,7 @@ int target_get_sess_cmd(struct se_cmd *se_cmd, bool ack_kref)
goto out;
se_cmd->transport_state |= CMD_T_PRE_EXECUTE;
list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
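Review bot: `se_cmd->transport_state |= CMD_T_PRE_EXECUTE;` is executed under se_sess->sess_cmd_lock (released by the spin_unlock_irqrestore two lines below), whereas transport_state is otherwise updated under se_cmd->t_state_lock; this is only safe because the command has not been dispatched yet and no other context can read the flag before it is linked onto sess_cmd_list, so a short comment documenting that reliance would help the next reader. It is also worth noting in that comment that target_execute_cmd() is the only place the bit is cleared, so any early-exception path that never reaches backend dispatch leaves it set by design, which is exactly what __target_check_io_state() relies on.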
......@@ -490,6 +490,7 @@ struct se_cmd {
#define CMD_T_STOP (1 << 5)
#define CMD_T_TAS (1 << 10)
#define CMD_T_FABRIC_STOP (1 << 11)
#define CMD_T_PRE_EXECUTE (1 << 12)
spinlock_t t_state_lock;
struct kref cmd_kref;
struct completion t_transport_stop_comp;
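Review bot: CMD_T_PRE_EXECUTE takes bit 12, the next free position after CMD_T_FABRIC_STOP (1 << 11), but the define carries no comment, and its lifecycle spans three places (set in target_get_sess_cmd(), cleared in target_execute_cmd() immediately before backend dispatch, consulted by __target_check_io_state() to skip aborting a command that has already failed into the fabric response path); a one-line comment at the define summarising that would spare readers having to reconstruct it from the call sites.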
