• Nicholas Bellinger's avatar
    target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK · fe132502
    Nicholas Bellinger authored
    commit 1c21a480 upstream.
    
    This patch fixes bug where early se_cmd exceptions that occur
    before backend execution can result in use-after-free if/when
    a subsequent ABORT_TASK occurs for the same tag.
    
    Since an early se_cmd exception will have had se_cmd added to
    se_session->sess_cmd_list via target_get_sess_cmd(), it will
    not have CMD_T_COMPLETE set by the usual target_complete_cmd()
    backend completion path.
    
    This causes a subsequent ABORT_TASK + __target_check_io_state()
    to signal ABORT_TASK should proceed.  As core_tmr_abort_task()
    executes, it will bring the outstanding se_cmd->cmd_kref count
    down to zero releasing se_cmd, after se_cmd has already been
    queued with error status into fabric driver response path code.
    
    To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
    set at target_get_sess_cmd() time, and cleared immediately before
    backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
    is set.
    
    Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
    determine when an early exception has occured, and avoid aborting
    this se_cmd since it will have already been queued into fabric
    driver response path code.
    Reported-by: default avatarDonald White <dew@datera.io>
    Cc: Donald White <dew@datera.io>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: Hannes Reinecke <hare@suse.com>
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    fe132502
Name
Last commit
Last update
..
iscsi Loading commit data...
loopback Loading commit data...
sbp Loading commit data...
tcm_fc Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
target_core_alua.c Loading commit data...
target_core_alua.h Loading commit data...
target_core_configfs.c Loading commit data...
target_core_device.c Loading commit data...
target_core_fabric_configfs.c Loading commit data...
target_core_fabric_lib.c Loading commit data...
target_core_file.c Loading commit data...
target_core_file.h Loading commit data...
target_core_hba.c Loading commit data...
target_core_iblock.c Loading commit data...
target_core_iblock.h Loading commit data...
target_core_internal.h Loading commit data...
target_core_pr.c Loading commit data...
target_core_pr.h Loading commit data...
target_core_pscsi.c Loading commit data...
target_core_pscsi.h Loading commit data...
target_core_rd.c Loading commit data...
target_core_rd.h Loading commit data...
target_core_sbc.c Loading commit data...
target_core_spc.c Loading commit data...
target_core_stat.c Loading commit data...
target_core_tmr.c Loading commit data...
target_core_tpg.c Loading commit data...
target_core_transport.c Loading commit data...
target_core_ua.c Loading commit data...
target_core_ua.h Loading commit data...
target_core_user.c Loading commit data...
target_core_xcopy.c Loading commit data...
target_core_xcopy.h Loading commit data...