summaryrefslogtreecommitdiffstats
path: root/fs/minix
diff options
context:
space:
mode:
authorNicholas Bellinger <nab@linux-iscsi.org>2017-10-28 08:19:26 +0200
committerNicholas Bellinger <nab@linux-iscsi.org>2017-11-08 04:50:24 +0100
commit1c21a48055a67ceb693e9c2587824a8de60a217c (patch)
tree43fd75f6f3cfc05510242b7d9a40fa9740b9b18a /fs/minix
parenttarget: Fix quiese during transport_write_pending_qf endless loop (diff)
downloadlinux-1c21a48055a67ceb693e9c2587824a8de60a217c.tar.xz
linux-1c21a48055a67ceb693e9c2587824a8de60a217c.zip
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
This patch fixes bug where early se_cmd exceptions that occur before backend execution can result in use-after-free if/when a subsequent ABORT_TASK occurs for the same tag. Since an early se_cmd exception will have had se_cmd added to se_session->sess_cmd_list via target_get_sess_cmd(), it will not have CMD_T_COMPLETE set by the usual target_complete_cmd() backend completion path. This causes a subsequent ABORT_TASK + __target_check_io_state() to signal ABORT_TASK should proceed. As core_tmr_abort_task() executes, it will bring the outstanding se_cmd->cmd_kref count down to zero releasing se_cmd, after se_cmd has already been queued with error status into fabric driver response path code. To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is set at target_get_sess_cmd() time, and cleared immediately before backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE is set. Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to determine when an early exception has occured, and avoid aborting this se_cmd since it will have already been queued into fabric driver response path code. Reported-by: Donald White <dew@datera.io> Cc: Donald White <dew@datera.io> Cc: Mike Christie <mchristi@redhat.com> Cc: Hannes Reinecke <hare@suse.com> Cc: stable@vger.kernel.org # 3.14+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'fs/minix')
0 files changed, 0 insertions, 0 deletions