From: "Nicholas A. Bellinger" <nab@daterainc.com>
To: target-devel <target-devel@vger.kernel.org>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 0/2] target: kthread login failure hung task + CAW use-after-free
Date: Sun, 15 Nov 2015 00:21:41 +0000 [thread overview]
Message-ID: <1447546903-15305-1-git-send-email-nab@daterainc.com> (raw)
From: Nicholas Bellinger <nab@linux-iscsi.org>
Hi all,
Here are two patches to address issues encountered over the
last month while stress testing with ESX hosts.
This first is hopefully the last regression around iscsi-target
changes over the last releases to create kthreads on-demand
during login negotiation. It addresses a case that would end
up leaving left-over iscsi_target_rx_thread() in uninterruptible
sleep, if the failure occured in iscsi_target_do_tx_login_io()
attempting to send the last login response PDU.
The second is a COMPARE_AND_WRITE use-after-free bug, that
is difficult to hit for normal backends, but with just the
right scheduling delays will result in OOPsen. The problem
centers around the use of SCF_COMPARE_AND_WRITE_POST flag
checking in target_complete_ok_work() to determine the
first or second phase processing of COMPARE_AND_WRITE.
That is, there is nothing that prevents the CAW callbacks
in target_complete_ok_work() from completing in reverse order,
so the dependency on checking cmd->se_cmd_flags is incorrect.
To address this, allow cmd->transport_complete_callback() to
propigate up 'post_ret' to target_complete_ok_work(), and
avoid se_cmd dereference after ->transport_complete_callback().
Both patches are straight-forward fixes, and have been verified
extensively on Linux + ESX hosts the last weeks.
--nab
Nicholas Bellinger (2):
iscsi-target: Fix rx_login_comp hang after login failure
target: Fix race for SCF_COMPARE_AND_WRITE_POST checking
drivers/target/iscsi/iscsi_target.c | 13 ++++++++++++-
drivers/target/iscsi/iscsi_target_nego.c | 1 +
drivers/target/target_core_sbc.c | 13 +++++++++----
drivers/target/target_core_transport.c | 14 ++++++++------
include/target/target_core_base.h | 2 +-
5 files changed, 31 insertions(+), 12 deletions(-)
--
1.9.1
next reply other threads:[~2015-11-15 0:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-15 0:21 Nicholas A. Bellinger [this message]
2015-11-15 0:21 ` [PATCH 1/2] iscsi-target: Fix rx_login_comp hang after login failure Nicholas A. Bellinger
2015-11-16 11:27 ` Sagi Grimberg
2015-11-15 0:21 ` [PATCH 2/2] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking Nicholas A. Bellinger
2015-12-18 13:05 ` [PATCH 0/2] target: kthread login failure hung task + CAW use-after-free Martin Svec
2015-12-21 7:19 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1447546903-15305-1-git-send-email-nab@daterainc.com \
--to=nab@daterainc.com \
--cc=linux-scsi@vger.kernel.org \
--cc=nab@linux-iscsi.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.