Patch "target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP" has been added to the 4.7-stable tree

Patch "target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP" has been added to the 4.7-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 5e2c956b8aa24d4f33ff7afef92d409eed164746 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Wed, 25 May 2016 12:25:04 -0700
Subject: target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 5e2c956b8aa24d4f33ff7afef92d409eed164746 upstream.

During transport_generic_free_cmd() with a concurrent TMR
ABORT_TASK and shutdown CMD_T_FABRIC_STOP bit set, the
caller will be blocked on se_cmd->cmd_wait_stop completion
until the final kref_put() -> target_release_cmd_kref()
has been invoked to call complete().

However, when ABORT_TASK is completed with FUNCTION_COMPLETE
in core_tmr_abort_task(), the aborted se_cmd will have already
been removed from se_sess->sess_cmd_list via list_del_init().

This results in target_release_cmd_kref() hitting the
legacy list_empty() == true check, invoking ->release_cmd()
but skipping complete() to wakeup se_cmd->cmd_wait_stop
blocked earlier in transport_generic_free_cmd() code.

To address this bug, it's safe to go ahead and drop the
original list_empty() check so that fabric_stop invokes
the complete() as expected, since list_del_init() can
safely be used on a empty list.

Cc: Mike Christie <mchristi@redhat.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_transport.c |    6 ------
 1 file changed, 6 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2565,12 +2565,6 @@ static void target_release_cmd_kref(stru
 	bool fabric_stop;
 
 	spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
-	if (list_empty(&se_cmd->se_cmd_list)) {
-		spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
-		target_free_cmd_mem(se_cmd);
-		se_cmd->se_tfo->release_cmd(se_cmd);
-		return;
-	}
 
 	spin_lock(&se_cmd->t_state_lock);
 	fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP);


Patches currently in stable-queue which might be from nab@linux-iscsi.org are

queue-4.7/target-fix-max_unmap_lba_count-calc-overflow.patch
queue-4.7/target-fix-ordered-task-check_condition-early-exception-handling.patch
queue-4.7/ib-core-make-rdma_rw_ctx_init-initialize-all-used-fields.patch
queue-4.7/ib-srpt-limit-the-number-of-sg-elements-per-work-request.patch
queue-4.7/ib-core-rdma-rw-api-do-not-exceed-qp-sge-send-limit.patch
queue-4.7/target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch
queue-4.7/target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch
queue-4.7/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch
queue-4.7/target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch