From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk, Roland Dreier <roland@purestorage.com>,
Martin Svec <martin.svec@zoner.cz>,
Christoph Hellwig <hch@lst.de>,
Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [ 08/33] target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs
Date: Fri, 18 Jan 2013 17:16:33 -0800
Message-ID: <20130119010348.734283044@linuxfoundation.org>
In-Reply-To: <20130119010345.885772698@linuxfoundation.org>
3.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roland Dreier <roland@purestorage.com>

commit e627c615553a356f6f70215ebb3933c6e057553e upstream.

This patch fixes a regression bug introduced during v3.6.x code with
the following commit to drop transport_add_cmd_to_queue(), which
originally re-set CMD_T_ACTIVE during pending WRITE I/O submission:

  commit af8772926f019b7bddd7477b8de5f3b0f12bad21
  Author: Christoph Hellwig <hch@infradead.org>
  Date:   Sun Jul 8 15:58:49 2012 -0400

      target: replace the processing thread with a TMR work queue

The following sequence happens for write commands (or any other
commands with a data out phase):

 - The transport calls target_submit_cmd(), which sets CMD_T_ACTIVE in
   cmd->transport_state and sets cmd->t_state to TRANSPORT_NEW_CMD.
 - Things go on transport_generic_new_cmd(), which notices that the
   command needs to transfer data, so it sets cmd->t_state to
   TRANSPORT_WRITE_PENDING and calls transport_cmd_check_stop().
 - transport_cmd_check_stop() clears CMD_T_ACTIVE in cmd->transport_state
   and returns in the normal case.
 - Then we continue on to call ->se_tfo->write_pending().
 - The data comes back from the initiator, and the transport calls
   target_execute_cmd(), which sets cmd->t_state to TRANSPORT_PROCESSING
   and calls into the backend to actually write the data.

At this point, the backend might take a long time to complete the
command, since it has to do real IO.  If an abort request comes in for
this command at this point, it will not wait for the command to finish
since CMD_T_ACTIVE is not set.  Then when the command does finally
finish, we blow up with use-after-free.

Avoid this by setting CMD_T_ACTIVE in target_execute_cmd() so that
transport_wait_for_tasks() waits for the command to finish executing.

This matches the behavior from before commit 1389533ef944 ("target:
remove transport_generic_handle_data"), when data was signaled via
transport_generic_handle_data(), which set CMD_T_ACTIVE because it
called transport_add_cmd_to_queue().

Signed-off-by: Roland Dreier <roland@purestorage.com>
Reported-by: Martin Svec <martin.svec@zoner.cz>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1853,6 +1853,7 @@ void target_execute_cmd(struct se_cmd *c
}
cmd->t_state = TRANSPORT_PROCESSING;
+ cmd->transport_state |= CMD_T_ACTIVE;
spin_unlock_irq(&cmd->t_state_lock);
if (dev->dev_task_attr_type != SAM_TASK_ATTR_EMULATED)
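Review bot: The added `cmd->transport_state |= CMD_T_ACTIVE;` line in target_execute_cmd() has no comment saying why the bit must be set again at this point, and the changelog shows that this is how it was lost in the first place: the re-set used to happen implicitly through transport_add_cmd_to_queue() and disappeared when that path was removed. A short comment above the assignment, noting that transport_cmd_check_stop() cleared CMD_T_ACTIVE on the TRANSPORT_WRITE_PENDING path and that transport_wait_for_tasks() depends on the bit to make an abort wait for the backend, would keep a later cleanup from dropping it again. The placement itself looks right: the store sits beside the `cmd->t_state = TRANSPORT_PROCESSING;` update and before `spin_unlock_irq(&cmd->t_state_lock);`, so both fields change under the same lock. The changelog also cites two different commits (af8772926f01 and 1389533ef944) around the loss of the re-set; stating which one actually removed it would help anyone deciding how far back this needs to go.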