[Qemu-devel] PATCH V2: fix NULL dereferences / races between task completition and abort

[Qemu-devel] PATCH V2: fix NULL dereferences / races between task completition and abort

[Stefan Priebe]

This patch fixes a race and some segfaults which i discovered while testing scsi-generic
and unmapping with libiscsi.

The first problem is that in iscsi_aio_cancel iscsi_scsi_task_cancel and 
iscsi_task_mgmt_abort_task_async got called but iscsi_task_mgmt_abort_task_async already
calls iscsi_scsi_task_cancel.

The second problem is that scsi_free_scsi_task(acb->task) and acb->task = NULL must be done
when io is complete or the whole task cancelation has finished. Right now it is done in
between.

Sorry no native speaker i hope i was able to explain what the problem is. Otherwise Ronnie
is informed and perhaps explain the problem too.

[Qemu-devel] PATCH V2: fix NULL dereferences / races between task completition and abort

[Stefan Priebe]

This patch fixes two main issues with block/iscsi.c:
1.) iscsi_task_mgmt_abort_task_async calls iscsi_scsi_task_cancel which was also directly
    called in iscsi_aio_cancel

2.) a race between task completition and task abortion could happen cause the scsi_free_scsi_task
    were done before iscsi_schedule_bh has finished