From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:46834)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1T2oaD-0002gQ-2u
	for qemu-devel@nongnu.org; Sat, 18 Aug 2012 15:21:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1T2oaB-0001oe-FJ
	for qemu-devel@nongnu.org; Sat, 18 Aug 2012 15:21:17 -0400
Received: from mail-wi0-f181.google.com ([209.85.212.181]:47570)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1T2oaB-0001oR-8E
	for qemu-devel@nongnu.org; Sat, 18 Aug 2012 15:21:15 -0400
Received: by wibhm2 with SMTP id hm2so2030205wib.10
	for <qemu-devel@nongnu.org>; Sat, 18 Aug 2012 12:21:14 -0700 (PDT)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
Message-ID: <502FEB27.3090403@redhat.com>
Date: Sat, 18 Aug 2012 21:21:11 +0200
From: Paolo Bonzini <pbonzini@redhat.com>
MIME-Version: 1.0
References: <1345039003-19186-1-git-send-email-kwolf@redhat.com>
	<1345039003-19186-9-git-send-email-kwolf@redhat.com>
In-Reply-To: <1345039003-19186-9-git-send-email-kwolf@redhat.com>
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 08/10] iscsi: Fix NULL dereferences / races
 between task completion and abort
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-devel@nongnu.org, anthony@codemonkey.ws

Il 15/08/2012 15:56, Kevin Wolf ha scritto:
> @@ -76,6 +76,10 @@ static void
>  iscsi_abort_task_cb(struct iscsi_context *iscsi, int status, void *command_data,
>                      void *private_data)
>  {
> +    IscsiAIOCB *acb = (IscsiAIOCB *)private_data;
> +
> +    scsi_free_scsi_task(acb->task);
> +    acb->task = NULL;
>  }
>  
>  static void
> @@ -84,15 +88,15 @@ iscsi_aio_cancel(BlockDriverAIOCB *blockacb)
>      IscsiAIOCB *acb = (IscsiAIOCB *)blockacb;
>      IscsiLun *iscsilun = acb->iscsilun;
>  
> -    acb->common.cb(acb->common.opaque, -ECANCELED);
>      acb->canceled = 1;
>  
> -    /* send a task mgmt call to the target to cancel the task on the target */
> -    iscsi_task_mgmt_abort_task_async(iscsilun->iscsi, acb->task,
> -                                     iscsi_abort_task_cb, NULL);
> +    acb->common.cb(acb->common.opaque, -ECANCELED);
>  
> -    /* then also cancel the task locally in libiscsi */
> -    iscsi_scsi_task_cancel(iscsilun->iscsi, acb->task);
> +    /* send a task mgmt call to the target to cancel the task on the target
> +     * this also cancels the task in libiscsi
> +     */
> +    iscsi_task_mgmt_abort_task_async(iscsilun->iscsi, acb->task,
> +                                     iscsi_abort_task_cb, &acb);

This is definitely a step forward, but iscsi_aio_cancel should actually
be synchronous.  Otherwise the target could write the data between the
callback and the sending of the TMF.  I'll send a patch for testing on
Monday.

Paolo