The commit is pushed to "branch-rh7-3.10.0-693.21.1.vz7.46.x-ovz" and will
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.21.1.vz7.46.2
------>
commit 77a02567ce7a0c8a7cea3e76a675af745e4d3e0c
Author: Nicholas Bellinger <n...@linux-iscsi.org>
Date: Mon Apr 2 17:28:26 2018 +0300
ms/target: Fix LUN_RESET active I/O handling for ACK_KREF
ML: febe562c20dfa8f33bee7d419c6b517986a5aa33
This patch fixes a NULL pointer se_cmd->cmd_kref < 0
refcount bug during TMR LUN_RESET with active se_cmd
I/O, that can be triggered during se_cmd descriptor
shutdown + release via core_tmr_drain_state_list() code.
To address this bug, add common __target_check_io_state()
helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
both cases ahead of last target_put_sess_cmd() after
TFO->aborted_task() -> transport_cmd_finish_abort()
callback has completed.
It also introduces SCF_ACK_KREF to determine when
transport_cmd_finish_abort() needs to drop the second
extra reference, ahead of calling target_put_sess_cmd()
for the final kref_put(&se_cmd->cmd_kref).
It also updates transport_cmd_check_stop() to avoid
holding se_cmd->t_state_lock while dropping se_cmd
device state via target_remove_from_state_list(), now
that core_tmr_drain_state_list() is holding the
se_device lock while checking se_cmd state from
within TMR logic.
Finally, move transport_put_cmd() release of SGL +
TMR + extended CDB memory into target_free_cmd_mem()
in order to avoid potential resource leaks in TMR
ABORT_TASK + LUN_RESET code-paths. Also update
target_release_cmd_kref() accordingly.
Reviewed-by: Quinn Tran <quinn.t...@qlogic.com>
Cc: Himanshu Madhani <himanshu.madh...@qlogic.com>
Cc: Sagi Grimberg <sa...@mellanox.com>
Cc: Christoph Hellwig <h...@lst.de>
Cc: Hannes Reinecke <h...@suse.de>
Cc: Andy Grover <agro...@redhat.com>
Cc: Mike Christie <mchri...@redhat.com>
Cc: sta...@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
Signed-off-by: Andrei Vagin <ava...@openvz.org>
---
drivers/target/target_core_tmr.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 4fe985ae18d8..e2c96725a7bf 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -177,7 +177,6 @@ void core_tmr_abort_task(
cancel_work_sync(&se_cmd->work);
transport_wait_for_tasks(se_cmd);
-
if (se_cmd->se_cmd_flags & SCF_SE_LUN_CMD)
atomic_long_inc(&se_cmd->se_lun->lun_stats.aborts);
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
