linux-stable/drivers/scsi
Anoob Soman 8d7045ab40 scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
[ Upstream commit 79edd00dc6 ]

When a target sends Check Condition whilst the initiator is busy xmiting
re-queued data, it could lead to a race between iscsi_complete_task() and
iscsi_xmit_task() and eventually crash with the following kernel
backtrace.

[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
[3326150.987549] ALERT: IP: [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0
[3326150.987582] WARN: Oops: 0002 [#1] SMP
[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
[3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000
[3326150.987810] WARN: RIP: e030:[<ffffffffa05ce70d>] [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246
[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480
[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20
[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008
[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000
[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08
[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000
[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660
[3326150.987918] WARN: Stack:
[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
[3326150.987964] WARN: Call Trace:
[3326150.987975] WARN: [<ffffffffa05cea90>] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
[3326150.987988] WARN: [<ffffffff8108862c>] process_one_work+0x1fc/0x3b0
[3326150.987997] WARN: [<ffffffff81088f95>] worker_thread+0x2a5/0x470
[3326150.988006] WARN: [<ffffffff8159cad8>] ? __schedule+0x648/0x870
[3326150.988015] WARN: [<ffffffff81088cf0>] ? rescuer_thread+0x300/0x300
[3326150.988023] WARN: [<ffffffff8108ddf5>] kthread+0xd5/0xe0
[3326150.988031] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
[3326150.988040] WARN: [<ffffffff815a0bcf>] ret_from_fork+0x3f/0x70
[3326150.988048] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
[3326150.988127] ALERT: RIP [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[3326150.988138] WARN: RSP <ffff8801f545bdb0>
[3326150.988144] WARN: CR2: 0000000000000078
[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]---

Commit 6f8830f5bb ("scsi: libiscsi: add lock around task lists to fix
list corruption regression") introduced "taskqueuelock" to fix list
corruption during the race, but this wasn't enough.

Re-setting of conn->task to NULL could race with iscsi_xmit_task().
iscsi_complete_task()
{
    ....
    if (conn->task == task)
        conn->task = NULL;
}

conn->task in iscsi_xmit_task() could be NULL, and so will task be.
__iscsi_get_task(task) will crash (NULL pointer dereference) when trying
to access the refcount.

iscsi_xmit_task()
{
    struct iscsi_task *task = conn->task;

    __iscsi_get_task(task);
}

This commit will take extra conn->session->back_lock in iscsi_xmit_task()
to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
iscsi_complete_task() wins the race.  If iscsi_xmit_task() wins the race,
iscsi_xmit_task() increments task->refcount
(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().

Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Acked-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-03-23 13:19:42 +01:00
aacraid scsi: aacraid: Fix missing break in switch statement 2019-03-13 14:05:01 -07:00
aic7xxx
aic94xx Revert "scsi: aic94xx: fix module loading" 2019-02-20 10:18:35 +01:00
arcmsr scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware 2016-10-26 22:17:43 -04:00
arm scsi: fas216: fix sense buffer initialization 2018-05-25 16:13:06 +02:00
be2iscsi scsi: be2iscsi: Check tag in beiscsi_mccq_compl_wait 2018-03-22 09:17:43 +01:00
bfa scsi: bfa: convert to strlcpy/strlcat 2018-12-08 13:05:05 +01:00
bnx2fc scsi: bnx2fc: Fix NULL dereference in error handling 2019-01-13 10:03:48 +01:00
bnx2i scsi: bnx2i: add error handling for ioremap_nocache 2018-10-03 17:01:48 -07:00
csiostor scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() 2019-03-05 17:57:05 +01:00
cxgbi scsi: cxgb4i: fix Tx skb leak 2017-12-25 14:23:44 +01:00
cxlflash scsi: cxlflash: Fix context reference tracking on detach 2016-09-14 12:47:42 -04:00
device_handler scsi: scsi_dh_emc: return success in clariion_std_inquiry() 2017-10-21 17:21:36 +02:00
dpt
esas2r scsi: esas2r: don't reinitialize adapter's req_table 2016-08-25 22:28:17 -04:00
fcoe scsi: fcoe: drop frames in ELS LOGO error path 2018-09-05 09:20:04 +02:00
fnic scsi: fnic: Fix for "Number of Active IOs" in fnicstats becoming negative 2018-03-22 09:17:41 +01:00
hisi_sas scsi: hisi_sas: send three identify before phy up 2016-09-14 12:54:18 -04:00
ibmvscsi scsi: ibmvscsi: Improve strings handling 2018-10-03 17:01:45 -07:00
ibmvscsi_tgt scsi: ibmvscsis: Ensure partition name is properly NUL terminated 2018-10-20 09:51:30 +02:00
isci scsi: isci: initialize shost fully before calling scsi_add_host() 2019-02-27 10:06:59 +01:00
libfc scsi: libfc: free skb when receiving invalid flogi resp 2019-03-13 14:04:57 -07:00
libsas scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached 2019-03-05 17:57:03 +01:00
lpfc scsi: lpfc: Correct LCB RJT handling 2019-02-12 19:44:51 +01:00
megaraid scsi: megaraid: fix out-of-bound array accesses 2019-01-26 09:38:35 +01:00
mpt3sas scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM 2018-05-25 16:13:07 +02:00
mvsas scsi: mvsas: fix wrong endianness of sgpio api 2018-05-25 16:13:08 +02:00
osd scsi/osd: open code blk_make_request 2016-07-20 17:38:35 -06:00
pcmcia
pm8001 scsi: pm8001: Mark symbols static where possible 2016-09-26 21:10:45 -04:00
qla2xxx scsi: qla2xxx: shutdown chip if reset fail 2018-11-21 09:25:57 +01:00
qla4xxx scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param 2019-02-27 10:06:59 +01:00
smartpqi scsi: smartpqi: correct volume status 2019-02-12 19:44:56 +01:00
snic scsi: snic: Return error code on memory allocation failure 2017-08-06 18:59:49 -07:00
sym53c8xx_2 scsi: sym53c8xx_2: iterator underflow in sym_getsync() 2018-05-25 16:13:06 +02:00
ufs scsi: ufshcd: release resources if probe fails 2018-12-01 09:44:25 +01:00
.gitignore
3w-9xxx.c scsi: 3ware: fix return 0 on the error path of probe 2018-09-19 22:47:14 +02:00
3w-9xxx.h
3w-sas.c scsi: 3ware: fix return 0 on the error path of probe 2018-09-19 22:47:14 +02:00
3w-sas.h
3w-xxxx.c scsi: 3ware: fix return 0 on the error path of probe 2018-09-19 22:47:14 +02:00
3w-xxxx.h
53c700.c scsi: remove current_cmnd field from struct scsi_device 2016-07-13 22:33:23 -04:00
53c700.h scsi: remove current_cmnd field from struct scsi_device 2016-07-13 22:33:23 -04:00
53c700.scr
53c700_d.h_shipped
BusLogic.c
BusLogic.h
FlashPoint.c
Kconfig scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m 2017-05-14 14:00:19 +02:00
Makefile scsi: dtc: remove from tree 2016-09-26 20:49:25 -04:00
NCR53c406a.c
NCR5380.c scsi: NCR5380: no longer mark irq probing as __init 2016-10-17 14:13:03 -04:00
NCR5380.h scsi: ncr5380: Improve interrupt latency during PIO transfers 2016-09-14 14:11:12 -04:00
NCR_D700.c
NCR_D700.h
NCR_Q720.c
NCR_Q720.h
a100u2w.c
a100u2w.h
a2091.c
a2091.h
a3000.c
a3000.h
a4000t.c
advansys.c scsi: advansys: fix uninitialized data access 2018-02-25 11:05:53 +01:00
aha152x.c
aha152x.h
aha1542.c
aha1542.h
aha1740.c
aha1740.h
am53c974.c
atari_scsi.c atari_scsi: Allow can_queue to be increased for Falcon 2016-04-11 16:57:09 -04:00
atp870u.c
atp870u.h
bvme6000_scsi.c
ch.c
constants.c scsi: fix upper bounds check of sense key in scsi_sense_key_string() 2016-08-16 00:49:32 -04:00
dc395x.c
dc395x.h
dmx3191d.c ncr5380: Remove DONT_USE_INTR and AUTOPROBE_IRQ macros 2016-04-11 16:57:09 -04:00
dpt_i2o.c
dpti.h
eata.c
eata_generic.h
eata_pio.c eata_pio: missing break statement 2016-05-10 22:01:07 -04:00
eata_pio.h
esp_scsi.c scsi: esp_scsi: Track residual for PIO transfers 2018-11-13 11:16:51 -08:00
esp_scsi.h scsi: esp_scsi: Track residual for PIO transfers 2018-11-13 11:16:51 -08:00
fdomain.c
fdomain.h
g_NCR5380.c scsi: g_NCR5380: Fix release_region in error handling 2017-01-12 11:39:29 +01:00
g_NCR5380.h scsi: g_NCR5380: Stop using scsi_module.c 2016-09-29 21:52:43 -04:00
g_NCR5380_mmio.c
gdth.c
gdth.h
gdth_ioctl.h
gdth_proc.c
gdth_proc.h
gvp11.c
gvp11.h
hosts.c SCSI misc on 20161006 2016-10-07 09:28:53 -07:00
hpsa.c scsi: hpsa: fix volume offline state 2018-01-23 19:57:05 +01:00
hpsa.h scsi: hpsa: limit outstanding rescans 2017-12-20 10:07:22 +01:00
hpsa_cmd.h scsi: hpsa: update check for logical volume status 2017-12-20 10:07:22 +01:00
hptiop.c
hptiop.h
imm.c
imm.h
initio.c
initio.h
ipr.c scsi: ipr: Fix missed EH wakeup 2018-03-22 09:17:42 +01:00
ipr.h scsi: ipr: Don't log unnecessary 9084 error details 2016-09-19 11:57:33 -04:00
ips.c
ips.h
iscsi_boot_sysfs.c ibft: Expose iBFT acpi header via sysfs 2016-05-16 11:14:29 -04:00
iscsi_tcp.c scsi_tcp: block BH in TCP callbacks 2016-05-19 11:36:49 -07:00
iscsi_tcp.h
jazz_esp.c
lasi700.c
libiscsi.c scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task 2019-03-23 13:19:42 +01:00
libiscsi_tcp.c
mac53c94.c
mac53c94.h
mac_esp.c scsi: esp_scsi: Track residual for PIO transfers 2018-11-13 11:16:51 -08:00
mac_scsi.c mac_scsi: Fix pseudo DMA implementation 2016-04-11 16:57:09 -04:00
megaraid.c scsi: megaraid: silence a static checker bug 2018-08-03 07:55:23 +02:00
megaraid.h
mesh.c
mesh.h
mvme16x_scsi.c
mvme147.c
mvme147.h
mvumi.c scsi: mvumi: use __maybe_unused to hide pm functions 2016-03-05 17:07:46 -05:00
mvumi.h
ncr53c8xx.c
ncr53c8xx.h
nsp32.c
nsp32.h
nsp32_debug.c
nsp32_io.h
osst.c
osst.h
osst_detect.h
osst_options.h
pmcraid.c scsi: pmcraid: mark symbols static where possible 2016-09-04 01:28:07 -04:00
pmcraid.h
ppa.c
ppa.h
ps3rom.c
qla1280.c qla1280: Don't allocate 512kb of host tags 2016-04-30 09:25:26 -07:00
qla1280.h
qlogicfas.c
qlogicfas408.c
qlogicfas408.h
qlogicpti.c qlogicpti: Return correct error code 2016-03-01 20:06:49 -05:00
qlogicpti.h qlogicpti: Fix compiler warnings 2016-11-28 15:51:31 -05:00
raid_class.c
script_asm.pl
scsi.c scsi: Avoid that toggling use_blk_mq triggers a memory leak 2016-09-26 20:58:42 -04:00
scsi.h
scsi_common.c scsi: add scsi_set_sense_field_pointer() 2016-04-04 12:07:42 -04:00
scsi_debug.c scsi: scsi_debug: write_same: fix error report 2017-12-20 10:07:30 +01:00
scsi_devinfo.c scsi: scsi_devinfo: cleanly zero-pad devinfo strings 2018-12-08 13:05:06 +01:00
scsi_dh.c scsi: scsi_dh: replace too broad "TP9" string with the exact models 2018-08-03 07:55:25 +02:00
scsi_error.c Merge remote-tracking branch 'mkp-scsi/4.7/scsi-fixes' into fixes 2016-06-18 11:59:01 -07:00
scsi_ioctl.c
scsi_lib.c scsi: use dma_get_cache_alignment() as minimum DMA alignment 2017-12-14 09:28:11 +01:00
scsi_lib_dma.c
scsi_logging.c
scsi_logging.h
scsi_module.c
scsi_netlink.c
scsi_pm.c scsi: core: Synchronize request queue PM status only on successful resume 2019-01-23 08:10:54 +01:00
scsi_priv.h SCSI misc on 20161006 2016-10-07 09:28:53 -07:00
scsi_proc.c scsi: disable automatic target scan 2016-04-11 16:57:09 -04:00
scsi_sas_internal.h scsi_transport_sas: add 'scsi_target_id' sysfs attribute 2016-03-14 21:05:04 -04:00
scsi_scan.c scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state 2017-07-27 15:07:59 -07:00
scsi_sysctl.c
scsi_sysfs.c scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock 2018-09-05 09:20:10 +02:00
scsi_trace.c scsi-trace: define ZBC_IN and ZBC_OUT 2016-04-11 16:57:09 -04:00
scsi_transport_api.h
scsi_transport_fc.c scsi_transport_fc: Unexport scsi_is_fc_vport() 2016-04-11 16:57:09 -04:00
scsi_transport_iscsi.c scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly 2017-10-05 09:43:59 +02:00
scsi_transport_sas.c scsi: sas: remove is_sas_attached() 2016-08-18 22:23:20 -04:00
scsi_transport_spi.c
scsi_transport_srp.c scsi: scsi_transport_srp: Fix shost to rport translation 2018-06-06 16:44:38 +02:00
scsi_typedefs.h
scsicam.c
sd.c scsi: sd: Fix cache_type_store() 2019-01-23 08:10:54 +01:00
sd.h scsi: sd: Move DIF protection types to t10-pi.h 2016-09-15 09:51:14 -04:00
sd_dif.c scsi: sd: Move DIF protection types to t10-pi.h 2016-09-15 09:51:14 -04:00
sense_codes.h scsi: move Additional Sense Codes to separate file 2016-04-11 16:57:09 -04:00
ses.c scsi: ses: don't ask for diagnostic pages repeatedly during probe 2018-03-22 09:17:55 +01:00
sg.c scsi: sg: fix minor memory leak in error path 2018-08-06 16:23:04 +02:00
sgiwd93.c
sim710.c
sni_53c710.c
sr.c scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled 2018-08-15 18:14:42 +02:00
sr.h
sr_ioctl.c sr: pass down correctly sized SCSI sense buffer 2018-12-13 09:20:29 +01:00
sr_vendor.c
st.c mm: replace get_user_pages_unlocked() write/force parameters with gup_flags 2016-10-18 14:13:37 -07:00
st.h
st_options.h
stex.c
storvsc_drv.c scsi: storvsc: Increase cmd_per_lun for higher speed devices 2018-05-25 16:13:07 +02:00
sun3_scsi.c ncr5380: Remove disused atari_NCR5380.c core driver 2016-04-11 16:57:09 -04:00
sun3_scsi.h
sun3_scsi_vme.c
sun3x_esp.c
sun_esp.c
sym53c416.c
sym53c416.h
virtio_scsi.c scsi: virtio_scsi: always read VPD pages for multiqueue too 2018-04-08 12:12:50 +02:00
vmw_pvscsi.c scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload 2018-12-21 14:11:35 +01:00
vmw_pvscsi.h scsi: vmw_pvscsi: return SUCCESS for successful command aborts 2016-11-01 13:31:23 -04:00
wd33c93.c
wd33c93.h
wd719x.c drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE 2016-09-01 17:52:01 -07:00
wd719x.h
xen-scsifront.c scsi: xen-scsifront: add error handling for xenbus_printf 2018-08-24 13:12:29 +02:00
zalon.c
zorro7xx.c