From c1ce4bd56f2846de55043374598fd929ad3b711b Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 16 Jan 2012 16:04:15 -0800 Subject: [PATCH] iscsi-target: Fix reject release handling in iscsit_free_cmd() This patch addresses a bug where iscsit_free_cmd() was incorrectly calling iscsit_release_cmd() for ISCSI_OP_REJECT because iscsi_add_reject*() will overwrite the original iscsi_cmd->iscsi_opcode assignment. This bug was introduced with the following commit: commit 0be67f2ed8f577d2c72d917928394c5885fa9134 Author: Nicholas Bellinger Date: Sun Oct 9 01:48:14 2011 -0700 iscsi-target: Remove SCF_SE_LUN_CMD flag abuses and was manifesting itself as list corruption with the following: [ 131.191092] ------------[ cut here ]------------ [ 131.191092] WARNING: at lib/list_debug.c:53 __list_del_entry+0x8d/0x98() [ 131.191092] Hardware name: VMware Virtual Platform [ 131.191092] list_del corruption. prev->next should be ffff880022d3c100, but was 6b6b6b6b6b6b6b6b [ 131.191092] Modules linked in: tcm_vhost ib_srpt ib_cm ib_sa ib_mad ib_core tcm_qla2xxx qla2xxx tcm_loop tcm_fc libfc scsi_transport_fc crc32c iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi sr_mod cdrom sd_mod e1000 ata_piix libata mptspi mptscsih mptbase [last unloaded: scsi_wait_scan] [ 131.191092] Pid: 2250, comm: iscsi_ttx Tainted: G W 3.2.0-rc4+ #42 [ 131.191092] Call Trace: [ 131.191092] [] warn_slowpath_common+0x80/0x98 [ 131.191092] [] warn_slowpath_fmt+0x41/0x43 [ 131.191092] [] __list_del_entry+0x8d/0x98 [ 131.191092] [] transport_lun_remove_cmd+0x9b/0xb7 [target_core_mod] [ 131.191092] [] transport_generic_free_cmd+0x5d/0x71 [target_core_mod] [ 131.191092] [] iscsit_free_cmd+0x1e/0x27 [iscsi_target_mod] [ 131.191092] [] iscsit_close_connection+0x14d/0x5b2 [iscsi_target_mod] [ 131.191092] [] iscsit_take_action_for_connection_exit+0xdb/0xe0 [iscsi_target_mod] [ 131.191092] [] iscsi_target_tx_thread+0x15cb/0x1608 [iscsi_target_mod] [ 131.191092] [] ? check_preempt_wakeup+0x121/0x185 [ 131.191092] [] ? __dequeue_entity+0x2e/0x33 [ 131.191092] [] ? iscsit_send_text_rsp+0x25f/0x25f [iscsi_target_mod] [ 131.191092] [] ? iscsit_send_text_rsp+0x25f/0x25f [iscsi_target_mod] [ 131.191092] [] ? schedule+0x55/0x57 [ 131.191092] [] kthread+0x7d/0x85 [ 131.191092] [] kernel_thread_helper+0x4/0x10 [ 131.191092] [] ? kthread_worker_fn+0x16d/0x16d [ 131.191092] [] ? gs_change+0x13/0x13 Reported-by: Cc: Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_util.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index a05ca1c..11287e1 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -849,6 +849,17 @@ void iscsit_free_cmd(struct iscsi_cmd *cmd) case ISCSI_OP_SCSI_TMFUNC: transport_generic_free_cmd(&cmd->se_cmd, 1); break; + case ISCSI_OP_REJECT: + /* + * Handle special case for REJECT when iscsi_add_reject*() has + * overwritten the original iscsi_opcode assignment, and the + * associated cmd->se_cmd needs to be released. + */ + if (cmd->se_cmd.se_tfo != NULL) { + transport_generic_free_cmd(&cmd->se_cmd, 1); + break; + } + /* Fall-through */ default: iscsit_release_cmd(cmd); break; -- 2.7.4