This is a note to let you know that I've just added the patch titled

    scsi: iscsi: Fix race condition between login and sync thread

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-iscsi-fix-race-condition-between-login-and-sync-thread.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From foo@baz Thu Jul 15 01:10:15 PM CEST 2021
From: Hanjun Guo <guohanjun@xxxxxxxxxx>
Date: Tue, 13 Jul 2021 17:18:36 +0800
Subject: scsi: iscsi: Fix race condition between login and sync thread
To: <stable@xxxxxxxxxxxxxxx>
Cc: <linux-kernel@xxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Sasha Levin <sashal@xxxxxxxxxx>, Gulam Mohamed <gulam.mohamed@xxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>, Hanjun Guo <guohanjun@xxxxxxxxxx>
Message-ID: <1626167917-11972-7-git-send-email-guohanjun@xxxxxxxxxx>
From: Gulam Mohamed <gulam.mohamed@xxxxxxxxxx>

commit 9e67600ed6b8565da4b85698ec659b5879a6c1c6 upstream.

A kernel panic was observed due to a timing issue between the sync thread
and the initiator processing a login response from the target. The session
reopen can be invoked both from the session sync thread when iscsid
restarts and from iscsid through the error handler. Before the initiator
receives the response to a login, another reopen request can be sent from
the error handler/sync session. When the initial login response is
subsequently processed, the connection has been closed and the socket has
been released.

To fix this a new connection state, ISCSI_CONN_BOUND, is added:

 - Set the connection state value to ISCSI_CONN_DOWN upon
   iscsi_if_ep_disconnect() and iscsi_if_stop_conn()

 - Set the connection state to the newly created value ISCSI_CONN_BOUND
   after bind connection (transport->bind_conn())

 - In iscsi_set_param(), return -ENOTCONN if the connection state is not
   either ISCSI_CONN_BOUND or ISCSI_CONN_UP

Link: https://lore.kernel.org/r/20210325093248.284678-1-gulam.mohamed@xxxxxxxxxx
Reviewed-by: Mike Christie <michael.christie@xxxxxxxxxx>
Signed-off-by: Gulam Mohamed <gulam.mohamed@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Hanjun Guo <guohanjun@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
--- drivers/scsi/scsi_transport_iscsi.c | 14 +++++++++++++- include/scsi/scsi_transport_iscsi.h | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -2480,6 +2480,7 @@ static void iscsi_if_stop_conn(struct is */ mutex_lock(&conn_mutex); conn->transport->stop_conn(conn, flag); + conn->state = ISCSI_CONN_DOWN; mutex_unlock(&conn_mutex); } 
@@ -2906,6 +2907,13 @@ iscsi_set_param(struct iscsi_transport * default: err = transport->set_param(conn, ev->u.set_param.param, data, ev->u.set_param.len); + if ((conn->state == ISCSI_CONN_BOUND) || + (conn->state == ISCSI_CONN_UP)) { + err = transport->set_param(conn, ev->u.set_param.param, + data, ev->u.set_param.len); + } else { + return -ENOTCONN; + } } return err; @@ -2965,6 +2973,7 @@ static int iscsi_if_ep_disconnect(struct mutex_lock(&conn->ep_mutex); conn->ep = NULL; mutex_unlock(&conn->ep_mutex); + conn->state = ISCSI_CONN_DOWN; } transport->ep_disconnect(ep); @@ -3732,6 +3741,8 @@ iscsi_if_recv_msg(struct sk_buff *skb, s ev->r.retcode = transport->bind_conn(session, conn, ev->u.b_conn.transport_eph, ev->u.b_conn.is_leading); + if (!ev->r.retcode) + conn->state = ISCSI_CONN_BOUND; mutex_unlock(&conn_mutex); if (ev->r.retcode || !transport->ep_connect) @@ -3971,7 +3982,8 @@ iscsi_conn_attr(local_ipaddr, ISCSI_PARA static const char *const connection_state_names[] = { [ISCSI_CONN_UP] = "up", [ISCSI_CONN_DOWN] = "down", - [ISCSI_CONN_FAILED] = "failed" + [ISCSI_CONN_FAILED] = "failed", + [ISCSI_CONN_BOUND] = "bound" }; static ssize_t show_conn_state(struct device *dev, --- a/include/scsi/scsi_transport_iscsi.h +++ b/include/scsi/scsi_transport_iscsi.h @@ -193,6 +193,7 @@ enum iscsi_connection_state { ISCSI_CONN_UP = 0, ISCSI_CONN_DOWN, ISCSI_CONN_FAILED, + ISCSI_CONN_BOUND, }; struct iscsi_cls_conn {

Patches currently in stable-queue which might be from guohanjun@xxxxxxxxxx are

queue-5.10/io_uring-simplify-io_remove_personalities.patch
queue-5.10/io_uring-convert-personality_idr-to-xarray.patch
queue-5.10/loop-fix-i-o-error-on-fsync-in-detached-loop-devices.patch
queue-5.10/io_uring-convert-io_buffer_idr-to-xarray.patch
queue-5.10/mm-hwpoison-return-ebusy-when-migration-fails.patch
queue-5.10/scsi-iscsi-fix-iscsi-cls-conn-state.patch
queue-5.10/scsi-iscsi-fix-race-condition-between-login-and-sync-thread.patch
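
Review bot: the unguarded transport->set_param() call under default: in the iscsi_set_param() hunk (@@ -2906,6 +2907,13 @@) is kept as a context line ahead of the new state check, so set_param still runs whatever the connection state is, and runs a second time when the state is ISCSI_CONN_BOUND or ISCSI_CONN_UP. The hunk header (6 lines before, 13 after) and the diffstat (a single deletion, the "failed" initializer) both show that no line is removed here. The commit message says the function should return -ENOTCONN unless the state is BOUND or UP; as written, the -ENOTCONN return is reached only after the transport has already been called. Drop the first call so that only the guarded one remains.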
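
Review bot: conn->state = ISCSI_CONN_DOWN in the iscsi_if_ep_disconnect() hunk (@@ -2965,6 +2973,7 @@) is written after mutex_unlock(&conn->ep_mutex), whereas the other two state writes in this patch, in iscsi_if_stop_conn() and after bind_conn(), sit before mutex_unlock(&conn_mutex). The visible lines do not show which lock, if any, covers this write or the read of conn->state in iscsi_set_param(). Since the patch exists to close a race on connection state, either make the write under the same lock as the other two or add a comment naming the lock that serialises conn->state on this path.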
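
Review bot: the new last initializer [ISCSI_CONN_BOUND] = "bound" in connection_state_names[] (@@ -3971,7 +3982,8 @@) has no trailing comma, which is the only reason this hunk had to rewrite the "failed" line. Ending the entry with a comma keeps the next state addition to a one-line diff and avoids touching unrelated entries in later backports.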
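
Review bot: ISCSI_CONN_BOUND is added to enum iscsi_connection_state in include/scsi/scsi_transport_iscsi.h (@@ -193,6 +193,7 @@) without a comment saying when a connection is in this state. The meaning (bind_conn() succeeded, connection not yet up) is only in the commit message; a one-line comment on the enumerator would let readers of iscsi_set_param() see why BOUND is accepted alongside ISCSI_CONN_UP. Appending it after ISCSI_CONN_FAILED keeps the existing numeric values unchanged, which is the right placement.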