This is a note to let you know that I've just added the patch titled target: Fix COMPARE_AND_WRITE ref leak for non GOOD status to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: target-fix-compare_and_write-ref-leak-for-non-good-status.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 9b2792c3da1e80f2d460167d319302a24c9ca2b7 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> Date: Mon, 6 Feb 2017 14:28:09 -0800 Subject: target: Fix COMPARE_AND_WRITE ref leak for non GOOD status From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> commit 9b2792c3da1e80f2d460167d319302a24c9ca2b7 upstream. This patch addresses a long standing bug where the commit phase of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference leak if se_cmd->scsi_status returned non SAM_STAT_GOOD. This would manifest first as a lost SCSI response, and eventual hung task during fabric driver logout or re-login, as existing shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref to reach zero. To address this bug, compare_and_write_post() has been changed to drop the incorrect !cmd->scsi_status conditional that was preventing *post_ret = 1 for being set during non SAM_STAT_GOOD status. This patch has been tested with SAM_STAT_CHECK_CONDITION status from normal target_complete_cmd() callback path, as well as the incoming __target_execute_cmd() submission failure path when se_cmd->execute_cmd() returns non zero status. Reported-by: Donald White <dew@xxxxxxxxx> Cc: Donald White <dew@xxxxxxxxx> Tested-by: Gary Guo <ghg@xxxxxxxxx> Cc: Gary Guo <ghg@xxxxxxxxx> Reviewed-by: Christoph Hellwig <hch@xxxxxx> Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/target/target_core_sbc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/target/target_core_sbc.c +++ b/drivers/target/target_core_sbc.c @@ -450,6 +450,7 @@ static sense_reason_t compare_and_write_ int *post_ret) { struct se_device *dev = cmd->se_dev; + sense_reason_t ret = TCM_NO_SENSE; /* * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through @@ -457,9 +458,12 @@ static sense_reason_t compare_and_write_ * sent to the backend driver. */ spin_lock_irq(&cmd->t_state_lock); - if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) { + if (cmd->transport_state & CMD_T_SENT) { cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST; *post_ret = 1; + + if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION) + ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; } spin_unlock_irq(&cmd->t_state_lock); @@ -469,7 +473,7 @@ static sense_reason_t compare_and_write_ */ up(&dev->caw_sem); - return TCM_NO_SENSE; + return ret; } static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success, Patches currently in stable-queue which might be from nab@xxxxxxxxxxxxxxx are queue-4.9/target-fix-compare_and_write-ref-leak-for-non-good-status.patch queue-4.9/target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch queue-4.9/target-use-correct-scsi-status-during-extended_copy-exception.patch queue-4.9/ibmvscsis-add-sgl-limit.patch queue-4.9/target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch queue-4.9/target-fix-early-transport_generic_handle_tmr-abort-scenario.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html