On Tue, 2017-02-07 at 17:21 +0000, Bart Van Assche wrote:
> On Tue, 2017-02-07 at 07:53 -0800, Nicholas A. Bellinger wrote:
> > iscsi-target and iser-target currently depend upon
> > transport_generic_free_cmd() to both quiesce, and wait for the se_cmd to
> > complete via se_cmd->cmd_wait_comp in the CMD_T_ABORTED path before
> > returning to the caller.
> >
> > This is required because as soon as all the transport_generic_free_cmd()
> > callers return, iscsi-target + iser-target expect for it to be safe to
> > release se_session associated memory.
> >
> > Which means that if transport_generic_free_cmd() doesn't wait during the
> > second order issue when CMD_T_ABORTED is blocked waiting for se_cmd to
> > be quiesced from se_device->tmr_wq context, it will trigger
> > use-after-free OOPsen.
>
> That's useful feedback. Although I have not seen any such OOPSes in my
> tests, I will make sure that no such use-after-free is triggered.
>

Note this requirement is specific to iscsi-target + iser-target only.

All other drivers in modern upstream v4.x mainline code use
target_wait_for_sess_cmds() to wait for outstanding se_cmd->cmd_kref to
reach zero, and don't have this specific requirement.