[PATCH openEuler-1.0-LTS] scsi: target: core: Add TMF to tmr_list handling - Kernel

6 May 2024

From: Dmitry Bogdanov d.bogdanov@yadro.com
stable inclusion
from stable-v4.19.308
commit 425a571a7e6fc389954cf2564e1edbba3740e171
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJQC
CVE: CVE-2024-26845
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 83ab68168a3d990d5ff39ab030ad5754cbbccb25 ]
An abort that is responded to by iSCSI itself is added to tmr_list but does
not go to target core. A LUN_RESET that goes through tmr_list takes a
refcounter on the abort and waits for completion. However, the abort will
be never complete because it was not started in target core.
Unable to locate ITT: 0x05000000 on CID: 0
 Unable to locate RefTaskTag: 0x05000000 on CID: 0.
 wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
 wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
...
 INFO: task kworker/0:2:49 blocked for more than 491 seconds.
 task:kworker/0:2     state:D stack:    0 pid:   49 ppid:     2 flags:0x00000800
 Workqueue: events target_tmr_work [target_core_mod]
Call Trace:
 __switch_to+0x2c4/0x470
 _schedule+0x314/0x1730
 schedule+0x64/0x130
 schedule_timeout+0x168/0x430
 wait_for_completion+0x140/0x270
 target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]
 core_tmr_lun_reset+0x30/0xa0 [target_core_mod]
 target_tmr_work+0xc8/0x1b0 [target_core_mod]
 process_one_work+0x2d4/0x5d0
 worker_thread+0x78/0x6c0
To fix this, only add abort to tmr_list if it will be handled by target
core.
Signed-off-by: Dmitry Bogdanov d.bogdanov@yadro.com
Link: https://lore.kernel.org/r/20240111125941.8688-1-d.bogdanov@yadro.com
Reviewed-by: Mike Christie michael.christie@oracle.com
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Cui GaoSheng cuigaosheng1@huawei.com
---
 drivers/target/target_core_device.c    | 5 -----
 drivers/target/target_core_transport.c | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index e9ff2a7c0c0e..f990aae1d621 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -164,7 +164,6 @@ int transport_lookup_tmr_lun(struct se_cmd *se_cmd, u64 unpacked_lun)
    struct se_session *se_sess = se_cmd->se_sess;
    struct se_node_acl *nacl = se_sess->se_node_acl;
    struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-	unsigned long flags;
rcu_read_lock();
    deve = target_nacl_find_deve(nacl, unpacked_lun);
@@ -195,10 +194,6 @@ int transport_lookup_tmr_lun(struct se_cmd *se_cmd, u64 unpacked_lun)
    se_cmd->se_dev = rcu_dereference_raw(se_lun->lun_se_dev);
    se_tmr->tmr_dev = rcu_dereference_raw(se_lun->lun_se_dev);
-	spin_lock_irqsave(&se_tmr->tmr_dev->se_tmr_lock, flags);
-	list_add_tail(&se_tmr->tmr_list, &se_tmr->tmr_dev->dev_tmr_list);
-	spin_unlock_irqrestore(&se_tmr->tmr_dev->se_tmr_lock, flags);
-
    return 0;
 }
 EXPORT_SYMBOL(transport_lookup_tmr_lun);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 9c60a090cfd1..7bd863e2c05b 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -3431,6 +3431,10 @@ int transport_generic_handle_tmr(
    unsigned long flags;
    bool aborted = false;
+	spin_lock_irqsave(&cmd->se_dev->se_tmr_lock, flags);
+	list_add_tail(&cmd->se_tmr_req->tmr_list, &cmd->se_dev->dev_tmr_list);
+	spin_unlock_irqrestore(&cmd->se_dev->se_tmr_lock, flags);
+
    spin_lock_irqsave(&cmd->t_state_lock, flags);
    if (cmd->transport_state & CMD_T_ABORTED) {
    	aborted = true;
-- 
2.34.1


    