Commit d39df158 authored by Mike Christie's avatar Mike Christie Committed by Martin K. Petersen
Browse files

scsi: iscsi: Have abort handler get ref to conn 

If SCSI midlayer is aborting a task when we are tearing down the conn we
could free the conn while the abort thread is accessing the conn. This has
the abort handler get a ref to the conn so it won't be freed from under it.

Note: this is not needed for device/target reset because we are holding the
eh_mutex when accessing the conn.

Link: https://lore.kernel.org/r/20210525181821.7617-12-michael.christie@oracle.com


Reviewed-by: default avatarLee Duncan <lduncan@suse.com>
Signed-off-by: default avatarMike Christie <michael.christie@oracle.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent b1d19e8c

drivers/scsi/libiscsi.c

+4 −3
Original line number Diff line number Diff line
@@ -2285,6 +2285,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) 
	}



	conn = session->leadconn;

	iscsi_get_conn(conn->cls_conn);

	conn->eh_abort_cnt++;

	age = session->age;
@@ -2295,9 +2296,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) 
		ISCSI_DBG_EH(session, "sc completed while abort in progress\n");



		spin_unlock(&session->back_lock);

		spin_unlock_bh(&session->frwd_lock);

		mutex_unlock(&session->eh_mutex);

		return SUCCESS;

		goto success;

	}

	ISCSI_DBG_EH(session, "aborting [sc %p itt 0x%x]\n", sc, task->itt);

	__iscsi_get_task(task);
@@ -2364,6 +2363,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) 
	ISCSI_DBG_EH(session, "abort success [sc %p itt 0x%x]\n",

		     sc, task->itt);

	iscsi_put_task(task);

	iscsi_put_conn(conn->cls_conn);

	mutex_unlock(&session->eh_mutex);

	return SUCCESS;
@@ -2373,6 +2373,7 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) 
	ISCSI_DBG_EH(session, "abort failed [sc %p itt 0x%x]\n", sc,

		     task ? task->itt : 0);

	iscsi_put_task(task);

	iscsi_put_conn(conn->cls_conn);

	mutex_unlock(&session->eh_mutex);

	return FAILED;

}