From patchwork Mon Feb 27 03:03:59 2017
X-Patchwork-Submitter: Mike Christie
X-Patchwork-Id: 9592659
From: Mike Christie
To: target-devel@vger.kernel.org, nab@linux-iscsi.org
Cc: Mike Christie
Subject: [PATCH 3/4] iscsi target: don't free connection from iscsi_target_do_cleanup
Date: Sun, 26 Feb 2017 21:03:59 -0600
Message-Id: <1488164640-8751-4-git-send-email-mchristi@redhat.com>
In-Reply-To: <1488164640-8751-1-git-send-email-mchristi@redhat.com>
References: <1488164640-8751-1-git-send-email-mchristi@redhat.com>

We cannot free the connection in iscsi_target_do_cleanup because the
np_thread could still be accessing it.

An easy way to hit this bug is to force a command to get stuck and
time out. The initiator will send TMFs which will fail and then it will
drop the session and try to relogin. While the login thread waits in
iscsit_cause_connection_reinstatement for the original connection's
iscsit_close_connection call to iscsit_release_commands_from_conn to
complete, the initiator could fail the login operation and kill the tcp
connection. That will fire off iscsi_target_sk_state_change ->
iscsi_target_do_cleanup which will free the connection. If the command
gets unstuck then it will complete, and
iscsit_cause_connection_reinstatement will return and np_thread will
try to complete the login and access the freed connection.

This patch has iscsi_target_do_cleanup do the low level socket state
change and wake up the np_thread. When the np_thread wakes from
iscsit_cause_connection_reinstatement it will see the tcp connection
has been failed and the login will fail like normal.

Signed-off-by: Mike Christie
---
 drivers/target/iscsi/iscsi_target_nego.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c index 5269e9e..9edac16 100644 --- a/drivers/target/iscsi/iscsi_target_nego.c +++ b/drivers/target/iscsi/iscsi_target_nego.c @@ -620,17 +620,13 @@ static void iscsi_target_do_cleanup(struct work_struct *work) struct sock *sk = conn->sock->sk; struct iscsi_login *login = conn->login; struct iscsi_np *np = login->np; - struct iscsi_portal_group *tpg = conn->tpg; - struct iscsi_tpg_np *tpg_np = conn->tpg_np; pr_debug("Entering iscsi_target_do_cleanup\n"); cancel_delayed_work_sync(&conn->login_work); conn->orig_state_change(sk); - iscsi_target_restore_sock_callbacks(conn); - iscsi_target_login_drop(conn, login); - iscsit_deaccess_np(np, tpg, tpg_np); + send_sig(SIGINT, np->np_thread, 1); pr_debug("iscsi_target_do_cleanup done()\n"); }
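Review bot: The added `send_sig(SIGINT, np->np_thread, 1);` reads `np->np_thread` with no NULL check and no lock visible in this hunk, and it signals the portal's thread rather than anything tied to this `conn`. With `iscsi_target_restore_sock_callbacks(conn)`, `iscsi_target_login_drop(conn, login)` and `iscsit_deaccess_np(np, tpg, tpg_np)` removed, releasing the connection now depends entirely on np_thread still being inside the login for this same connection when the work item runs. If it has already moved on, nothing in this function restores the socket callbacks or drops the login, and the SIGINT lands on a thread that may be handling a different login. Please either guard the signal with a check that np_thread is still processing this `conn`, or add a comment above the `send_sig()` call stating the invariant that guarantees it, including why `np->np_thread` cannot be NULL or stale at this point. The function also now has two responsibilities left (`cancel_delayed_work_sync()` and `conn->orig_state_change(sk)`), so a short comment on who owns the final free after this change would help readers of the use-after-free fix described in the commit message.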