summaryrefslogtreecommitdiffstats
path: root/include/target
diff options
context:
space:
mode:
authorNicholas Bellinger <nab@linux-iscsi.org>2016-12-07 12:55:54 -0800
committerNicholas Bellinger <nab@linux-iscsi.org>2017-02-08 08:25:23 -0800
commit01d4d673558985d9a118e1e05026633c3e2ade9b (patch)
tree0aa259773374b5a919689c9db28d78274778b359 /include/target
parentc54eeffbe9338fa982dc853d816fda9202a13b5a (diff)
downloadlinux-stable-01d4d673558985d9a118e1e05026633c3e2ade9b.tar.gz
linux-stable-01d4d673558985d9a118e1e05026633c3e2ade9b.tar.bz2
linux-stable-01d4d673558985d9a118e1e05026633c3e2ade9b.zip
target: Fix multi-session dynamic se_node_acl double free OOPs
This patch addresses a long-standing bug with multi-session (eg: iscsi-target + iser-target) se_node_acl dynamic free withini transport_deregister_session(). This bug is caused when a storage endpoint is configured with demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1) initiators, and initiator login creates a new dynamic node acl and attaches two sessions to it. After that, demo-mode for the storage instance is disabled via configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and the existing dynamic acl is never converted to an explicit ACL. The end result is dynamic acl resources are released twice when the sessions are shutdown in transport_deregister_session(). If the storage instance is not changed to disable demo-mode, or the dynamic acl is converted to an explict ACL, or there is only a single session associated with the dynamic ACL, the bug is not triggered. To address this big, move the release of dynamic se_node_acl memory into target_complete_nacl() so it's only freed once when se_node_acl->acl_kref reaches zero. (Drop unnecessary list_del_init usage - HCH) Reported-by: Rob Millner <rlm@daterainc.com> Tested-by: Rob Millner <rlm@daterainc.com> Cc: Rob Millner <rlm@daterainc.com> Cc: stable@vger.kernel.org # 4.1+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'include/target')
-rw-r--r--include/target/target_core_base.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index 43edf82e54ff..da854fb4530f 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -538,6 +538,7 @@ struct se_node_acl {
char initiatorname[TRANSPORT_IQN_LEN];
/* Used to signal demo mode created ACL, disabled by default */
bool dynamic_node_acl;
+ bool dynamic_stop;
u32 queue_depth;
u32 acl_index;
enum target_prot_type saved_prot_type;