author | Stefan Hajnoczi | 2018-02-15 12:15:26 +0100 |
---|---|---|
committer | Paolo Bonzini | 2019-01-11 13:57:24 +0100 |
commit | 88e94fd238aa425c1a19d64afd1b3c83dfeb7dc2 (patch) | |
tree | 98d996062a20d8740e898766aa30dff1704e6514 /block | |
parent | block/iscsi: fix ioctl cancel use-after-free (diff) | |
block/iscsi: cancel libiscsi task when ABORT TASK TMF completes

The libiscsi iscsi_task_mgmt_async() API documentation says:

  abort_task will also cancel the scsi task. The callback for the scsi
  task will be invoked with SCSI_STATUS_CANCELLED

The libiscsi implementation does not fulfil this promise. The task's
callback is not invoked and its struct iscsi_pdu remains in the internal
list (effectively leaked).

This patch invokes the libiscsi iscsi_scsi_cancel_task() API to force
the task's callback to be invoked with SCSI_STATUS_CANCELLED when the
ABORT TASK TMF completes and the task's callback hasn't been invoked
yet.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180215111526.2464-1-stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/iscsi.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/block/iscsi.c b/block/iscsi.c index abb872d3d9..a7e8c1ffaf 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -295,8 +295,12 @@ iscsi_abort_task_cb(struct iscsi_context *iscsi, int status, void *command_data, { IscsiAIOCB *acb = private_data; - acb->status = -ECANCELED; - iscsi_schedule_bh(acb); + /* If the command callback hasn't been called yet, drop the task */ + if (!acb->bh) { + /* Call iscsi_aio_ioctl_cb() with SCSI_STATUS_CANCELLED */ + iscsi_scsi_cancel_task(iscsi, acb->task); + } + qemu_aio_unref(acb); /* acquired in iscsi_aio_cancel() */ } @@ -947,6 +951,14 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status, { IscsiAIOCB *acb = opaque; + if (status == SCSI_STATUS_CANCELLED) { + if (!acb->bh) { + acb->status = -ECANCELED; + iscsi_schedule_bh(acb); + } + return; + } + acb->status = 0; if (status < 0) { error_report("Failed to ioctl(SG_IO) to iSCSI lun. %s", |
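Review bot: In the first hunk (iscsi_abort_task_cb), the result of iscsi_scsi_cancel_task(iscsi, acb->task) is discarded, so completing the request now depends entirely on libiscsi finding the task and invoking its callback. The removed lines set acb->status = -ECANCELED and called iscsi_schedule_bh(acb) unconditionally; after this change, if the cancel call fails while acb->bh is still NULL, nothing schedules the bottom half and the request never completes. Consider checking the return value and falling back to the old two lines on failure. The comment also names iscsi_aio_ioctl_cb() specifically; if this abort callback can be reached for requests with a different completion callback, that callback needs the same SCSI_STATUS_CANCELLED handling, so it is worth stating in the comment that only ioctl requests take this path.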
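Review bot: In the second hunk (iscsi_aio_ioctl_cb), the new SCSI_STATUS_CANCELLED block has no comment explaining why the inner "if (!acb->bh)" test is needed, given that iscsi_abort_task_cb already checks acb->bh before calling iscsi_scsi_cancel_task(). If the intent is to cover cancellation delivered from some other path, or a bottom half that was scheduled in between, say so in a one-line comment. Note also that the early return skips everything from "acb->status = 0" onward, so any cleanup later in this function is bypassed on cancel; a short comment confirming that this is intended would help the next reader.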