authorStefan Hajnoczi2018-02-15 12:15:26 +0100
committerPaolo Bonzini2019-01-11 13:57:24 +0100
commit88e94fd238aa425c1a19d64afd1b3c83dfeb7dc2 (patch)
tree98d996062a20d8740e898766aa30dff1704e6514 /block
parentblock/iscsi: fix ioctl cancel use-after-free (diff)
block/iscsi: cancel libiscsi task when ABORT TASK TMF completes
The libiscsi iscsi_task_mgmt_async() API documentation says:

  abort_task will also cancel the scsi task. The callback for the scsi
  task will be invoked with SCSI_STATUS_CANCELLED

The libiscsi implementation does not fulfil this promise. The task's callback is not invoked and its struct iscsi_pdu remains in the internal list (effectively leaked).

This patch invokes the libiscsi iscsi_scsi_cancel_task() API to force the task's callback to be invoked with SCSI_STATUS_CANCELLED when the ABORT TASK TMF completes and the task's callback hasn't been invoked yet.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180215111526.2464-1-stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'block')
-rw-r--r--block/iscsi.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/block/iscsi.c b/block/iscsi.c
index abb872d3d9..a7e8c1ffaf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -295,8 +295,12 @@ iscsi_abort_task_cb(struct iscsi_context *iscsi, int status, void *command_data,
{
IscsiAIOCB *acb = private_data;
- acb->status = -ECANCELED;
- iscsi_schedule_bh(acb);
+ /* If the command callback hasn't been called yet, drop the task */
+ if (!acb->bh) {
+ /* Call iscsi_aio_ioctl_cb() with SCSI_STATUS_CANCELLED */
+ iscsi_scsi_cancel_task(iscsi, acb->task);
+ }
+
qemu_aio_unref(acb); /* acquired in iscsi_aio_cancel() */
}
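Review bot: The return value of `iscsi_scsi_cancel_task(iscsi, acb->task)` is discarded in the new `if (!acb->bh)` branch, and the lines that unconditionally set `acb->status = -ECANCELED` and scheduled the bottom half are removed, so completion of a cancelled request now depends entirely on libiscsi invoking the command callback. If the call fails (it returns an int, presumably negative when the task is no longer in libiscsi's queues), nothing completes the acb and the request stays pending with no diagnostic. At minimum report it, e.g. `if (iscsi_scsi_cancel_task(iscsi, acb->task) < 0) { error_report("iSCSI: ABORT TASK done but task was not cancelled"); }`. Completing the acb directly in that case is not obviously safe, because a late command callback could then touch an already completed request. The TMF `status` argument is still ignored as well.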
@@ -947,6 +951,14 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status,
{
IscsiAIOCB *acb = opaque;
+ if (status == SCSI_STATUS_CANCELLED) {
+ if (!acb->bh) {
+ acb->status = -ECANCELED;
+ iscsi_schedule_bh(acb);
+ }
+ return;
+ }
+
acb->status = 0;
if (status < 0) {
error_report("Failed to ioctl(SG_IO) to iSCSI lun. %s",
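Review bot: The new `SCSI_STATUS_CANCELLED` branch does not document that `acb->bh` is the only guard against completing the request twice, which matters because the parent commit fixed a use-after-free on this same cancel path. I would add above the inner check something like `/* Cancelled by iscsi_abort_task_cb(); a non-NULL acb->bh means completion is already scheduled, so do nothing */`. The branch also fires for any cancelled status libiscsi reports, not only the one triggered from the abort callback, so the comment should say whether that is intended. The body of iscsi_aio_ioctl_cb continues past the end of this hunk.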