Commit 462c12d9 authored May 22, 2019 by Jim Harris Committed by Changpeng Liu May 24, 2019

iscsi: free pdus in hot remove path with no lun



The datain handling code path will set the LUN to
NULL if it finds a task's LUN has been hotremoved.
This could happen before the iscsi hotplug routine
actually gets a chance to run.  If this happens,
one of these tasks doesn't actually get freed, and
then will be freed after the lun is closed -
causing a segfault in the bdev layer since it may
have a bdev_io associated with it.

Found by running the iscsi_tgt/fio test after
applying the next patch in this series.

There's more work needed in this hot remove clean up
path - currently we are just freeing a lot of PDUs
rather than completing them with error status when
a LUN is hot removed.  But let's tackle that
separately.

Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: I8d27f0c7a79ae91cb6504e5ff6ffc8e346c9e54c

Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/455460


Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>

parent 151a357c

lib/iscsi/conn.c

+7 −1

Original line number	Diff line number	Diff line
		@@ -624,7 +624,13 @@ _iscsi_conn_remove_lun(void arg1, void arg2)

		spdk_clear_all_transfer_task(conn, lun, NULL);
		TAILQ_FOREACH_SAFE(pdu, &conn->write_pdu_list, tailq, tmp_pdu) {
		if (pdu->task && (lun == pdu->task->scsi.lun)) {
		/* If the pdu's LUN matches the LUN that was removed, free this
		* PDU immediately. If the pdu's LUN is NULL, then we know
		* the datain handling code already detected the hot removal,
		* so we can free that PDU as well.
		*/
		if (pdu->task &&
		(lun == pdu->task->scsi.lun \|\| NULL == pdu->task->scsi.lun)) {
		TAILQ_REMOVE(&conn->write_pdu_list, pdu, tailq);
		spdk_iscsi_conn_free_pdu(conn, pdu);
		}