[PATCH v2] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Jörn Engel" <joern@logfs.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
	linux-kernel@vger.kernel.org,
	target-devel <target-devel@vger.kernel.org>
Subject: [PATCH v2] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
Date: Mon, 18 Mar 2013 19:11:54 -0400	[thread overview]
Message-ID: <20130318231154.GC9685@logfs.org> (raw)
In-Reply-To: <20130319002742.GA11050@kroah.com>

On Mon, 18 March 2013 17:27:42 -0700, Greg Kroah-Hartman wrote:
> On Mon, Mar 18, 2013 at 06:56:57PM -0400, Jörn Engel wrote:
> > 
> > Back when I originally wrote this patch, kref_put_mutex() didn't exist
> > yet.  So there is my evil predetermined plan to introduce random
> > inconsistencies by being consistent with atomic_dec_and_lock()
> > instead.
> 
> Don't be evil, leave that up to the professionals :)

I wouldn't dare question your authority in such matters. :-P

> > If you think this matters I can rename the function and resend.
> 
> Please do, it is good to name things correctly, when we have the chance.

Fair enough.

Jörn

--
ticks = jiffies;
while (ticks == jiffies);
ticks = jiffies;
-- /usr/src/linux/init/main.c


It is possible for one thread to to take se_sess->sess_cmd_lock in
core_tmr_abort_task() before taking a reference count on
se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.

This introduces kref_put_and_lock() and uses it in
target_put_sess_cmd() to close the race window.

Signed-off-by: Joern Engel <joern@logfs.org>
---
 drivers/target/target_core_transport.c |   17 +++++++++++------
 include/linux/kref.h                   |   26 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 04ec9cb..b98c158 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2207,21 +2207,19 @@ static void target_release_cmd_kref(struct kref *kref)
 {
 	struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
 	struct se_session *se_sess = se_cmd->se_sess;
-	unsigned long flags;
 
-	spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
 	if (list_empty(&se_cmd->se_cmd_list)) {
-		spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+		spin_unlock(&se_sess->sess_cmd_lock);
 		se_cmd->se_tfo->release_cmd(se_cmd);
 		return;
 	}
 	if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) {
-		spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+		spin_unlock(&se_sess->sess_cmd_lock);
 		complete(&se_cmd->cmd_wait_comp);
 		return;
 	}
 	list_del(&se_cmd->se_cmd_list);
-	spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+	spin_unlock(&se_sess->sess_cmd_lock);
 
 	se_cmd->se_tfo->release_cmd(se_cmd);
 }
@@ -2232,7 +2230,14 @@ static void target_release_cmd_kref(struct kref *kref)
  */
 int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
 {
-	return kref_put(&se_cmd->cmd_kref, target_release_cmd_kref);
+	unsigned long flags;
+	int ret;
+
+	local_irq_save(flags);
+	ret = kref_put_spinlock(&se_cmd->cmd_kref, target_release_cmd_kref,
+			&se_sess->sess_cmd_lock);
+	local_irq_restore(flags);
+	return ret;
 }
 EXPORT_SYMBOL(target_put_sess_cmd);
 
diff --git a/include/linux/kref.h b/include/linux/kref.h
index 4972e6e..c40eaf6 100644
--- a/include/linux/kref.h
+++ b/include/linux/kref.h
@@ -19,6 +19,7 @@
 #include <linux/atomic.h>
 #include <linux/kernel.h>
 #include <linux/mutex.h>
+#include <linux/spinlock_types.h>
 
 struct kref {
 	atomic_t refcount;
@@ -95,6 +96,31 @@ static inline int kref_put(struct kref *kref, void (*release)(struct kref *kref)
 	return kref_sub(kref, 1, release);
 }
 
+/**
+ * kref_put_and_lock - decrement refcount for object.
+ * @kref: object.
+ * @release: pointer to the function that will clean up the object when the
+ *	     last reference to the object is released.
+ *	     This pointer is required, and it is not acceptable to pass kfree
+ *	     in as this function.
+ * @lock: lock to take in release case
+ *
+ * Behaves identical to kref_put with one exception.  If the reference count
+ * drops to zero, the lock will be taken atomically wrt dropping the reference
+ * count.
+ */
+static inline int kref_put_spinlock(struct kref *kref,
+		void (*release)(struct kref *kref),
+		spinlock_t *lock)
+{
+	WARN_ON(release == NULL);
+	if (atomic_dec_and_lock(&kref->refcount, lock)) {
+		release(kref);
+		return 1;
+	}
+	return 0;
+}
+
 static inline int kref_put_mutex(struct kref *kref,
 				 void (*release)(struct kref *kref),
 				 struct mutex *lock)
-- 
1.7.10.4

next prev parent reply	other threads:[~2013-03-19  0:36 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-18 22:28 [PATCH] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race Jörn Engel
2013-03-19  0:04 ` Greg Kroah-Hartman
2013-03-18 22:56   ` Jörn Engel
2013-03-19  0:27     ` Greg Kroah-Hartman
2013-03-18 23:11       ` Jörn Engel [this message]
2013-03-18 23:34         ` [PATCH v3] " Jörn Engel
2013-03-19  1:53           ` Greg Kroah-Hartman
2013-03-19  3:31             ` [PATCH v4] " Jörn Engel
2013-03-19  5:09               ` Greg Kroah-Hartman
2013-03-19  3:58                 ` Jörn Engel
2013-03-19 13:38                   ` Greg Kroah-Hartman
2013-03-19 15:03                     ` Jörn Engel
2013-03-19  2:11           ` [PATCH v3] " Nicholas A. Bellinger
2013-03-19  2:39             ` Greg Kroah-Hartman
2013-03-19  2:46               ` Nicholas A. Bellinger

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:04ec9cb dfblob:b98c158 dfblob:4972e6e dfblob:c40eaf6 )
 OR (
bs:"[PATCH v2] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130318231154.GC9685@logfs.org \
    --to=joern@logfs.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nab@linux-iscsi.org \
    --cc=target-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.