From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Jörn Engel" <joern@logfs.org>
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
linux-kernel@vger.kernel.org,
target-devel <target-devel@vger.kernel.org>
Subject: Re: [PATCH v4] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
Date: Mon, 18 Mar 2013 22:09:54 -0700 [thread overview]
Message-ID: <20130319050954.GA23390@kroah.com> (raw)
In-Reply-To: <20130319033112.GA11307@logfs.org>
On Mon, Mar 18, 2013 at 11:31:12PM -0400, Jörn Engel wrote:
> On Mon, 18 March 2013 18:53:54 -0700, Greg Kroah-Hartman wrote:
> > On Mon, Mar 18, 2013 at 07:34:13PM -0400, Jörn Engel wrote:
> > > ---
> > > drivers/target/target_core_transport.c | 17 +++++++++++------
> > > include/linux/kref.h | 26 ++++++++++++++++++++++++++
> > > 2 files changed, 37 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
> > > index 04ec9cb..b98c158 100644
> > > --- a/drivers/target/target_core_transport.c
> > > +++ b/drivers/target/target_core_transport.c
> > > @@ -2207,21 +2207,19 @@ static void target_release_cmd_kref(struct kref *kref)
> > > {
> > > struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
> > > struct se_session *se_sess = se_cmd->se_sess;
> > > - unsigned long flags;
> > >
> > > - spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
> > > if (list_empty(&se_cmd->se_cmd_list)) {
> > > - spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
> > > + spin_unlock(&se_sess->sess_cmd_lock);
> >
> > Wait, who has this locked? You took out the call to spin_lock_* above.
>
> The spinlock needs to be taken atomically wrt. the final kref_put. So
> either the kref_put was not final and we don't end up calling
> target_release_cmd_kref() or it was and the spinlock is already taken
> when calling the release function. You could call that the central
> bit of the patch. ;)
Ah, ok.
> > And why not _irqstore() anymore?
>
> Because I thought the resulting code would be horrible. But going
> through the excercise, it does seem half as bad as I feared. In fact,
> I rather like it now.
You changed the kref code too, does it work better now?
>
> Jörn
>
> --
> Happiness isn't having what you want, it's wanting what you have.
> -- unknown
>
>
> It is possible for one thread to to take se_sess->sess_cmd_lock in
> core_tmr_abort_task() before taking a reference count on
> se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
> se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
>
> This introduces kref_put_spinlock_irqsave() and uses it in
> target_put_sess_cmd() to close the race window.
>
> Signed-off-by: Joern Engel <joern@logfs.org>
> ---
> drivers/target/target_core_transport.c | 7 +++----
> include/linux/kref.h | 32 ++++++++++++++++++++++++++++++++
> 2 files changed, 35 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
> index 04ec9cb..7e856b9 100644
> --- a/drivers/target/target_core_transport.c
> +++ b/drivers/target/target_core_transport.c
> @@ -2203,13 +2203,11 @@ out:
> return ret;
> }
>
> -static void target_release_cmd_kref(struct kref *kref)
> +static void target_release_cmd_kref(struct kref *kref, unsigned long flags)
> {
> struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
> struct se_session *se_sess = se_cmd->se_sess;
> - unsigned long flags;
>
> - spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
Why pass flags to a release function?
I don't think you can do that, but it's been a while since I looked at
the spinlock code.
greg k-h
next prev parent reply other threads:[~2013-03-19 5:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 22:28 [PATCH] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race Jörn Engel
2013-03-19 0:04 ` Greg Kroah-Hartman
2013-03-18 22:56 ` Jörn Engel
2013-03-19 0:27 ` Greg Kroah-Hartman
2013-03-18 23:11 ` [PATCH v2] " Jörn Engel
2013-03-18 23:34 ` [PATCH v3] " Jörn Engel
2013-03-19 1:53 ` Greg Kroah-Hartman
2013-03-19 3:31 ` [PATCH v4] " Jörn Engel
2013-03-19 5:09 ` Greg Kroah-Hartman [this message]
2013-03-19 3:58 ` Jörn Engel
2013-03-19 13:38 ` Greg Kroah-Hartman
2013-03-19 15:03 ` Jörn Engel
2013-03-19 2:11 ` [PATCH v3] " Nicholas A. Bellinger
2013-03-19 2:39 ` Greg Kroah-Hartman
2013-03-19 2:46 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130319050954.GA23390@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=joern@logfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nab@linux-iscsi.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.