Re: [PATCH v4] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

On Mon, Mar 18, 2013 at 11:58:03PM -0400, Jörn Engel wrote:
> On Mon, 18 March 2013 22:09:54 -0700, Greg Kroah-Hartman wrote:
> > On Mon, Mar 18, 2013 at 11:31:12PM -0400, Jörn Engel wrote:
> > > On Mon, 18 March 2013 18:53:54 -0700, Greg Kroah-Hartman wrote:
> > 
> > > > And why not _irqstore() anymore?
> > > 
> > > Because I thought the resulting code would be horrible.  But going
> > > through the excercise, it does seem half as bad as I feared.  In fact,
> > > I rather like it now.
> > 
> > You changed the kref code too, does it work better now?
> 
> It compiles.  I don't have a good testcase, so the procedure is to
> throw it into the test infrastructure and wait a week.

Really?  Please make a test cast to test it out properly.

> > > It is possible for one thread to to take se_sess->sess_cmd_lock in
> > > core_tmr_abort_task() before taking a reference count on
> > > se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
> > > se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
> > > 
> > > This introduces kref_put_spinlock_irqsave() and uses it in
> > > target_put_sess_cmd() to close the race window.
> > > 
> > > Signed-off-by: Joern Engel <joern@logfs.org>
> > > ---
> > >  drivers/target/target_core_transport.c |    7 +++----
> > >  include/linux/kref.h                   |   32 ++++++++++++++++++++++++++++++++
> > >  2 files changed, 35 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
> > > index 04ec9cb..7e856b9 100644
> > > --- a/drivers/target/target_core_transport.c
> > > +++ b/drivers/target/target_core_transport.c
> > > @@ -2203,13 +2203,11 @@ out:
> > >  	return ret;
> > >  }
> > >  
> > > -static void target_release_cmd_kref(struct kref *kref)
> > > +static void target_release_cmd_kref(struct kref *kref, unsigned long flags)
> > >  {
> > >  	struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
> > >  	struct se_session *se_sess = se_cmd->se_sess;
> > > -	unsigned long flags;
> > >  
> > > -	spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
> > 
> > Why pass flags to a release function?
> > 
> > I don't think you can do that, but it's been a while since I looked at
> > the spinlock code.
> 
> The alternative would be to call local_irq_restore(flags); from
> kref_put_spinlock_irqsave() and not pass the flags.  Getting rid of
> the extra parameter would be nice.  But I'm not sure I want to prove
> that
> 	spin_unlock(lock);
> 	local_irq_restore(flags);
> is the same as 
> 	spin_unlock_irqrestore(lock, flags);
> on all architectures and with all combinations of CONFIG options.

It should be.

> I think it should be, but I wouldn't bet half a cookie on it.

That's why we have the code readable for everyone to see :)

I suggest doing some research and determining if this is true or not,
please, before I can accept this.

greg k-h