From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel-team@lists.ubuntu.com
Cc: Joern Engel <joern@logfs.org>,
Nicholas Bellinger <nab@linux-iscsi.org>,
Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 48/78] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
Date: Tue, 28 May 2013 14:19:57 -0700 [thread overview]
Message-ID: <1369776027-17859-49-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1369776027-17859-1-git-send-email-kamal@canonical.com>
3.8.13.1 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joern Engel <joern@logfs.org>
commit ccf5ae83a6cf3d9cfe9a7038bfe7cd38ab03d5e1 upstream.
It is possible for one thread to to take se_sess->sess_cmd_lock in
core_tmr_abort_task() before taking a reference count on
se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
This introduces kref_put_spinlock_irqsave() and uses it in
target_put_sess_cmd() to close the race window.
Signed-off-by: Joern Engel <joern@logfs.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/target/target_core_transport.c | 11 +++++------
include/linux/kref.h | 33 +++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index fcf880f..e26f673 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2209,21 +2209,19 @@ static void target_release_cmd_kref(struct kref *kref)
{
struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
struct se_session *se_sess = se_cmd->se_sess;
- unsigned long flags;
- spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
if (list_empty(&se_cmd->se_cmd_list)) {
- spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+ spin_unlock(&se_sess->sess_cmd_lock);
se_cmd->se_tfo->release_cmd(se_cmd);
return;
}
if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) {
- spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+ spin_unlock(&se_sess->sess_cmd_lock);
complete(&se_cmd->cmd_wait_comp);
return;
}
list_del(&se_cmd->se_cmd_list);
- spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+ spin_unlock(&se_sess->sess_cmd_lock);
se_cmd->se_tfo->release_cmd(se_cmd);
}
@@ -2234,7 +2232,8 @@ static void target_release_cmd_kref(struct kref *kref)
*/
int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
{
- return kref_put(&se_cmd->cmd_kref, target_release_cmd_kref);
+ return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
+ &se_sess->sess_cmd_lock);
}
EXPORT_SYMBOL(target_put_sess_cmd);
diff --git a/include/linux/kref.h b/include/linux/kref.h
index 4972e6e..7419c02 100644
--- a/include/linux/kref.h
+++ b/include/linux/kref.h
@@ -19,6 +19,7 @@
#include <linux/atomic.h>
#include <linux/kernel.h>
#include <linux/mutex.h>
+#include <linux/spinlock.h>
struct kref {
atomic_t refcount;
@@ -95,6 +96,38 @@ static inline int kref_put(struct kref *kref, void (*release)(struct kref *kref)
return kref_sub(kref, 1, release);
}
+/**
+ * kref_put_spinlock_irqsave - decrement refcount for object.
+ * @kref: object.
+ * @release: pointer to the function that will clean up the object when the
+ * last reference to the object is released.
+ * This pointer is required, and it is not acceptable to pass kfree
+ * in as this function.
+ * @lock: lock to take in release case
+ *
+ * Behaves identical to kref_put with one exception. If the reference count
+ * drops to zero, the lock will be taken atomically wrt dropping the reference
+ * count. The release function has to call spin_unlock() without _irqrestore.
+ */
+static inline int kref_put_spinlock_irqsave(struct kref *kref,
+ void (*release)(struct kref *kref),
+ spinlock_t *lock)
+{
+ unsigned long flags;
+
+ WARN_ON(release == NULL);
+ if (atomic_add_unless(&kref->refcount, -1, 1))
+ return 0;
+ spin_lock_irqsave(lock, flags);
+ if (atomic_dec_and_test(&kref->refcount)) {
+ release(kref);
+ local_irq_restore(flags);
+ return 1;
+ }
+ spin_unlock_irqrestore(lock, flags);
+ return 0;
+}
+
static inline int kref_put_mutex(struct kref *kref,
void (*release)(struct kref *kref),
struct mutex *lock)
--
1.8.1.2
next prev parent reply other threads:[~2013-05-28 21:19 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-28 21:19 [ 3.8.y.z extended stable ] Linux 3.8.13.1 stable review Kamal Mostafa
2013-05-28 21:19 ` [PATCH 01/78] drm/i915: Revert hdmi HDP pin checks Kamal Mostafa
2013-05-28 21:19 ` [PATCH 02/78] ARM: S5PV210: Fix PL330 DMA controller clkdev entries Kamal Mostafa
2013-05-28 21:19 ` [PATCH 03/78] NFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_lock_delegation_recall Kamal Mostafa
2013-05-28 21:19 ` [PATCH 04/78] blkcg: fix "scheduling while atomic" in blk_queue_bypass_start Kamal Mostafa
2013-05-28 21:19 ` [PATCH 05/78] audit: Syscall rules are not applied to existing processes on non-x86 Kamal Mostafa
2013-05-28 21:19 ` [PATCH 06/78] menuconfig: Fix memory leak introduced by jump keys feature Kamal Mostafa
2013-05-28 21:19 ` [PATCH 07/78] iommu/amd: Workaround for ERBT1312 Kamal Mostafa
2013-05-28 21:19 ` [PATCH 08/78] drivers/rtc/rtc-at91rm9200.c: fix missing iounmap Kamal Mostafa
2013-05-28 21:19 ` [PATCH 09/78] drm/mm: fix dump table BUG Kamal Mostafa
2013-05-28 21:19 ` [PATCH 10/78] ASoC: wm8994: missing break in wm8994_aif3_hw_params() Kamal Mostafa
2013-05-28 21:19 ` [PATCH 11/78] tile: support new Tilera hypervisor Kamal Mostafa
2013-05-28 21:19 ` [PATCH 12/78] [SCSI] sd: fix array cache flushing bug causing performance problems Kamal Mostafa
2013-05-28 21:19 ` [PATCH 13/78] ath9k: fix key allocation error handling for powersave keys Kamal Mostafa
2013-05-28 21:19 ` [PATCH 14/78] target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio Kamal Mostafa
2013-05-28 21:19 ` [PATCH 15/78] ext4: limit group search loop for non-extent files Kamal Mostafa
2013-05-28 21:19 ` [PATCH 16/78] xen/vcpu/pvhvm: Fix vcpu hotplugging hanging Kamal Mostafa
2013-05-28 21:19 ` [PATCH 17/78] ALSA: HDA: Fix Oops caused by dereference NULL pointer Kamal Mostafa
2013-05-28 21:19 ` [PATCH 18/78] iscsi-target: Fix processing of OOO commands Kamal Mostafa
2013-05-28 21:19 ` [PATCH 19/78] audit: vfs: fix audit_inode call in O_CREAT case of do_last Kamal Mostafa
2013-05-28 21:19 ` [PATCH 20/78] ACPICA: Fix possible buffer overflow during a field unit read operation Kamal Mostafa
2013-05-28 21:19 ` [PATCH 21/78] qmi_wwan, cdc-ether: add ADU960S Kamal Mostafa
2013-05-28 21:19 ` [PATCH 22/78] qmi_wwan/cdc_ether: add device IDs for Dell 5804 (Novatel E371) WWAN card Kamal Mostafa
2013-05-28 21:19 ` [PATCH 23/78] B43: Handle DMA RX descriptor underrun Kamal Mostafa
2013-05-28 21:19 ` [PATCH 24/78] mwifiex: clear is_suspended flag when interrupt is received early Kamal Mostafa
2013-05-28 21:19 ` [PATCH 25/78] mwifiex: fix memory leak issue when driver unload Kamal Mostafa
2013-05-28 21:19 ` [PATCH 26/78] mwifiex: fix setting of multicast filter Kamal Mostafa
2013-05-28 21:19 ` [PATCH 27/78] ARM: OMAP: RX-51: change probe order of touchscreen and panel SPI devices Kamal Mostafa
2013-05-28 21:19 ` [PATCH 28/78] hp_accel: Ignore the error from lis3lv02d_poweron() at resume Kamal Mostafa
2013-05-28 21:19 ` [PATCH 29/78] KVM: VMX: fix halt emulation while emulating invalid guest sate Kamal Mostafa
2013-05-28 21:19 ` [PATCH 30/78] nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error Kamal Mostafa
2013-05-28 21:19 ` [PATCH 31/78] shm: fix null pointer deref when userspace specifies invalid hugepage size Kamal Mostafa
2013-05-28 21:19 ` [PATCH 32/78] dm stripe: fix regression in stripe_width calculation Kamal Mostafa
2013-05-28 21:19 ` [PATCH 33/78] dm snapshot: fix error return code in snapshot_ctr Kamal Mostafa
2013-05-28 21:19 ` [PATCH 34/78] mm: teach mm by current context info to not do I/O during memory allocation Kamal Mostafa
2013-05-28 21:19 ` [PATCH 35/78] dm bufio: avoid a possible __vmalloc deadlock Kamal Mostafa
2013-05-28 21:19 ` [PATCH 36/78] dm table: fix write same support Kamal Mostafa
2013-05-28 21:19 ` [PATCH 37/78] tick: Cleanup NOHZ per cpu data on cpu down Kamal Mostafa
2013-05-28 21:19 ` [PATCH 38/78] ACPI / EC: Restart transaction even when the IBF flag set Kamal Mostafa
2013-05-28 21:19 ` [PATCH 39/78] drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register Kamal Mostafa
2013-05-28 21:19 ` [PATCH 40/78] drm/mgag200: Fix framebuffer base address programming Kamal Mostafa
2013-05-28 21:19 ` [PATCH 41/78] drm/radeon: check incoming cliprects pointer Kamal Mostafa
2013-05-28 21:19 ` [PATCH 42/78] arm64: debug: clear mdscr_el1 instead of taking the OS lock Kamal Mostafa
2013-05-28 21:19 ` [PATCH 43/78] ARM: 7720/1: ARM v6/v7 cmpxchg64 shouldn't clear upper 32 bits of the old/new value Kamal Mostafa
2013-05-28 21:19 ` [PATCH 44/78] powerpc/kexec: Fix kexec when using VMX optimised memcpy Kamal Mostafa
2013-05-28 21:19 ` [PATCH 45/78] powerpc: Bring all threads online prior to migration/hibernation Kamal Mostafa
2013-05-28 21:19 ` [PATCH 46/78] arm64: mm: Fix operands of clz in __flush_dcache_all Kamal Mostafa
2013-05-28 21:19 ` [PATCH 47/78] timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE Kamal Mostafa
2013-05-28 21:19 ` Kamal Mostafa [this message]
2013-05-28 21:19 ` [PATCH 49/78] tracing: Fix leaks of filter preds Kamal Mostafa
2013-05-28 21:19 ` [PATCH 50/78] usermodehelper: check subprocess_info->path != NULL Kamal Mostafa
2013-05-28 21:20 ` [PATCH 51/78] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow Kamal Mostafa
2013-05-28 21:20 ` [PATCH 52/78] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex Kamal Mostafa
2013-05-28 21:20 ` [PATCH 53/78] btrfs: don't stop searching after encountering the wrong item Kamal Mostafa
2013-05-28 21:20 ` [PATCH 54/78] watchdog: Fix race condition in registration code Kamal Mostafa
2013-05-28 21:20 ` [PATCH 55/78] pch_dma: Use GFP_ATOMIC because called from interrupt context Kamal Mostafa
2013-05-28 21:20 ` [PATCH 56/78] ARM: EXYNOS5: Fix kernel dump in AFTR idle mode Kamal Mostafa
2013-05-28 21:20 ` [PATCH 57/78] drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe() Kamal Mostafa
2013-05-28 21:20 ` [PATCH 58/78] tcp: force a dst refcount when prequeue packet Kamal Mostafa
2013-05-28 21:20 ` [PATCH 59/78] sfc: Fix naming of MTD partitions for FPGA bitfiles Kamal Mostafa
2013-05-28 21:20 ` [PATCH 60/78] net: tun: release the reference of tun device in tun_recvmsg Kamal Mostafa
2013-05-28 21:20 ` [PATCH 61/78] net: mac802154: comparision issue of type cast, finding by EXTRA_CFLAGS=-W Kamal Mostafa
2013-05-28 21:20 ` [PATCH 62/78] tcp: reset timer after any SYNACK retransmit Kamal Mostafa
2013-05-28 21:20 ` [PATCH 63/78] 3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA) Kamal Mostafa
2013-05-28 21:20 ` [PATCH 64/78] net_sched: act_ipt forward compat with xtables Kamal Mostafa
2013-05-28 21:20 ` [PATCH 65/78] net: use netdev_features_t in skb_needs_linearize() Kamal Mostafa
2013-05-28 21:20 ` [PATCH 66/78] net: vlan,ethtool: netdev_features_t is more than 32 bit Kamal Mostafa
2013-05-28 21:20 ` [PATCH 67/78] bridge: fix race with topology change timer Kamal Mostafa
2013-05-28 21:20 ` [PATCH 68/78] packet: tpacket_v3: do not trigger bug() on wrong header status Kamal Mostafa
2013-05-28 21:20 ` [PATCH 69/78] virtio: don't expose u16 in userspace api Kamal Mostafa
2013-05-28 21:20 ` [PATCH 70/78] 3c59x: fix freeing nonexistent resource on driver unload Kamal Mostafa
2013-05-28 21:20 ` [PATCH 71/78] 3c59x: fix PCI resource management Kamal Mostafa
2013-05-28 21:20 ` [PATCH 72/78] if_cablemodem.h: Add parenthesis around ioctl macros Kamal Mostafa
2013-05-28 21:20 ` [PATCH 73/78] macvlan: fix passthru mode race between dev removal and rx path Kamal Mostafa
2013-05-28 21:20 ` [PATCH 74/78] ipv6: do not clear pinet6 field Kamal Mostafa
2013-05-28 21:20 ` [PATCH 75/78] ipv6,gre: do not leak info to user-space Kamal Mostafa
2013-05-28 21:20 ` [PATCH 76/78] xfrm6: release dev before returning error Kamal Mostafa
2013-05-28 21:20 ` [PATCH 77/78] drm/i915: add HAS_DDI check Kamal Mostafa
2013-05-28 21:20 ` [PATCH 78/78] drm/i915: don't intel_crt_init on any ULT machines Kamal Mostafa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1369776027-17859-49-git-send-email-kamal@canonical.com \
--to=kamal@canonical.com \
--cc=joern@logfs.org \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nab@linux-iscsi.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).