From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Rob Millner <rlm@daterainc.com>,
Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 4.4 53/91] target: Fix multi-session dynamic se_node_acl double free OOPs
Date: Fri, 10 Mar 2017 10:08:52 +0100
Message-ID: <20170310083903.422466047@linuxfoundation.org>
In-Reply-To: <20170310083900.730556986@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit 01d4d673558985d9a118e1e05026633c3e2ade9b upstream.
This patch addresses a long-standing bug with multi-session
(eg: iscsi-target + iser-target) se_node_acl dynamic free
within transport_deregister_session().

This bug is caused when a storage endpoint is configured with
demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
initiators, and initiator login creates a new dynamic node acl
and attaches two sessions to it.

After that, demo-mode for the storage instance is disabled via
configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
the existing dynamic acl is never converted to an explicit ACL.

The end result is dynamic acl resources are released twice when
the sessions are shut down in transport_deregister_session().

If the storage instance is not changed to disable demo-mode,
or the dynamic acl is converted to an explicit ACL, or there
is only a single session associated with the dynamic ACL,
the bug is not triggered.

To address this bug, move the release of dynamic se_node_acl
memory into target_complete_nacl() so it's only freed once
when se_node_acl->acl_kref reaches zero.

(Drop unnecessary list_del_init usage - HCH)

Reported-by: Rob Millner <rlm@daterainc.com>
Tested-by: Rob Millner <rlm@daterainc.com>
Cc: Rob Millner <rlm@daterainc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 70 ++++++++++++++++++++-------------
include/target/target_core_base.h | 1
2 files changed, 44 insertions(+), 27 deletions(-)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -423,8 +423,20 @@ static void target_complete_nacl(struct
{
struct se_node_acl *nacl = container_of(kref,
struct se_node_acl, acl_kref);
+ struct se_portal_group *se_tpg = nacl->se_tpg;
- complete(&nacl->acl_free_comp);
+ if (!nacl->dynamic_stop) {
+ complete(&nacl->acl_free_comp);
+ return;
+ }
+
+ mutex_lock(&se_tpg->acl_node_mutex);
+ list_del(&nacl->acl_list);
+ mutex_unlock(&se_tpg->acl_node_mutex);
+
+ core_tpg_wait_for_nacl_pr_ref(nacl);
+ core_free_device_list_for_node(nacl, se_tpg);
+ kfree(nacl);
}
void target_put_nacl(struct se_node_acl *nacl)
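Review bot: the list_del(&nacl->acl_list) in the dynamic_stop branch of target_complete_nacl() unlinks an entry that has already been unlinked. In this patch dynamic_stop is only set in transport_free_session(), which runs list_del(&se_nacl->acl_list) under acl_node_mutex whenever the flag is true, before the put that leads here. Plain list_del() poisons the entry's next/prev pointers, so this second call operates on poisoned pointers. Keep the unlink in one place only, or use list_del_init() at both sites so that the second call is harmless; the commit message says list_del_init was dropped as unnecessary, which does not hold while both call sites remain.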
@@ -465,12 +477,39 @@ EXPORT_SYMBOL(transport_deregister_sessi
void transport_free_session(struct se_session *se_sess)
{
struct se_node_acl *se_nacl = se_sess->se_node_acl;
+
/*
* Drop the se_node_acl->nacl_kref obtained from within
* core_tpg_get_initiator_node_acl().
*/
if (se_nacl) {
+ struct se_portal_group *se_tpg = se_nacl->se_tpg;
+ const struct target_core_fabric_ops *se_tfo = se_tpg->se_tpg_tfo;
+ unsigned long flags;
+
se_sess->se_node_acl = NULL;
+
+ /*
+ * Also determine if we need to drop the extra ->cmd_kref if
+ * it had been previously dynamically generated, and
+ * the endpoint is not caching dynamic ACLs.
+ */
+ mutex_lock(&se_tpg->acl_node_mutex);
+ if (se_nacl->dynamic_node_acl &&
+ !se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
+ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags);
+ if (list_empty(&se_nacl->acl_sess_list))
+ se_nacl->dynamic_stop = true;
+ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags);
+
+ if (se_nacl->dynamic_stop)
+ list_del(&se_nacl->acl_list);
+ }
+ mutex_unlock(&se_tpg->acl_node_mutex);
+
+ if (se_nacl->dynamic_stop)
+ target_put_nacl(se_nacl);
+
target_put_nacl(se_nacl);
}
if (se_sess->sess_cmd_map) {
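Review bot: in transport_free_session(), the list_del() and the extra target_put_nacl() are keyed on the current value of se_nacl->dynamic_stop rather than on this call having set it. The flag is never cleared, so if another session on the same ACL reaches this block while acl_sess_list is empty and the flag is already true, it repeats the unlink and drops a further reference. Record the transition in a local variable that is set only when this call changes the flag from false to true, and gate both the list_del() and the extra put on it. Two smaller points: the flag is re-read for the extra put after acl_node_mutex has been released, and the new comment refers to ->cmd_kref although the reference dropped by target_put_nacl() is the se_node_acl's acl_kref.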
@@ -484,16 +523,12 @@ EXPORT_SYMBOL(transport_free_session);
void transport_deregister_session(struct se_session *se_sess)
{
struct se_portal_group *se_tpg = se_sess->se_tpg;
- const struct target_core_fabric_ops *se_tfo;
- struct se_node_acl *se_nacl;
unsigned long flags;
- bool drop_nacl = false;
if (!se_tpg) {
transport_free_session(se_sess);
return;
}
- se_tfo = se_tpg->se_tpg_tfo;
spin_lock_irqsave(&se_tpg->session_lock, flags);
list_del(&se_sess->sess_list);
@@ -501,34 +536,15 @@ void transport_deregister_session(struct
se_sess->fabric_sess_ptr = NULL;
spin_unlock_irqrestore(&se_tpg->session_lock, flags);
- /*
- * Determine if we need to do extra work for this initiator node's
- * struct se_node_acl if it had been previously dynamically generated.
- */
- se_nacl = se_sess->se_node_acl;
-
- mutex_lock(&se_tpg->acl_node_mutex);
- if (se_nacl && se_nacl->dynamic_node_acl) {
- if (!se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
- list_del(&se_nacl->acl_list);
- se_tpg->num_node_acls--;
- drop_nacl = true;
- }
- }
- mutex_unlock(&se_tpg->acl_node_mutex);
-
- if (drop_nacl) {
- core_tpg_wait_for_nacl_pr_ref(se_nacl);
- core_free_device_list_for_node(se_nacl, se_tpg);
- se_sess->se_node_acl = NULL;
- kfree(se_nacl);
- }
pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n",
se_tpg->se_tpg_tfo->get_fabric_name());
/*
* If last kref is dropping now for an explicit NodeACL, awake sleeping
* ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group
* removal context from within transport_free_session() code.
+ *
+ * For dynamic ACL, target_put_nacl() uses target_complete_nacl()
+ * to release all remaining generate_node_acl=1 created ACL resources.
*/
transport_free_session(se_sess);
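Review bot: the block removed from transport_deregister_session() decremented se_tpg->num_node_acls together with the list_del(), and none of the added lines in this patch carries that decrement over. If the counter is still used in this tree, it now stays one too high for every dynamic ACL released through the dynamic_stop path. Add se_tpg->num_node_acls-- next to the list_del() in transport_free_session(), under acl_node_mutex as before, or say in the commit message why it is no longer needed.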
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -544,6 +544,7 @@ struct se_node_acl {
/* Used to signal demo mode created ACL, disabled by default */
bool dynamic_node_acl;
bool acl_stop:1;
+ bool dynamic_stop;
u32 queue_depth;
u32 acl_index;
enum target_prot_type saved_prot_type;
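Review bot: the new dynamic_stop field in struct se_node_acl has no comment, unlike dynamic_node_acl just above it. A short comment stating that it is set in transport_free_session() under acl_node_mutex once the last session of an uncached dynamic ACL is gone, and that target_complete_nacl() reads it to choose between complete(&nacl->acl_free_comp) and freeing the ACL, would document the locking and lifetime rule the fix depends on.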