tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

target: Fix percpu_ref_put race in transport_lun_remove_cmd

This patch fixes a percpu_ref_put race for se_lun->lun_ref in
transport_lun_remove_cmd() where ->lun_ref could end up being
put more than once per command via different target completion
and fabric release contexts.

It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
percpu_ref_put() is only ever called once per se_cmd.

This bug was manifesting itself as a LUN shutdown regression
bug in >= v3.13 code, where percpu_ref_kill() would end up
hanging indefinately due to the incorrect percpu_ref count.

(Change se_cmd->lun_ref_active from bool -> int to force at
least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)

Reported-by: Tommy Apel <tommyapeldk@gmail.com>
Cc: Tommy Apel <tommyapeldk@gmail.com>
Cc: <stable@vger.kernel.org> #3.13+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

Nicholas Bellinger 5259a06e ee291e63

+4 -3
unified split
+3 -2
drivers/target/target_core_transport.c
··· 594 { 595 struct se_lun *lun = cmd->se_lun; 596 597 - if (!lun || !cmd->lun_ref_active) 598 return; 599 600 - percpu_ref_put(&lun->lun_ref); 601 } 602 603 void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
··· 594 { 595 struct se_lun *lun = cmd->se_lun; 596 597 + if (!lun) 598 return; 599 600 + if (cmpxchg(&cmd->lun_ref_active, true, false)) 601 + percpu_ref_put(&lun->lun_ref); 602 } 603 604 void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
+1 -1
include/target/target_core_base.h
··· 552 void *priv; 553 554 /* Used for lun->lun_ref counting */ 555 - bool lun_ref_active; 556 557 /* DIF related members */ 558 enum target_prot_op prot_op;
··· 552 void *priv; 553 554 /* Used for lun->lun_ref counting */ 555 + int lun_ref_active; 556 557 /* DIF related members */ 558 enum target_prot_op prot_op;