[PATCH] libfc: unsafe refcounting in fc_rport_work()

Hannes Reinecke <hare@xxxxxxx> · Wed, 20 Apr 2016 15:24:21 +0200

When pushing items on a workqueue we cannot take reference
when the workqueue item is executed, as the structure might
already been freed at that time.
So instead we need to take a reference before adding it
to the workqueue, thereby ensuring that the workqueue item
will always be valid.

Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
---
 drivers/scsi/libfc/fc_rport.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c
index 589ff9a..8b08263f 100644
--- a/drivers/scsi/libfc/fc_rport.c
+++ b/drivers/scsi/libfc/fc_rport.c
@@ -263,7 +263,6 @@ static void fc_rport_work(struct work_struct *work)
 		ids = rdata->ids;
 		rdata->event = RPORT_EV_NONE;
 		rdata->major_retries = 0;
-		kref_get(&rdata->kref);
 		mutex_unlock(&rdata->rp_mutex);
 
 		if (!rport)
@@ -297,7 +296,6 @@ static void fc_rport_work(struct work_struct *work)
 			FC_RPORT_DBG(rdata, "lld callback ev %d\n", event);
 			rdata->lld_event_callback(lport, rdata, event);
 		}
-		kref_put(&rdata->kref, lport->tt.rport_destroy);
 		break;
 
 	case RPORT_EV_FAILED:
@@ -377,6 +375,7 @@ static void fc_rport_work(struct work_struct *work)
 		mutex_unlock(&rdata->rp_mutex);
 		break;
 	}
+	kref_put(&rdata->kref, lport->tt.rport_destroy);
 }
 
 /**
@@ -438,8 +437,15 @@ static void fc_rport_enter_delete(struct fc_rport_priv *rdata,
 
 	fc_rport_state_enter(rdata, RPORT_ST_DELETE);
 
-	if (rdata->event == RPORT_EV_NONE)
-		queue_work(rport_event_queue, &rdata->event_work);
+	if (rdata->event == RPORT_EV_NONE) {
+		if (!kref_get_unless_zero(&rdata->kref)) {
+			FC_RPORT_DBG(rdata, "port already deleted\n");
+			return;
+		}
+		if (!queue_work(rport_event_queue, &rdata->event_work))
+			kref_put(&rdata->kref,
+				 rdata->local_port->tt.rport_destroy);
+	}
 	rdata->event = event;
 }
 
@@ -487,8 +493,15 @@ static void fc_rport_enter_ready(struct fc_rport_priv *rdata)
 
 	FC_RPORT_DBG(rdata, "Port is Ready\n");
 
-	if (rdata->event == RPORT_EV_NONE)
-		queue_work(rport_event_queue, &rdata->event_work);
+	if (rdata->event == RPORT_EV_NONE) {
+		if (!kref_get_unless_zero(&rdata->kref)) {
+			FC_RPORT_DBG(rdata, "port already deleted\n");
+			return;
+		}
+		if (!queue_work(rport_event_queue, &rdata->event_work))
+			kref_put(&rdata->kref,
+				 rdata->local_port->tt.rport_destroy);
+	}
 	rdata->event = RPORT_EV_READY;
 }
 
-- 
1.8.5.6

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






