Re: FAILED: patch "[PATCH] target: Fix percpu_ref_put race in transport_lun_remove_cmd" failed to apply to 3.13-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2014-02-10 at 15:57 -0800, Greg KH wrote:
> On Mon, Feb 10, 2014 at 12:54:59PM -0800, Nicholas A. Bellinger wrote:
> > Hi Greg,
> > 
> > On Mon, 2014-02-10 at 11:44 -0800, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> > > The patch below does not apply to the 3.13-stable tree.
> > > If someone wants it applied there, or to any other stable or longterm
> > > tree, then please email the backport, including the original git commit
> > > id to <stable@xxxxxxxxxxxxxxx>.
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > > 
> > > ------------------ original commit in Linus's tree ------------------
> > > 
> > > From 5259a06ef97068b710f45d092a587e8d740f750f Mon Sep 17 00:00:00 2001
> > > From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
> > > Date: Tue, 28 Jan 2014 17:56:30 -0800
> > > Subject: [PATCH] target: Fix percpu_ref_put race in transport_lun_remove_cmd
> > > 
> > > This patch fixes a percpu_ref_put race for se_lun->lun_ref in
> > > transport_lun_remove_cmd() where ->lun_ref could end up being
> > > put more than once per command via different target completion
> > > and fabric release contexts.
> > > 
> > > It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
> > > percpu_ref_put() is only ever called once per se_cmd.
> > > 
> > > This bug was manifesting itself as a LUN shutdown regression
> > > bug in >= v3.13 code, where percpu_ref_kill() would end up
> > > hanging indefinately due to the incorrect percpu_ref count.
> > > 
> > > (Change se_cmd->lun_ref_active from bool -> int to force at
> > >  least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)
> > > 
> > > Reported-by: Tommy Apel <tommyapeldk@xxxxxxxxx>
> > > Cc: Tommy Apel <tommyapeldk@xxxxxxxxx>
> > > Cc: <stable@xxxxxxxxxxxxxxx> #3.13+
> > > Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
> > > 

<SNIP>

> > There is a small context change in target_core_base.h on this one..
> > 
> > Please apply for v3.13.y code.
> > 
> > Thank you,
> > 
> > --nab
> > 
> > diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
> > index 91953da..dee2be1 100644
> > --- a/drivers/target/target_core_transport.c
> > +++ b/drivers/target/target_core_transport.c
> > @@ -568,10 +568,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
> >  {
> >         struct se_lun *lun = cmd->se_lun;
> >  
> > -       if (!lun || !cmd->lun_ref_active)
> > +       if (!lun)
> >                 return;
> 
> This patch is corrupted and can't be applied at all, please fix your
> email client to not convert tabs to spaces :(
> 
> Care to try it again?
> 

Ugh, sorry.  Here it is again.

Thanks Greg,

--nab

>From 384c780a3b6e854e1ba90c5b64374301867f2c78 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Tue, 28 Jan 2014 17:56:30 -0800
Subject: [PATCH] target: Fix percpu_ref_put race in transport_lun_remove_cmd

commit 5259a06ef97068b710f45d092a587e8d740f750f upstream.

This patch fixes a percpu_ref_put race for se_lun->lun_ref in
transport_lun_remove_cmd() where ->lun_ref could end up being
put more than once per command via different target completion
and fabric release contexts.

It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
percpu_ref_put() is only ever called once per se_cmd.

This bug was manifesting itself as a LUN shutdown regression
bug in >= v3.13 code, where percpu_ref_kill() would end up
hanging indefinately due to the incorrect percpu_ref count.

(Change se_cmd->lun_ref_active from bool -> int to force at
 least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)

Reported-by: Tommy Apel <tommyapeldk@xxxxxxxxx>
Cc: Tommy Apel <tommyapeldk@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> #3.13+
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/target/target_core_transport.c |    5 +++--
 include/target/target_core_base.h      |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 91953da..dee2be1 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -568,10 +568,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
 {
 	struct se_lun *lun = cmd->se_lun;
 
-	if (!lun || !cmd->lun_ref_active)
+	if (!lun)
 		return;
 
-	percpu_ref_put(&lun->lun_ref);
+	if (cmpxchg(&cmd->lun_ref_active, true, false))
+		percpu_ref_put(&lun->lun_ref);
 }
 
 void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index 321301c..e3569f8 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -497,7 +497,7 @@ struct se_cmd {
 	void			*priv;
 
 	/* Used for lun->lun_ref counting */
-	bool			lun_ref_active;
+	int			lun_ref_active;
 };
 
 struct se_ua {
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]