Patch "target: Fix percpu_ref_put race in transport_lun_remove_cmd" has been added to the 3.13-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 10 Feb 2014 16:14:37 -0800

This is a note to let you know that I've just added the patch titled

    target: Fix percpu_ref_put race in transport_lun_remove_cmd

to the 3.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     target-fix-percpu_ref_put-race-in-transport_lun_remove_cmd.patch
and it can be found in the queue-3.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 5259a06ef97068b710f45d092a587e8d740f750f Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Tue, 28 Jan 2014 17:56:30 -0800
Subject: target: Fix percpu_ref_put race in transport_lun_remove_cmd

From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>

commit 5259a06ef97068b710f45d092a587e8d740f750f upstream.

This patch fixes a percpu_ref_put race for se_lun->lun_ref in
transport_lun_remove_cmd() where ->lun_ref could end up being
put more than once per command via different target completion
and fabric release contexts.

It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
percpu_ref_put() is only ever called once per se_cmd.

This bug was manifesting itself as a LUN shutdown regression
bug in >= v3.13 code, where percpu_ref_kill() would end up
hanging indefinately due to the incorrect percpu_ref count.

(Change se_cmd->lun_ref_active from bool -> int to force at
 least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)

Reported-by: Tommy Apel <tommyapeldk@xxxxxxxxx>
Cc: Tommy Apel <tommyapeldk@xxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/target/target_core_transport.c |    5 +++--
 include/target/target_core_base.h      |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -568,10 +568,11 @@ static void transport_lun_remove_cmd(str
 {
 	struct se_lun *lun = cmd->se_lun;
 
-	if (!lun || !cmd->lun_ref_active)
+	if (!lun)
 		return;
 
-	percpu_ref_put(&lun->lun_ref);
+	if (cmpxchg(&cmd->lun_ref_active, true, false))
+		percpu_ref_put(&lun->lun_ref);
 }
 
 void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -497,7 +497,7 @@ struct se_cmd {
 	void			*priv;
 
 	/* Used for lun->lun_ref counting */
-	bool			lun_ref_active;
+	int			lun_ref_active;
 };
 
 struct se_ua {


Patches currently in stable-queue which might be from nab@xxxxxxxxxxxxxxx are

queue-3.13/percpu_ida-make-percpu_ida_alloc-callers-accept-task-state-bitmask.patch
queue-3.13/target-fix-percpu_ref_put-race-in-transport_lun_remove_cmd.patch
queue-3.13/iscsi-target-fix-connection-reset-hang-with-percpu_ida_alloc.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







