The patch below does not apply to the 3.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <[email protected]>.
thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 5259a06ef97068b710f45d092a587e8d740f750f Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger <[email protected]> Date: Tue, 28 Jan 2014 17:56:30 -0800 Subject: [PATCH] target: Fix percpu_ref_put race in transport_lun_remove_cmd This patch fixes a percpu_ref_put race for se_lun->lun_ref in transport_lun_remove_cmd() where ->lun_ref could end up being put more than once per command via different target completion and fabric release contexts. It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that percpu_ref_put() is only ever called once per se_cmd. This bug was manifesting itself as a LUN shutdown regression bug in >= v3.13 code, where percpu_ref_kill() would end up hanging indefinately due to the incorrect percpu_ref count. (Change se_cmd->lun_ref_active from bool -> int to force at least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang) Reported-by: Tommy Apel <[email protected]> Cc: Tommy Apel <[email protected]> Cc: <[email protected]> #3.13+ Signed-off-by: Nicholas Bellinger <[email protected]> diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 51a9736be726..c50fd9f11aab 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -594,10 +594,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd) { struct se_lun *lun = cmd->se_lun; - if (!lun || !cmd->lun_ref_active) + if (!lun) return; - percpu_ref_put(&lun->lun_ref); + if (cmpxchg(&cmd->lun_ref_active, true, false)) + percpu_ref_put(&lun->lun_ref); } void transport_cmd_finish_abort(struct se_cmd *cmd, int remove) diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h index d28418645b00..909dacbd230f 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h @@ -552,7 +552,7 @@ struct se_cmd { void *priv; /* Used for lun->lun_ref counting */ - bool lun_ref_active; + int lun_ref_active; /* DIF related members */ enum target_prot_op prot_op; -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
