Hi Greg,
On Mon, 2014-02-10 at 11:44 -0800, [email protected] wrote:
> The patch below does not apply to the 3.13-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <[email protected]>.
>
> thanks,
>
> greg k-h
>
>
> ------------------ original commit in Linus's tree ------------------
>
> From 5259a06ef97068b710f45d092a587e8d740f750f Mon Sep 17 00:00:00 2001
> From: Nicholas Bellinger <[email protected]>
> Date: Tue, 28 Jan 2014 17:56:30 -0800
> Subject: [PATCH] target: Fix percpu_ref_put race in transport_lun_remove_cmd
>
> This patch fixes a percpu_ref_put race for se_lun->lun_ref in
> transport_lun_remove_cmd() where ->lun_ref could end up being
> put more than once per command via different target completion
> and fabric release contexts.
>
> It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
> percpu_ref_put() is only ever called once per se_cmd.
>
> This bug was manifesting itself as a LUN shutdown regression
> bug in >= v3.13 code, where percpu_ref_kill() would end up
> hanging indefinately due to the incorrect percpu_ref count.
>
> (Change se_cmd->lun_ref_active from bool -> int to force at
> least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)
>
> Reported-by: Tommy Apel <[email protected]>
> Cc: Tommy Apel <[email protected]>
> Cc: <[email protected]> #3.13+
> Signed-off-by: Nicholas Bellinger <[email protected]>
>
> diff --git a/drivers/target/target_core_transport.c
> b/drivers/target/target_core_transport.c
> index 51a9736be726..c50fd9f11aab 100644
> --- a/drivers/target/target_core_transport.c
> +++ b/drivers/target/target_core_transport.c
> @@ -594,10 +594,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
> {
> struct se_lun *lun = cmd->se_lun;
>
> - if (!lun || !cmd->lun_ref_active)
> + if (!lun)
> return;
>
> - percpu_ref_put(&lun->lun_ref);
> + if (cmpxchg(&cmd->lun_ref_active, true, false))
> + percpu_ref_put(&lun->lun_ref);
> }
>
> void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
> diff --git a/include/target/target_core_base.h
> b/include/target/target_core_base.h
> index d28418645b00..909dacbd230f 100644
> --- a/include/target/target_core_base.h
> +++ b/include/target/target_core_base.h
> @@ -552,7 +552,7 @@ struct se_cmd {
> void *priv;
>
> /* Used for lun->lun_ref counting */
> - bool lun_ref_active;
> + int lun_ref_active;
>
> /* DIF related members */
> enum target_prot_op prot_op;
>
There is a small context change in target_core_base.h on this one..
Please apply for v3.13.y code.
Thank you,
--nab
diff --git a/drivers/target/target_core_transport.c
b/drivers/target/target_core_transport.c
index 91953da..dee2be1 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -568,10 +568,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
{
struct se_lun *lun = cmd->se_lun;
- if (!lun || !cmd->lun_ref_active)
+ if (!lun)
return;
- percpu_ref_put(&lun->lun_ref);
+ if (cmpxchg(&cmd->lun_ref_active, true, false))
+ percpu_ref_put(&lun->lun_ref);
}
void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
diff --git a/include/target/target_core_base.h
b/include/target/target_core_base.h
index 321301c..e3569f8 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -497,7 +497,7 @@ struct se_cmd {
void *priv;
/* Used for lun->lun_ref counting */
- bool lun_ref_active;
+ int lun_ref_active;
};
struct se_ua {
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
