Skip to content

Commit 5259a06

Browse files
author
Nicholas Bellinger
committed
target: Fix percpu_ref_put race in transport_lun_remove_cmd
This patch fixes a percpu_ref_put race for se_lun->lun_ref in transport_lun_remove_cmd() where ->lun_ref could end up being put more than once per command via different target completion and fabric release contexts. It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that percpu_ref_put() is only ever called once per se_cmd. This bug was manifesting itself as a LUN shutdown regression bug in >= v3.13 code, where percpu_ref_kill() would end up hanging indefinately due to the incorrect percpu_ref count. (Change se_cmd->lun_ref_active from bool -> int to force at least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang) Reported-by: Tommy Apel <tommyapeldk@gmail.com> Cc: Tommy Apel <tommyapeldk@gmail.com> Cc: <stable@vger.kernel.org> #3.13+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
1 parent ee291e6 commit 5259a06

File tree

2 files changed

+4
-3
lines changed

2 files changed

+4
-3
lines changed

drivers/target/target_core_transport.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -594,10 +594,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
594594
{
595595
struct se_lun *lun = cmd->se_lun;
596596

597-
if (!lun || !cmd->lun_ref_active)
597+
if (!lun)
598598
return;
599599

600-
percpu_ref_put(&lun->lun_ref);
600+
if (cmpxchg(&cmd->lun_ref_active, true, false))
601+
percpu_ref_put(&lun->lun_ref);
601602
}
602603

603604
void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)

include/target/target_core_base.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -552,7 +552,7 @@ struct se_cmd {
552552
void *priv;
553553

554554
/* Used for lun->lun_ref counting */
555-
bool lun_ref_active;
555+
int lun_ref_active;
556556

557557
/* DIF related members */
558558
enum target_prot_op prot_op;

0 commit comments

Comments
 (0)