Skip to content

Commit

Permalink
target: Fix percpu_ref_put race in transport_lun_remove_cmd
Browse files Browse the repository at this point in the history
This patch fixes a percpu_ref_put race for se_lun->lun_ref in
transport_lun_remove_cmd() where ->lun_ref could end up being
put more than once per command via different target completion
and fabric release contexts.

It adds a cmpxchg() for se_cmd->lun_ref_active to ensure that
percpu_ref_put() is only ever called once per se_cmd.

This bug was manifesting itself as a LUN shutdown regression
bug in >= v3.13 code, where percpu_ref_kill() would end up
hanging indefinately due to the incorrect percpu_ref count.

(Change se_cmd->lun_ref_active from bool -> int to force at
 least a 4-byte cmpxchg with MIPS ll/sc ins. - Fengguang)

Reported-by: Tommy Apel <[email protected]>
Cc: Tommy Apel <[email protected]>
Cc: <[email protected]> #3.13+
Signed-off-by: Nicholas Bellinger <[email protected]>
  • Loading branch information
Nicholas Bellinger committed Jan 30, 2014
1 parent ee291e6 commit 5259a06
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 3 deletions.
5 changes: 3 additions & 2 deletions drivers/target/target_core_transport.c
Original file line number Diff line number Diff line change
Expand Up @@ -594,10 +594,11 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd)
{
struct se_lun *lun = cmd->se_lun;

if (!lun || !cmd->lun_ref_active)
if (!lun)
return;

percpu_ref_put(&lun->lun_ref);
if (cmpxchg(&cmd->lun_ref_active, true, false))
percpu_ref_put(&lun->lun_ref);
}

void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
Expand Down
2 changes: 1 addition & 1 deletion include/target/target_core_base.h
Original file line number Diff line number Diff line change
Expand Up @@ -552,7 +552,7 @@ struct se_cmd {
void *priv;

/* Used for lun->lun_ref counting */
bool lun_ref_active;
int lun_ref_active;

/* DIF related members */
enum target_prot_op prot_op;
Expand Down

0 comments on commit 5259a06

Please sign in to comment.