diff options
| author | Joern Engel <joern@logfs.org> | 2013-05-13 16:30:06 -0400 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-05-15 04:47:35 -0400 |
| commit | ccf5ae83a6cf3d9cfe9a7038bfe7cd38ab03d5e1 (patch) | |
| tree | cb3966328bce7584d4c24434490dc21a67ecb48b /drivers/target | |
| parent | a1321ddd27e65c6ada5b9a12cae4ee2612d76893 (diff) | |
target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
It is possible for one thread to to take se_sess->sess_cmd_lock in
core_tmr_abort_task() before taking a reference count on
se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
This introduces kref_put_spinlock_irqsave() and uses it in
target_put_sess_cmd() to close the race window.
Signed-off-by: Joern Engel <joern@logfs.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target')
| -rw-r--r-- | drivers/target/target_core_transport.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index c3477fa60942..4a793362309d 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c | |||
| @@ -2211,21 +2211,19 @@ static void target_release_cmd_kref(struct kref *kref) | |||
| 2211 | { | 2211 | { |
| 2212 | struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref); | 2212 | struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref); |
| 2213 | struct se_session *se_sess = se_cmd->se_sess; | 2213 | struct se_session *se_sess = se_cmd->se_sess; |
| 2214 | unsigned long flags; | ||
| 2215 | 2214 | ||
| 2216 | spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); | ||
| 2217 | if (list_empty(&se_cmd->se_cmd_list)) { | 2215 | if (list_empty(&se_cmd->se_cmd_list)) { |
| 2218 | spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); | 2216 | spin_unlock(&se_sess->sess_cmd_lock); |
| 2219 | se_cmd->se_tfo->release_cmd(se_cmd); | 2217 | se_cmd->se_tfo->release_cmd(se_cmd); |
| 2220 | return; | 2218 | return; |
| 2221 | } | 2219 | } |
| 2222 | if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) { | 2220 | if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) { |
| 2223 | spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); | 2221 | spin_unlock(&se_sess->sess_cmd_lock); |
| 2224 | complete(&se_cmd->cmd_wait_comp); | 2222 | complete(&se_cmd->cmd_wait_comp); |
| 2225 | return; | 2223 | return; |
| 2226 | } | 2224 | } |
| 2227 | list_del(&se_cmd->se_cmd_list); | 2225 | list_del(&se_cmd->se_cmd_list); |
| 2228 | spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); | 2226 | spin_unlock(&se_sess->sess_cmd_lock); |
| 2229 | 2227 | ||
| 2230 | se_cmd->se_tfo->release_cmd(se_cmd); | 2228 | se_cmd->se_tfo->release_cmd(se_cmd); |
| 2231 | } | 2229 | } |
| @@ -2236,7 +2234,8 @@ static void target_release_cmd_kref(struct kref *kref) | |||
| 2236 | */ | 2234 | */ |
| 2237 | int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd) | 2235 | int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd) |
| 2238 | { | 2236 | { |
| 2239 | return kref_put(&se_cmd->cmd_kref, target_release_cmd_kref); | 2237 | return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref, |
| 2238 | &se_sess->sess_cmd_lock); | ||
| 2240 | } | 2239 | } |
| 2241 | EXPORT_SYMBOL(target_put_sess_cmd); | 2240 | EXPORT_SYMBOL(target_put_sess_cmd); |
| 2242 | 2241 | ||