Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-26 04:42:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
73d4e580cc
linux/drivers/target
History
Nicholas Bellinger 73d4e580cc target: Fix kref->refcount underflow in transport_cmd_finish_abort 
This patch fixes a se_cmd->cmd_kref underflow during CMD_T_ABORTED
when a fabric driver drops it's second reference from below the
target_core_tmr.c based callers of transport_cmd_finish_abort().

Recently with the conversion of kref to refcount_t, this bug was
manifesting itself as:

[705519.601034] refcount_t: underflow; use-after-free.
[705519.604034] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 20116.512 msecs
[705539.719111] ------------[ cut here ]------------
[705539.719117] WARNING: CPU: 3 PID: 26510 at lib/refcount.c:184 refcount_sub_and_test+0x33/0x51

Since the original kref atomic_t based kref_put() didn't check for
underflow and only invoked the final callback when zero was reached,
this bug did not manifest in practice since all se_cmd memory is
using preallocated tags.

To address this, go ahead and propigate the existing return from
transport_put_cmd() up via transport_cmd_finish_abort(), and
change transport_cmd_finish_abort() + core_tmr_handle_tas_abort()
callers to only do their local target_put_sess_cmd() if necessary.

Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Tested-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.14+
Tested-by: Gary Guo <ghg@datera.io>
Tested-by: Chu Yuan Lin <cyl@datera.io>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2017-06-08 22:24:18 -07:00
..
iscsi iscsi-target: Always wait for kthread_should_stop() before kthread exit 2017-05-31 15:12:57 -07:00
loopback target: Minimize #include directives 2016-12-09 10:22:28 -08:00
sbp sbp-target: Add an #include directive 2016-12-09 10:20:10 -08:00
tcm_fc Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-03-02 14:52:05 -08:00
Kconfig block: make scsi_request and scsi ioctl support optional 2017-01-31 10:53:05 -07:00
Makefile
target_core_alua.c target: Fix ALUA transition state race between multiple initiators 2017-03-30 23:12:40 -07:00
target_core_alua.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_configfs.c target: fixup error message in target_tg_pt_gp_tg_pt_gp_id_store() 2017-05-01 22:21:53 -07:00
target_core_device.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
target_core_fabric_configfs.c target: Avoid mappedlun symlink creation during lun shutdown 2017-03-30 01:36:52 -07:00
target_core_fabric_lib.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
target_core_file.c target/fileio: Fix zero-length READ and WRITE handling 2017-05-07 16:05:16 -07:00
target_core_file.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_hba.c target: Fix target_sense_desc_format NULL pointer dereference 2015-09-24 23:17:23 -07:00
target_core_iblock.c target/iblock: convert iblock_req.pending from atomic_t to refcount_t 2017-05-01 22:20:43 -07:00
target_core_iblock.h target/iblock: convert iblock_req.pending from atomic_t to refcount_t 2017-05-01 22:20:43 -07:00
target_core_internal.h target: Fix kref->refcount underflow in transport_cmd_finish_abort 2017-06-08 22:24:18 -07:00
target_core_pr.c target/user: PGR Support 2017-05-01 22:21:45 -07:00
target_core_pr.h target/pr: update PR out action code table 2017-05-01 22:20:44 -07:00
target_core_pscsi.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
target_core_pscsi.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_rd.c target: Improve size determinations in two functions 2017-05-01 22:21:30 -07:00
target_core_rd.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_sbc.c Revert "target: Fix VERIFY and WRITE VERIFY command parsing" 2017-05-11 01:01:05 -07:00
target_core_spc.c target: Remove enum transport_lunflags_table 2016-03-10 21:48:55 -08:00
target_core_stat.c target: Add counters for ABORT_TASK success + failure 2017-02-26 16:21:06 -08:00
target_core_tmr.c target: Fix kref->refcount underflow in transport_cmd_finish_abort 2017-06-08 22:24:18 -07:00
target_core_tpg.c target: Don't force session reset if queue_depth does not change 2017-05-04 20:01:40 -07:00
target_core_transport.c target: Fix kref->refcount underflow in transport_cmd_finish_abort 2017-06-08 22:24:18 -07:00
target_core_ua.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
target_core_ua.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_user.c tcmu: fix crash during device removal 2017-05-23 19:50:49 -07:00
target_core_xcopy.c target: Use correct SCSI status during EXTENDED_COPY exception 2017-02-08 07:46:54 -08:00
target_core_xcopy.h target: check for XCOPY parameter truncation 2017-01-10 08:41:27 -08:00