From patchwork Thu Jul 30 06:15:23 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Nicholas A. Bellinger" <nab@daterainc.com>
X-Patchwork-Id: 6898711
Return-Path: <linux-scsi-owner@kernel.org>
X-Original-To: patchwork-linux-scsi@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id CBB4AC05AC
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 30 Jul 2015 06:20:25 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id D51B020453
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 30 Jul 2015 06:20:24 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 912AE20451
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 30 Jul 2015 06:20:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753264AbbG3GUW (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Thu, 30 Jul 2015 02:20:22 -0400
Received: from mail-ob0-f180.google.com ([209.85.214.180]:34622 "EHLO
	mail-ob0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751153AbbG3GUU (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Thu, 30 Jul 2015 02:20:20 -0400
Received: by obre1 with SMTP id e1so24072840obr.1
	for <linux-scsi@vger.kernel.org>;
	Wed, 29 Jul 2015 23:20:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=wpSfDNH53e6JnZ5U+uvsaCeNBKUUjpdEMdlZf93D0Co=;
	b=Dfmkf2C0ETkQI61jTESQhsq2oHhEn6k1P43lSPzXR+gZnSpgFBKlK9fj7WFQzchZPG
	sVTnQISUqJ6uR4OsZ9mxIXkJQYV1Krfmu1gozGLiH4/Uhl5UuwHEYoAT3Zki3w54r+px
	92qqvO50jMIAkHf4ATJeyz5dZi1J91rX5xuO0gd8QNHccVqR5CCpOUBztL2w1GMwprkO
	EUYSLs+p8eMbkoJMryfyejvgkWJub3hO5dao+WNtPcrtn7VNHOFOhXNdFBAuYFGTN6q1
	Ot78+P7jZf4dcz42w0RmfR/P/45vU9N7LvmOp2jCSM+PdckQphp/LmBdg4rKZjd4uSlK
	03ag==
X-Gm-Message-State: 
 ALoCoQkRH4xbc6OyIzGC9ZDxnhSyp2EbObtQFdFLbOo3RV4kHVgZ9xutGY3koOW5lJ2B5ONBhOr1
X-Received: by 10.60.173.7 with SMTP id bg7mr43676858oec.86.1438237219455;
	Wed, 29 Jul 2015 23:20:19 -0700 (PDT)
Received: from localhost.localdomain (mail.linux-iscsi.org. [67.23.28.174])
	by smtp.gmail.com with ESMTPSA id
	o100sm637oik.18.2015.07.29.23.20.18
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Wed, 29 Jul 2015 23:20:18 -0700 (PDT)
From: "Nicholas A. Bellinger" <nab@daterainc.com>
To: target-devel <target-devel@vger.kernel.org>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
	Nicholas Bellinger <nab@linux-iscsi.org>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.de>,
	Sagi Grimberg <sagig@mellanox.com>
Subject: [PATCH] target: Wait RCU grace-period before backend/fabric unload
Date: Thu, 30 Jul 2015 06:15:23 +0000
Message-Id: <1438236923-17889-1-git-send-email-nab@daterainc.com>
X-Mailer: git-send-email 1.7.2.5
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Nicholas Bellinger <nab@linux-iscsi.org>

This patch addresses a v4.2-rc1 regression where backend driver
struct module unload immediately after ->free_device() has done
an internal call_rcu(), results in IRQ rcu_process_callbacks()
use-after-free paging OOPsen.

It adds a explicit synchronize_rcu() in target_backend_unregister()
to wait a full RCU grace period before releasing target_backend_ops
memory, and allowing TBO->module exit to proceed.

Also, go ahead and do the same for target_unregister_template()
to ensure se_deve_entry->rcu_head -> kfree_rcu() grace period has
passed, before allowing target_core_fabric_ops->owner module exit
to proceed.

Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
 drivers/target/target_core_configfs.c | 10 +++++++++-
 drivers/target/target_core_hba.c      | 10 +++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index c2e9fea..b4c3ae0 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -457,8 +457,16 @@ void target_unregister_template(const struct target_core_fabric_ops *fo)
 		if (!strcmp(t->tf_ops->name, fo->name)) {
 			BUG_ON(atomic_read(&t->tf_access_cnt));
 			list_del(&t->tf_list);
+			mutex_unlock(&g_tf_lock);
+			/*
+			 * Allow any outstanding fabric se_deve_entry->rcu_head
+			 * grace periods to expire post kfree_rcu(), before allowing
+			 * fabric driver unload of target_core_fabric_ops->module
+			 * to proceed.
+			 */
+			synchronize_rcu();
 			kfree(t);
-			break;
+			return;
 		}
 	}
 	mutex_unlock(&g_tf_lock);
diff --git a/drivers/target/target_core_hba.c b/drivers/target/target_core_hba.c
index 62ea4e8..0fb830b 100644
--- a/drivers/target/target_core_hba.c
+++ b/drivers/target/target_core_hba.c
@@ -84,8 +84,16 @@ void target_backend_unregister(const struct target_backend_ops *ops)
 	list_for_each_entry(tb, &backend_list, list) {
 		if (tb->ops == ops) {
 			list_del(&tb->list);
+			mutex_unlock(&backend_mutex);
+			/*
+			 * Allow any outstanding backend driver ->rcu_head grace
+			 * period to expire post ->free_device() -> call_rcu(),
+			 * before allowing backend driver module unload of
+			 * target_backend_ops->owner to proceed.
+			 */
+			synchronize_rcu();
 			kfree(tb);
-			break;
+			return;
 		}
 	}
 	mutex_unlock(&backend_mutex);