From patchwork Sun Jan 10 20:28:44 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Nicholas A. Bellinger" X-Patchwork-Id: 7997841 Return-Path: X-Original-To: patchwork-linux-scsi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 3CF11BEEE5 for ; Sun, 10 Jan 2016 20:32:16 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 3BE4B20382 for ; Sun, 10 Jan 2016 20:32:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2524B2037F for ; Sun, 10 Jan 2016 20:32:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757499AbcAJUbX (ORCPT ); Sun, 10 Jan 2016 15:31:23 -0500 Received: from mail-ob0-f176.google.com ([209.85.214.176]:33087 "EHLO mail-ob0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757477AbcAJUbC (ORCPT ); Sun, 10 Jan 2016 15:31:02 -0500 Received: by mail-ob0-f176.google.com with SMTP id bx1so365370961obb.0 for ; Sun, 10 Jan 2016 12:31:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daterainc-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=jqLproZvbWdijRQZb9fdZl1E3MxKV6WvwV9jUfPGWFY=; b=ac4wMAk0hxWQmes+JxwvX47Iv1UsuGszvuPQzt+TL05MY5dQkcUrG1op7r6Zp1yA2j R9b1Ojc4bJ7KX7wG59i/6qyasGbpTvevUzW2sJYivKpzLaliUmMY404peBPiZcN4zKQQ bGw2mip9vtTF3IJA6pqTkHOjqcmZ5npG3lMrRUpUMdV5kGQB+CGUCUcjPi9RVO0IuDpN Vs4IFBk1NaOddL9I+Z+zwSuyHwXBLhvitbaZCYu6+Ohjtkud/Sbv7n/LC2NqI1CruHvR 653z8+SNdw2GXF9kxJwK0LYoPJGRyXLljKj3OwOR0kTZ8zULLgUHvVxIjzWdj1DnMKH8 Iu4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=jqLproZvbWdijRQZb9fdZl1E3MxKV6WvwV9jUfPGWFY=; b=GoKcWq8SnRHRDmPqePr8zskSGj8G2ZfigS7JrCBf4nrtSj9rMCzCbMvcaadmdKLv5i 2VuLsv9JxZ+sqD8/5lEHGeW/VUH+TZW4YWDTbWL5WOW9QUaXEuezDP8AsjI0ZXIGXOPg 35SHlFYbSFSduAHBEDlnAfD/V0Te3ZkO5pjTkJfrKPQYho0moyIm5jKD/gsI4nRrFFMw Z4DAQKTSTmdGNYG9oX0h3A6QCuW0UAMGz64E/59ts83alXmlPvndMXNrYoiI7+5wZpZm pN41p3xnh8iRN8lIRy+VxVOpOQ/rhJyXwI/9x86BDTTgenMMVSq8gj7vTuo2WCvkCtFI mofg== X-Gm-Message-State: ALoCoQkf04NwZI7mWNS9/KMBbqDeg439tCWQ6m1BAkUz4kkY4B7ecdYQprv1skmSv168qh5bZqNcAFIWEStzUrrAyIvsg5Ff3Q== X-Received: by 10.60.136.197 with SMTP id qc5mr42657110oeb.79.1452457861444; Sun, 10 Jan 2016 12:31:01 -0800 (PST) Received: from localhost.localdomain (mail.linux-iscsi.org. [67.23.28.174]) by smtp.gmail.com with ESMTPSA id co3sm8026500obb.15.2016.01.10.12.31.00 (version=TLS1 cipher=AES128-SHA bits=128/128); Sun, 10 Jan 2016 12:31:01 -0800 (PST) From: "Nicholas A. Bellinger" To: target-devel Cc: linux-scsi , lkml , Sagi Grimberg , Christoph Hellwig , Hannes Reinecke , Andy Grover , Vasu Dev , Vu Pham , Nicholas Bellinger Subject: [PATCH-v2 4/4] target: Obtain se_node_acl->acl_kref during get_initiator_node_acl Date: Sun, 10 Jan 2016 20:28:44 +0000 Message-Id: <1452457724-10629-5-git-send-email-nab@daterainc.com> X-Mailer: git-send-email 1.7.2.5 In-Reply-To: <1452457724-10629-1-git-send-email-nab@daterainc.com> References: <1452457724-10629-1-git-send-email-nab@daterainc.com> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Nicholas Bellinger This patch addresses a long standing race where obtaining se_node_acl->acl_kref in __transport_register_session() happens a bit too late, and leaves open the potential for core_tpg_del_initiator_node_acl() to hit a NULL pointer dereference. Instead, take ->acl_kref in core_tpg_get_initiator_node_acl() while se_portal_group->acl_node_mutex is held, and move the final target_put_nacl() from transport_deregister_session() into transport_free_session() so that fabric driver login failure handling using the modern method to still work as expected. Also, update core_tpg_check_initiator_node_acl() to take an extra reference for dynamically generated acls for demo-mode, before returning to fabric caller. Note the existing wait_for_completion(&acl->acl_free_comp) in core_tpg_del_initiator_node_acl() does not change. Cc: Sagi Grimberg Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Andy Grover Signed-off-by: Nicholas Bellinger --- drivers/target/target_core_tpg.c | 18 +++++++++++++++++- drivers/target/target_core_transport.c | 18 ++++++++++++------ 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c index 66a2c6f..5221aee 100644 --- a/drivers/target/target_core_tpg.c +++ b/drivers/target/target_core_tpg.c @@ -75,9 +75,16 @@ struct se_node_acl *core_tpg_get_initiator_node_acl( unsigned char *initiatorname) { struct se_node_acl *acl; - + /* + * Obtain the acl_kref now, which will be dropped upon the + * release of se_sess memory within transport_free_session(). + */ mutex_lock(&tpg->acl_node_mutex); acl = __core_tpg_get_initiator_node_acl(tpg, initiatorname); + if (acl) { + if (!kref_get_unless_zero(&acl->acl_kref)) + acl = NULL; + } mutex_unlock(&tpg->acl_node_mutex); return acl; @@ -240,6 +247,15 @@ struct se_node_acl *core_tpg_check_initiator_node_acl( acl = target_alloc_node_acl(tpg, initiatorname); if (!acl) return NULL; + /* + * When allocating a dynamically generated node_acl, go ahead + * and take the extra kref now before returning to the fabric + * driver caller. + * + * Note this reference will be released at session shutdown + * time within transport_free_session() code. + */ + kref_get(&acl->acl_kref); acl->dynamic_node_acl = 1; /* diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 7b05ebf..c5035b9 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -341,7 +341,6 @@ void __transport_register_session( &buf[0], PR_REG_ISID_LEN); se_sess->sess_bin_isid = get_unaligned_be64(&buf[0]); } - kref_get(&se_nacl->acl_kref); spin_lock_irq(&se_nacl->nacl_sess_lock); /* @@ -464,6 +463,15 @@ EXPORT_SYMBOL(transport_deregister_session_configfs); void transport_free_session(struct se_session *se_sess) { + struct se_node_acl *se_nacl = se_sess->se_node_acl; + /* + * Drop the se_node_acl->nacl_kref obtained from within + * core_tpg_get_initiator_node_acl(). + */ + if (se_nacl) { + se_sess->se_node_acl = NULL; + target_put_nacl(se_nacl); + } if (se_sess->sess_cmd_map) { percpu_ida_destroy(&se_sess->sess_tag_pool); kvfree(se_sess->sess_cmd_map); @@ -478,7 +486,7 @@ void transport_deregister_session(struct se_session *se_sess) const struct target_core_fabric_ops *se_tfo; struct se_node_acl *se_nacl; unsigned long flags; - bool comp_nacl = true, drop_nacl = false; + bool drop_nacl = false; if (!se_tpg) { transport_free_session(se_sess); @@ -510,18 +518,16 @@ void transport_deregister_session(struct se_session *se_sess) if (drop_nacl) { core_tpg_wait_for_nacl_pr_ref(se_nacl); core_free_device_list_for_node(se_nacl, se_tpg); + se_sess->se_node_acl = NULL; kfree(se_nacl); - comp_nacl = false; } pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n", se_tpg->se_tpg_tfo->get_fabric_name()); /* * If last kref is dropping now for an explicit NodeACL, awake sleeping * ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group - * removal context. + * removal context from within transport_free_session() code. */ - if (se_nacl && comp_nacl) - target_put_nacl(se_nacl); transport_free_session(se_sess); }