From patchwork Wed Oct 7 14:53:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maurizio Lombardi X-Patchwork-Id: 11820783 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CE93C17D2 for ; Wed, 7 Oct 2020 14:53:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A6EBD212CC for ; Wed, 7 Oct 2020 14:53:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="cVZ8XSb9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728701AbgJGOx5 (ORCPT ); Wed, 7 Oct 2020 10:53:57 -0400 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:20379 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728677AbgJGOxy (ORCPT ); Wed, 7 Oct 2020 10:53:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602082433; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=odS/FADxguwMdYrBZ1VHdSAflMyHx/SE0+n5W31X5qs=; b=cVZ8XSb9HkGfAmkoUOCWkAeeq0qUixRoS5YjK0OC8mvt06lCDE4FkUsVnuoleJdClFG7+Y 99C8sbGSeDKENf5IJXaO4X4n8VTq40/udNe596Tl1FUwHWwjQ87CYJGAWPLi9oUivZo12G Q5Vw4Nj++tDiGwK77kb6+HMXxFSh5fI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-450-FH9_0ImGN--dthyhol7aEQ-1; Wed, 07 Oct 2020 10:53:52 -0400 X-MC-Unique: FH9_0ImGN--dthyhol7aEQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0C76E890E7A; Wed, 7 Oct 2020 14:53:32 +0000 (UTC) Received: from nangaparbat.redhat.com (unknown [10.35.206.121]) by smtp.corp.redhat.com (Postfix) with ESMTP id 173E560BEC; Wed, 7 Oct 2020 14:53:29 +0000 (UTC) From: Maurizio Lombardi To: martin.petersen@oracle.com Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, bvanassche@acm.org, michael.christie@oracle.com Subject: [PATCH 1/2] target: iscsi: prevent a race condition in iscsit_unmap_cmd() Date: Wed, 7 Oct 2020 16:53:25 +0200 Message-Id: <20201007145326.56850-2-mlombard@redhat.com> In-Reply-To: <20201007145326.56850-1-mlombard@redhat.com> References: <20201007145326.56850-1-mlombard@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org A potential race condition may occur in iscsit_unmap_cmd() if the __iscsit_free_cmd() function is called by two different threads. This patch adds a spinlock to serialize the calls to iscsit_unmap_cmd() Signed-off-by: Maurizio Lombardi --- drivers/target/iscsi/iscsi_target_login.c | 1 + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- include/target/iscsi/iscsi_target_core.h | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c index 893d1b406c29..e16ceee87bba 100644 --- a/drivers/target/iscsi/iscsi_target_login.c +++ b/drivers/target/iscsi/iscsi_target_login.c @@ -1110,6 +1110,7 @@ static struct iscsi_conn *iscsit_alloc_conn(struct iscsi_np *np) spin_lock_init(&conn->nopin_timer_lock); spin_lock_init(&conn->response_queue_lock); spin_lock_init(&conn->state_lock); + spin_lock_init(&conn->unmap_cmd_lock); timer_setup(&conn->nopin_response_timer, iscsit_handle_nopin_response_timeout, 0); diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index 45ba07c6ec27..3082f5bde9fa 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -755,8 +755,11 @@ void __iscsit_free_cmd(struct iscsi_cmd *cmd, bool check_queues) iscsit_remove_cmd_from_response_queue(cmd, conn); } - if (conn && conn->conn_transport->iscsit_unmap_cmd) + if (conn && conn->conn_transport->iscsit_unmap_cmd) { + spin_lock(&conn->unmap_cmd_lock); conn->conn_transport->iscsit_unmap_cmd(conn, cmd); + spin_unlock(&conn->unmap_cmd_lock); + } } void iscsit_free_cmd(struct iscsi_cmd *cmd, bool shutdown) diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h index 1eccb2ac7d02..ae7ac0134c8c 100644 --- a/include/target/iscsi/iscsi_target_core.h +++ b/include/target/iscsi/iscsi_target_core.h @@ -575,6 +575,7 @@ struct iscsi_conn { spinlock_t nopin_timer_lock; spinlock_t response_queue_lock; spinlock_t state_lock; + spinlock_t unmap_cmd_lock; /* libcrypto RX and TX contexts for crc32c */ struct ahash_request *conn_rx_hash; struct ahash_request *conn_tx_hash; From patchwork Wed Oct 7 14:53:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maurizio Lombardi X-Patchwork-Id: 11820779 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 57D8617D2 for ; Wed, 7 Oct 2020 14:53:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 33460212CC for ; Wed, 7 Oct 2020 14:53:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="bixlT/QR" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728697AbgJGOxx (ORCPT ); Wed, 7 Oct 2020 10:53:53 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:51950 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728677AbgJGOxw (ORCPT ); Wed, 7 Oct 2020 10:53:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602082431; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sdsd8Ng3fG6CochuxToB2XwYhkI5DE+revworc2rIdo=; b=bixlT/QRnfwNUE3wqZixzcnucVaosXM2hM4mYkYw+c+HvCNFfAISVLZdpZxa/QkR6vDSxq IvREOnQ71OKDg1KE5pdpQ+abs0//VDHujfOqRIgpB6NHtklRIowHT4b7Ga6byt1ziKyrPK 7XJsMb2YVuFkgn5kaZiVJWQfrlpyp5Q= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-377-j750TGzTO1KSvOhH6bVcPQ-1; Wed, 07 Oct 2020 10:53:47 -0400 X-MC-Unique: j750TGzTO1KSvOhH6bVcPQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 08535101FFD6; Wed, 7 Oct 2020 14:53:35 +0000 (UTC) Received: from nangaparbat.redhat.com (unknown [10.35.206.121]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9080560BEC; Wed, 7 Oct 2020 14:53:32 +0000 (UTC) From: Maurizio Lombardi To: martin.petersen@oracle.com Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, bvanassche@acm.org, michael.christie@oracle.com Subject: [PATCH 2/2] target: iscsi: fix a race condition when aborting a task Date: Wed, 7 Oct 2020 16:53:26 +0200 Message-Id: <20201007145326.56850-3-mlombard@redhat.com> In-Reply-To: <20201007145326.56850-1-mlombard@redhat.com> References: <20201007145326.56850-1-mlombard@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org The iscsit_release_commands_from_conn() function does the following operations: 1) locks the cmd_lock spinlock 2) Scans the list of commands and sets the CMD_T_FABRIC_STOP flag 3) Releases the cmd_lock spinlock 4) Rescans the list again and clears the i_conn_node link of each command If an abort task timer is fired between 3) and 4), it will find the CMD_T_FABRIC_STOP flag set and won't call list_del_init(); therefore it may end up calling __iscsit_free_cmd() with a non-empty i_conn_node list, thus triggering the warning. Considering that: - we expect list_del_init() to be executed by iscsit_release_commands_from_conn() when the CMD_T_FABRIC_STOP is set. - iscsit_aborted_task() is the only function that calls __iscsit_free_cmd() directly, while all the other functions call iscsit_free_cmd(). - the warning in __iscsit_free_cmd() is a duplicate (the same warning can be found in iscsit_free_cmd(). We can fix the bug by simply removing the warning from __iscsit_free_cmd() kernel: ------------[ cut here ]------------ kernel: WARNING: CPU: 1 PID: 21173 at drivers/target/iscsi/iscsi_target_util.c:720 __iscsit_free_cmd+0x26e/0x290 [iscsi_target_mod] ... kernel: CPU: 1 PID: 21173 Comm: kworker/u8:3 Kdump: loaded Not tainted 3.10.0-1062.4.1.el7.x86_64 #1 kernel: Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/17/2015 kernel: Workqueue: tmr-user target_tmr_work [target_core_mod] kernel: Call Trace: kernel: [] dump_stack+0x19/0x1b kernel: [] __warn+0xd8/0x100 kernel: [] warn_slowpath_null+0x1d/0x20 kernel: [] __iscsit_free_cmd+0x26e/0x290 [iscsi_target_mod] kernel: [] iscsit_aborted_task+0x64/0x70 [iscsi_target_mod] kernel: [] lio_aborted_task+0x2a/0x30 [iscsi_target_mod] kernel: [] transport_cmd_finish_abort+0x66/0xb0 [target_core_mod] kernel: [] core_tmr_abort_task+0x102/0x180 [target_core_mod] kernel: [] target_tmr_work+0x152/0x170 [target_core_mod] kernel: [] process_one_work+0x17f/0x440 kernel: [] worker_thread+0x126/0x3c0 kernel: [] ? manage_workers.isra.26+0x2a0/0x2a0 kernel: [] kthread+0xd1/0xe0 kernel: [] ? insert_kthread_work+0x40/0x40 kernel: [] ret_from_fork_nospec_begin+0x21/0x21 kernel: [] ? insert_kthread_work+0x40/0x40 kernel: ---[ end trace ed2119501826ec7a ]--- Signed-off-by: Maurizio Lombardi --- drivers/target/iscsi/iscsi_target_util.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index 3082f5bde9fa..61233755ece0 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -741,8 +741,6 @@ void __iscsit_free_cmd(struct iscsi_cmd *cmd, bool check_queues) { struct iscsi_conn *conn = cmd->conn; - WARN_ON(!list_empty(&cmd->i_conn_node)); - if (cmd->data_direction == DMA_TO_DEVICE) { iscsit_stop_dataout_timer(cmd); iscsit_free_r2ts_from_list(cmd);