Re: [PATCH v3] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race

From: Greg Kroah-Hartman
Date: Mon Mar 18 2013 - 21:52:43 EST
On Mon, Mar 18, 2013 at 07:34:13PM -0400, Jörn Engel wrote:
> And because I'm lame and stupid, here's v3.
>
> It is possible for one thread to take se_sess->sess_cmd_lock in
> core_tmr_abort_task() before taking a reference count on
> se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
> se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
>
> This introduces kref_put_and_lock() and uses it in
> target_put_sess_cmd() to close the race window.
>
> Signed-off-by: Joern Engel <joern@xxxxxxxxx>
> ---
> drivers/target/target_core_transport.c | 17 +++++++++++------
> include/linux/kref.h | 26 ++++++++++++++++++++++++++
> 2 files changed, 37 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
> index 04ec9cb..b98c158 100644
> --- a/drivers/target/target_core_transport.c
> +++ b/drivers/target/target_core_transport.c
> @@ -2207,21 +2207,19 @@ static void target_release_cmd_kref(struct kref *kref)
> {
> struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
> struct se_session *se_sess = se_cmd->se_sess;
> - unsigned long flags;
>
> - spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
> if (list_empty(&se_cmd->se_cmd_list)) {
> - spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
> + spin_unlock(&se_sess->sess_cmd_lock);
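Review bot: with the spin_lock_irqsave() removed from the top of target_release_cmd_kref(), the function now unlocks a lock it never visibly takes, so the hunk as shown leaves the lock/unlock pairing unexplained. The intent must be that the new kref_put_and_lock() acquires sess_cmd_lock before invoking the release callback, but nothing in this hunk says so; add a comment at the top of target_release_cmd_kref() such as "called with se_sess->sess_cmd_lock held; drops it before returning", and the same contract on kref_put_and_lock() in kref.h. The change from spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags) to a plain spin_unlock() also means the interrupt state is no longer restored here; that is only correct if every caller of target_put_sess_cmd() that can now reach this path holds the lock without having disabled interrupts, which should be stated in the changelog since the diff alone does not show it.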

Wait, who has this locked? You took out the call to spin_lock_* above.

And why not _irqstore() anymore?

thanks,

greg k-h
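The race described in the patch changelog, and the "take the lock before the last reference goes away" ordering the patch relies on, modelled as a constructed user-space C example. This is added illustration, not code from the thread, from Jörn Engel's patch, or from the kernel target subsystem: the spinlock, kref and list helpers are minimal stand-ins (an atomic_flag lock, an atomic_int kref, a singly linked command list), kref_put_and_lock() follows atomic_dec_and_lock() semantics as an assumption about what the patch intends, and the abort path is assumed to take its reference with a get-unless-zero under sess_cmd_lock. The release callback runs with the lock held and is responsible for dropping it, matching the spin_unlock() visible in the hunk.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the locking the patch proposes; not kernel code. */

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct spinlock { atomic_flag held; };
static void spin_lock(struct spinlock *l)   { while (atomic_flag_test_and_set(&l->held)) { } }
static void spin_unlock(struct spinlock *l) { atomic_flag_clear(&l->held); }

struct kref { atomic_int refcount; };
static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }

/* Take a reference only if the object is not already dying (count != 0). */
static bool kref_get_unless_zero(struct kref *k)
{
	int old = atomic_load(&k->refcount);
	while (old != 0)
		if (atomic_compare_exchange_weak(&k->refcount, &old, old + 1))
			return true;
	return false;
}

/* Assumed semantics of the patch's kref_put_and_lock(): drop a reference; if
 * it is the last one, acquire LOCK *before* the count reaches zero and call
 * release() with LOCK held. release() must unlock. Returns true if it ran. */
static bool kref_put_and_lock(struct kref *k, void (*release)(struct kref *),
			      struct spinlock *lock)
{
	int old = atomic_load(&k->refcount);
	while (old > 1)		/* fast path: not the last reference, no lock needed */
		if (atomic_compare_exchange_weak(&k->refcount, &old, old - 1))
			return false;
	spin_lock(lock);
	if (atomic_fetch_sub(&k->refcount, 1) == 1) {
		release(k);	/* runs under lock; release() drops it */
		return true;
	}
	spin_unlock(lock);	/* someone took a reference in the meantime */
	return false;
}

struct se_cmd;
struct se_session { struct spinlock sess_cmd_lock; struct se_cmd *cmd_list; };
struct se_cmd {
	struct kref cmd_kref;
	struct se_session *se_sess;
	struct se_cmd *next;
	int tag;
	bool freed;	/* stands in for the real free */
};

/* Called with se_sess->sess_cmd_lock held; drops it before returning. */
static void target_release_cmd_kref(struct kref *kref)
{
	struct se_cmd *cmd = container_of(kref, struct se_cmd, cmd_kref);
	struct se_session *sess = cmd->se_sess;
	struct se_cmd **pp;

	for (pp = &sess->cmd_list; *pp; pp = &(*pp)->next)
		if (*pp == cmd) { *pp = cmd->next; break; }
	spin_unlock(&sess->sess_cmd_lock);
	cmd->freed = true;
}

static bool target_put_sess_cmd(struct se_cmd *cmd)
{
	return kref_put_and_lock(&cmd->cmd_kref, target_release_cmd_kref,
				 &cmd->se_sess->sess_cmd_lock);
}

/* Abort path: look the command up under sess_cmd_lock and take a reference
 * before using it. Because the final put takes the lock before dropping to
 * zero, a command with refcount 0 is never visible on the list here. */
static struct se_cmd *core_tmr_abort_task(struct se_session *sess, int tag)
{
	struct se_cmd *cmd, *found = NULL;

	spin_lock(&sess->sess_cmd_lock);
	for (cmd = sess->cmd_list; cmd; cmd = cmd->next)
		if (cmd->tag == tag && kref_get_unless_zero(&cmd->cmd_kref)) {
			found = cmd;
			break;
		}
	spin_unlock(&sess->sess_cmd_lock);
	return found;
}

static void add_cmd(struct se_session *sess, struct se_cmd *cmd, int tag)
{
	kref_init(&cmd->cmd_kref);
	cmd->se_sess = sess; cmd->next = sess->cmd_list; cmd->tag = tag; cmd->freed = false;
	sess->cmd_list = cmd;
}

/* Final put first: release runs under the lock and unlinks the command, so a
 * later abort finds nothing and cannot resurrect a dying command. */
static bool scenario_put_then_abort(void)
{
	struct se_session sess = { { ATOMIC_FLAG_INIT }, NULL };
	struct se_cmd cmd;
	add_cmd(&sess, &cmd, 7);
	bool released = target_put_sess_cmd(&cmd);
	struct se_cmd *hit = core_tmr_abort_task(&sess, 7);
	return released && cmd.freed && hit == NULL && sess.cmd_list == NULL;
}

/* Abort first: it now holds a reference, so the I/O path's put must not free;
 * the abort path's own put is the one that releases. */
static bool scenario_abort_then_put(void)
{
	struct se_session sess = { { ATOMIC_FLAG_INIT }, NULL };
	struct se_cmd cmd;
	add_cmd(&sess, &cmd, 7);
	struct se_cmd *hit = core_tmr_abort_task(&sess, 7);
	if (hit != &cmd) return false;
	bool freed_early = target_put_sess_cmd(&cmd);	/* I/O path drops its ref */
	bool freed_late = target_put_sess_cmd(hit);	/* abort path drops its ref */
	return !freed_early && freed_late && cmd.freed && sess.cmd_list == NULL;
}

int main(void)
{
	printf("put then abort: %s\n", scenario_put_then_abort() ? "ok" : "BROKEN");
	printf("abort then put: %s\n", scenario_abort_then_put() ? "ok" : "BROKEN");
	return 0;
}
```

The point of the model is the ordering in kref_put_and_lock(): the lock is acquired before the decrement that can reach zero, so the window the changelog describes (abort holding the lock while the count is already zero) cannot open. The cost is that the release callback inherits the lock and must drop it, which is exactly the contract Greg's question is about and which the hunk should document.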