• Nicholas Bellinger's avatar
    target: Fix kref->refcount underflow in transport_cmd_finish_abort · 3909b401
    Nicholas Bellinger authored
    commit 73d4e580 upstream.
    
    This patch fixes a se_cmd->cmd_kref underflow during CMD_T_ABORTED
    when a fabric driver drops it's second reference from below the
    target_core_tmr.c based callers of transport_cmd_finish_abort().
    
    Recently with the conversion of kref to refcount_t, this bug was
    manifesting itself as:
    
    [705519.601034] refcount_t: underflow; use-after-free.
    [705519.604034] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 20116.512 msecs
    [705539.719111] ------------[ cut here ]------------
    [705539.719117] WARNING: CPU: 3 PID: 26510 at lib/refcount.c:184 refcount_sub_and_test+0x33/0x51
    
    Since the original kref atomic_t based kref_put() didn't check for
    underflow and only invoked the final callback when zero was reached,
    this bug did not manifest in practice since all se_cmd memory is
    using preallocated tags.
    
    To address this, go ahead and propigate the existing return from
    transport_put_cmd() up via transport_cmd_finish_abort(), and
    change transport_cmd_finish_abort() + core_tmr_handle_tas_abort()
    callers to only do their local target_put_sess_cmd() if necessary.
    Reported-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
    Tested-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: Hannes Reinecke <hare@suse.de>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Cc: Sagi Grimberg <sagig@mellanox.com>
    Tested-by: default avatarGary Guo <ghg@datera.io>
    Tested-by: default avatarChu Yuan Lin <cyl@datera.io>
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    3909b401
target_core_transport.c 84.2 KB