diff options
| author | Nicholas Bellinger <[email protected]> | 2017-06-02 20:00:17 -0700 | 
|---|---|---|
| committer | Nicholas Bellinger <[email protected]> | 2017-06-08 22:24:18 -0700 | 
| commit | 73d4e580ccc5c3e05cea002f18111f66c9c07034 (patch) | |
| tree | c2cfd9bfb4fe98f67467c64dd5fb53ba18d4ac98 /drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | |
| parent | 5e0cf5e6c43b9e19fc0284f69e5cd2b4a47523b0 (diff) | |
target: Fix kref->refcount underflow in transport_cmd_finish_abort
This patch fixes a se_cmd->cmd_kref underflow during CMD_T_ABORTED
when a fabric driver drops it's second reference from below the
target_core_tmr.c based callers of transport_cmd_finish_abort().
Recently with the conversion of kref to refcount_t, this bug was
manifesting itself as:
[705519.601034] refcount_t: underflow; use-after-free.
[705519.604034] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 20116.512 msecs
[705539.719111] ------------[ cut here ]------------
[705539.719117] WARNING: CPU: 3 PID: 26510 at lib/refcount.c:184 refcount_sub_and_test+0x33/0x51
Since the original kref atomic_t based kref_put() didn't check for
underflow and only invoked the final callback when zero was reached,
this bug did not manifest in practice since all se_cmd memory is
using preallocated tags.
To address this, go ahead and propigate the existing return from
transport_put_cmd() up via transport_cmd_finish_abort(), and
change transport_cmd_finish_abort() + core_tmr_handle_tas_abort()
callers to only do their local target_put_sess_cmd() if necessary.
Reported-by: Bart Van Assche <[email protected]>
Tested-by: Bart Van Assche <[email protected]>
Cc: Mike Christie <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Himanshu Madhani <[email protected]>
Cc: Sagi Grimberg <[email protected]>
Cc: [email protected] # 3.14+
Tested-by: Gary Guo <[email protected]>
Tested-by: Chu Yuan Lin <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h')
0 files changed, 0 insertions, 0 deletions