[thirdparty/kernel/stable-queue.git] / releases / 4.14.34 / nvme_fcloop-fix-abort-race-condition.patch

From foo@baz Mon Apr  9 13:58:16 CEST 2018
From: James Smart <jsmart2021@gmail.com>
Date: Wed, 29 Nov 2017 16:47:30 -0800
Subject: nvme_fcloop: fix abort race condition

From: James Smart <jsmart2021@gmail.com>


[ Upstream commit 278e096063f1914fccfc77a617be9fc8dbb31b0e ]

A test case revealed a race condition of an i/o completing on a thread
parallel to the delete_association generating the aborts for the
outstanding ios on the controller.  The i/o completion was freeing the
target fcloop context, thus the abort task referenced the just-freed
memory.

Correct by clearing the target/initiator cross pointers in the io
completion and abort tasks before calling the callbacks. On aborts
that detect already finished io's, ensure the complete context is
called.

Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/fcloop.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -374,6 +374,7 @@ fcloop_tgt_fcprqst_done_work(struct work
 
 	spin_lock(&tfcp_req->reqlock);
 	fcpreq = tfcp_req->fcpreq;
+	tfcp_req->fcpreq = NULL;
 	spin_unlock(&tfcp_req->reqlock);
 
 	if (tport->remoteport && fcpreq) {
@@ -615,11 +616,7 @@ fcloop_fcp_abort(struct nvme_fc_local_po
 
 	if (!tfcp_req)
 		/* abort has already been called */
-		return;
-
-	if (rport->targetport)
-		nvmet_fc_rcv_fcp_abort(rport->targetport,
-					&tfcp_req->tgt_fcp_req);
+		goto finish;
 
 	/* break initiator/target relationship for io */
 	spin_lock(&tfcp_req->reqlock);
@@ -627,6 +624,11 @@ fcloop_fcp_abort(struct nvme_fc_local_po
 	tfcp_req->fcpreq = NULL;
 	spin_unlock(&tfcp_req->reqlock);
 
+	if (rport->targetport)
+		nvmet_fc_rcv_fcp_abort(rport->targetport,
+					&tfcp_req->tgt_fcp_req);
+
+finish:
 	/* post the aborted io completion */
 	fcpreq->status = -ECANCELED;
 	schedule_work(&inireq->iniwork);
Commit	Line	Data
df1b7722 GKH	1	From foo@baz Mon Apr 9 13:58:16 CEST 2018
	2	From: James Smart <jsmart2021@gmail.com>
	3	Date: Wed, 29 Nov 2017 16:47:30 -0800
	4	Subject: nvme_fcloop: fix abort race condition
	5
	6	From: James Smart <jsmart2021@gmail.com>
	7
	8
	9	[ Upstream commit 278e096063f1914fccfc77a617be9fc8dbb31b0e ]
	10
	11	A test case revealed a race condition of an i/o completing on a thread
	12	parallel to the delete_association generating the aborts for the
	13	outstanding ios on the controller. The i/o completion was freeing the
	14	target fcloop context, thus the abort task referenced the just-freed
	15	memory.
	16
	17	Correct by clearing the target/initiator cross pointers in the io
	18	completion and abort tasks before calling the callbacks. On aborts
	19	that detect already finished io's, ensure the complete context is
	20	called.
	21
	22	Signed-off-by: James Smart <james.smart@broadcom.com>
	23	Signed-off-by: Christoph Hellwig <hch@lst.de>
	24	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26	---
	27	drivers/nvme/target/fcloop.c \| 12 +++++++-----
	28	1 file changed, 7 insertions(+), 5 deletions(-)
	29
	30	--- a/drivers/nvme/target/fcloop.c
	31	+++ b/drivers/nvme/target/fcloop.c
	32	@@ -374,6 +374,7 @@ fcloop_tgt_fcprqst_done_work(struct work
	33
	34	spin_lock(&tfcp_req->reqlock);
	35	fcpreq = tfcp_req->fcpreq;
	36	+ tfcp_req->fcpreq = NULL;
	37	spin_unlock(&tfcp_req->reqlock);
	38
	39	if (tport->remoteport && fcpreq) {
	40	@@ -615,11 +616,7 @@ fcloop_fcp_abort(struct nvme_fc_local_po
	41
	42	if (!tfcp_req)
	43	/* abort has already been called */
	44	- return;
	45	-
	46	- if (rport->targetport)
	47	- nvmet_fc_rcv_fcp_abort(rport->targetport,
	48	- &tfcp_req->tgt_fcp_req);
	49	+ goto finish;
	50
	51	/* break initiator/target relationship for io */
	52	spin_lock(&tfcp_req->reqlock);
	53	@@ -627,6 +624,11 @@ fcloop_fcp_abort(struct nvme_fc_local_po
	54	tfcp_req->fcpreq = NULL;
	55	spin_unlock(&tfcp_req->reqlock);
	56
	57	+ if (rport->targetport)
	58	+ nvmet_fc_rcv_fcp_abort(rport->targetport,
	59	+ &tfcp_req->tgt_fcp_req);
	60	+
	61	+finish:
	62	/* post the aborted io completion */
	63	fcpreq->status = -ECANCELED;
	64	schedule_work(&inireq->iniwork);