[03/21] lpfc: Correct nvmet buffer free race condition

Message ID	20190522004911.573-4-jsmart2021@gmail.com (mailing list archive)
State	Mainlined
Commit	4767c58af96e1c6a2dad307c6e5bb75d6c646815
Headers	show Return-Path: <linux-scsi-owner@kernel.org> From: James Smart <jsmart2021@gmail.com> To: linux-scsi@vger.kernel.org Cc: James Smart <jsmart2021@gmail.com>, Dick Kennedy <dick.kennedy@broadcom.com> Subject: [PATCH 03/21] lpfc: Correct nvmet buffer free race condition Date: Tue, 21 May 2019 17:48:53 -0700 Message-Id: <20190522004911.573-4-jsmart2021@gmail.com> In-Reply-To: <20190522004911.573-1-jsmart2021@gmail.com> References: <20190522004911.573-1-jsmart2021@gmail.com> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk
Series	lpfc: Update lpfc to revision 12.2.0.3 \| expand [00/21] lpfc: Update lpfc to revision 12.2.0.3 [01/21] lpfc: Fix alloc context on oas lun creations [02/21] lpfc: Fix nvmet target abort cmd matching [03/21] lpfc: Correct nvmet buffer free race condition [04/21] lpfc: Revise message when stuck due to unresponsive adapter [05/21] lpfc: Separate CQ processing for nvmet_fc upcalls [06/21] lpfc: Fix nvmet handling of received ABTS for unmapped frames [07/21] lpfc: Revert message logging on unsupported topology [08/21] lpfc: Fix PT2PT PLOGI collison stopping discovery [09/21] lpfc: Prevent 'use after free' memory overwrite in nvmet LS handling. [10/21] lpfc: Cancel queued work for an IO when processing a received ABTS. [11/21] lpfc: Fix hardlockup in scsi_cmd_iocb_cmpl [12/21] lpfc: Rework misleading nvme not supported in firmware message [13/21] lpfc: Fix memory leak in abnormal exit path from lpfc_eq_create. [14/21] lpfc: Fix incorrect logical link speed on trunks when links down [15/21] lpfc: Fix oops when driver is loaded with 1 interrupt vector [16/21] lpfc: Fix poor use of hardware queues if fewer irq vectors [17/21] lpfc: Fix fcp_rsp_len checking on lun reset [18/21] lpfc: Fix FDMI fc4type for nvme support [19/21] lpfc: Fix BFS crash with t10-dif enabled. [20/21] lpfc: Fix kernel warnings related to smp_processor_id() [21/21] lpfc: Update lpfc version to 12.2.0.3

Message ID

20190522004911.573-4-jsmart2021@gmail.com (mailing list archive)

State

Mainlined

Commit

4767c58af96e1c6a2dad307c6e5bb75d6c646815

Headers

From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>,
        Dick Kennedy <dick.kennedy@broadcom.com>
Subject: [PATCH 03/21] lpfc: Correct nvmet buffer free race condition
Date: Tue, 21 May 2019 17:48:53 -0700
Message-Id: <20190522004911.573-4-jsmart2021@gmail.com>
In-Reply-To: <20190522004911.573-1-jsmart2021@gmail.com>
References: <20190522004911.573-1-jsmart2021@gmail.com>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk

Series

lpfc: Update lpfc to revision 12.2.0.3 | expand

Commit Message

James Smart May 22, 2019, 12:48 a.m. UTC

A race condition resulted in receive buffers being placed in the
free list twice.

Change the locking and handling to check whether the "other" path
will be freeing the entry in a later thread and skip it if it is.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
 drivers/scsi/lpfc/lpfc_nvmet.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
index c9011579aa0f..3a11861b7ad6 100644
--- a/drivers/scsi/lpfc/lpfc_nvmet.c
+++ b/drivers/scsi/lpfc/lpfc_nvmet.c
@@ -343,16 +343,23 @@  lpfc_nvmet_ctxbuf_post(struct lpfc_hba *phba, struct lpfc_nvmet_ctxbuf *ctx_buf)
 	}
 
 	if (ctxp->rqb_buffer) {
-		nvmebuf = ctxp->rqb_buffer;
 		spin_lock_irqsave(&ctxp->ctxlock, iflag);
-		ctxp->rqb_buffer = NULL;
-		if (ctxp->flag & LPFC_NVMET_CTX_REUSE_WQ) {
-			ctxp->flag &= ~LPFC_NVMET_CTX_REUSE_WQ;
-			spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
-			nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
+		nvmebuf = ctxp->rqb_buffer;
+		/* check if freed in another path whilst acquiring lock */
+		if (nvmebuf) {
+			ctxp->rqb_buffer = NULL;
+			if (ctxp->flag & LPFC_NVMET_CTX_REUSE_WQ) {
+				ctxp->flag &= ~LPFC_NVMET_CTX_REUSE_WQ;
+				spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+				nvmebuf->hrq->rqbp->rqb_free_buffer(phba,
+								    nvmebuf);
+			} else {
+				spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+				/* repost */
+				lpfc_rq_buf_free(phba, &nvmebuf->hbuf);
+			}
 		} else {
 			spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
-			lpfc_rq_buf_free(phba, &nvmebuf->hbuf); /* repost */
 		}
 	}
 	ctxp->state = LPFC_NVMET_STE_FREE;

[03/21] lpfc: Correct nvmet buffer free race condition

Commit Message

Patch