ACK: [PATCH][X] UBUNTU: SAUCE: (no-up) virtio-scsi: Fix race in target free
Stefan Bader
stefan.bader at canonical.com
Fri Apr 20 08:36:00 UTC 2018
On 19.04.2018 21:40, Jay Vosburgh wrote:
> BugLink: http://bugs.launchpad.net/bugs/1765241
>
> A race condition exists in virtio_scsi between the completion of
> a request and the freeing of the target structure. The race is between
> (a) virtscsi_complete_cmd that, first, wakes up a task waiting for a
> completion, then, second, releases a reference in the target structure
> and (b) the woken up task freeing that target structure.
>
> The race appears to exist in all verisons of virtio_scsi, but
> most kernels are not impacted due to a coincidental RCU sync in the
> "(b)" path above that will effectively wait for the "(a)" path to
> complete. The Ubuntu Xenial 4.4 kernel since commit be2a20802abbde
> lacks any RCU sync in the "(b)" code path, thus opening the race window.
>
> The fix is to wait for any outstanding requests to release their
> references prior to freeing the target structure.
>
> Signed-off-by: Jay Vosburgh <jay.vosburgh at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
> ---
Sounds reasonable and safe enough.
-Stefan
> drivers/scsi/virtio_scsi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 8ef905cbfc9c..e2da31286793 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -785,6 +785,10 @@ static int virtscsi_target_alloc(struct scsi_target *starget)
> static void virtscsi_target_destroy(struct scsi_target *starget)
> {
> struct virtio_scsi_target_state *tgt = starget->hostdata;
> +
> + /* we can race with concurrent virtscsi_complete_cmd */
> + while (atomic_read(&tgt->reqs))
> + cpu_relax();
> kfree(tgt);
> }
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180420/8917c517/attachment.sig>
More information about the kernel-team
mailing list