Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751824AbbESUZg (ORCPT <rfc822;w@1wt.eu>);
	Tue, 19 May 2015 16:25:36 -0400
Received: from mail.ispras.ru ([83.149.199.45]:54691 "EHLO mail.ispras.ru"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750825AbbESUZd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 19 May 2015 16:25:33 -0400
Message-ID: <555B9C3A.40106@ispras.ru>
Date: Tue, 19 May 2015 23:25:30 +0300
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
CC: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
        linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org,
        Sagi Grimberg <sagig@mellanox.com>
Subject: [BUG] iscsi-target: deadlock because of iscsit_get_tpg()
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1537
Lines: 57

Hello,

Our tool reports a potential double lock because of quite strange code
in iscsit_get_tpg().

drivers/target/iscsi/iscsi_target_tpg.c:
int iscsit_get_tpg(
	struct iscsi_portal_group *tpg)
{
	int ret;

	ret = mutex_lock_interruptible(&tpg->tpg_access_lock);
	return ((ret != 0) || signal_pending(current)) ? -1 : 0;
}

If mutex_lock_interruptible() successfully acquires the mutex, but there
is a pending signal, the function returns error, but it leaves the mutex
held. Callers do not expect such behaviour that can lead to a deadlock.

Why the check for pending signal is needed here?

Found by Linux Driver Verification project (linuxtesting.org).


Similar dangerous pattern presents in a couple of other places:

drivers/target/iscsi/iscsi_target.c:
int iscsit_access_np(struct iscsi_np *np, struct iscsi_portal_group *tpg)
{
...
	ret = down_interruptible(&tpg->np_login_sem);
	if ((ret != 0) || signal_pending(current))
		return -1;


drivers/target/target_core_sbc.c:
static sense_reason_t
sbc_compare_and_write(struct se_cmd *cmd)
{
...
	rc = down_interruptible(&dev->caw_sem);
	if ((rc != 0) || signal_pending(current)) {
		cmd->transport_complete_callback = NULL;
		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
	}


--
Alexey Khoroshilov
Linux Verification Center, ISPRAS


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/