From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: dgilbert@interlog.com, tonyb@cybernetics.com, hch@infradead.org,
linux-scsi@vger.kernel.org
Subject: Re: [PATCH 1/2] sg: fix races during device removal (v6)
Date: Wed, 28 Jan 2009 15:06:52 +0000 [thread overview]
Message-ID: <1233155212.3236.10.camel@localhost.localdomain> (raw)
In-Reply-To: <20090128105144C.fujita.tomonori@lab.ntt.co.jp>
On Wed, 2009-01-28 at 10:51 +0900, FUJITA Tomonori wrote:
> On Mon, 26 Jan 2009 08:57:20 -0500
> Douglas Gilbert <dgilbert@interlog.com> wrote:
>
> > Tony Battersby wrote:
> > > sg has the following problems related to device removal:
> > >
> > > * opening a sg fd races with removing a device
> > > * closing a sg fd races with removing a device
> > > * /proc/scsi/sg/* access races with removing a device
> > > * command completion races with removing a device
> > > * command completion races with closing a sg fd
> > > * can rmmod sg with active commands
> > >
> > > These problems can cause kernel oopses, memory-use-after-free, or
> > > double-free errors. This patch fixes these problems by using krefs
> > > to manage the lifetime of sg_device and sg_fd.
> > >
> > > Each command submitted to the midlevel holds a reference to sg_fd
> > > until the completion callback. This ensures that sg_fd doesn't go
> > > away if the fd is closed with commands still outstanding.
> > >
> > > sg_fd gets the reference of sg_device (with scsi_device) and also
> > > makes sure that the sg module doesn't go away.
> > >
> > > /proc/scsi/sg/* functions don't play nicely with krefs because they
> > > give information about sg_fds which have been closed but not yet
> > > freed due to still having outstanding commands and sg_devices which
> > > have been removed but not yet freed due to still being referenced
> > > by one or more sg_fds. To deal with this safely without removing
> > > functionality, /proc functions now access sg_device and sg_fd while
> > > holding a lock instead of using kref_get()/kref_put().
> > >
> > > Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
> > > ---
> > >
> > > This version changes BUG_ON() to WARN_ON()/return as suggested by
> > > Stefan Richter.
> > >
> > > The second patch "[PATCH 2/2] sg: fix races with ioctl(SG_IO) (v2)"
> > > is still the same as before, so I am not resending it.
> > >
> > > sg.c | 418 ++++++++++++++++++++++++++++++++-----------------------------------
> > > 1 file changed, 201 insertions(+), 217 deletions(-)
> > >
> > > --- linux-2.6.29-rc2/drivers/scsi/sg.c.orig 2009-01-21 14:34:05.000000000 -0500
> > > +++ linux-2.6.29-rc2/drivers/scsi/sg.c 2009-01-21 14:36:00.000000000 -0500
> >
> > Tony,
> > We seem to have consensus on this version (v6 20090121).
> >
> > Thanks for you work.
> >
> > Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
>
> Can we also get your ACK on:
>
> [PATCH 2/2] sg: fix races with ioctl(SG_IO) (v2)
>
> http://marc.info/?l=linux-scsi&m=123248892909435&w=2
Actually, using maintainer's prerogative, I was taking this as ack to
both.
James
next prev parent reply other threads:[~2009-01-28 15:06 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-05 19:07 [PATCH 0/2] sg: fix races during device removal (v2) Tony Battersby
2009-01-08 23:21 ` Douglas Gilbert
2009-01-10 17:26 ` FUJITA Tomonori
2009-01-12 21:09 ` Tony Battersby
2009-01-13 16:24 ` FUJITA Tomonori
2009-01-14 20:31 ` Tony Battersby
2009-01-14 21:39 ` Greg KH
2009-01-14 21:59 ` Tony Battersby
2009-01-14 22:33 ` Stefan Richter
2009-01-14 22:53 ` Tony Battersby
2009-01-14 23:47 ` Stefan Richter
2009-01-15 14:47 ` Tony Battersby
2009-01-15 16:22 ` Stefan Richter
2009-01-15 16:44 ` Stefan Richter
2009-01-15 18:17 ` Tony Battersby
2009-01-15 18:47 ` Stefan Richter
2009-01-15 19:14 ` Stefan Richter
2009-01-15 19:20 ` Tony Battersby
2009-01-15 20:43 ` Stefan Richter
2009-01-15 21:43 ` Tony Battersby
2009-01-15 21:58 ` Stefan Richter
2009-01-15 22:23 ` Tony Battersby
2009-01-15 23:24 ` Stefan Richter
2009-01-16 14:16 ` Tony Battersby
2009-01-16 0:53 ` Stefan Richter
2009-01-16 8:09 ` Stefan Richter
2009-01-19 6:57 ` FUJITA Tomonori
2009-01-19 15:02 ` Tony Battersby
2009-01-19 23:03 ` [PATCH 1/2] sg: fix races during device removal (v4) Tony Battersby
2009-01-20 1:06 ` FUJITA Tomonori
2009-01-20 21:58 ` [PATCH 1/2] sg: fix races during device removal (v5) Tony Battersby
2009-01-21 18:25 ` Stefan Richter
2009-01-21 19:23 ` Tony Battersby
2009-01-21 19:45 ` [PATCH 1/2] sg: fix races during device removal (v6) Tony Battersby
2009-01-25 12:46 ` FUJITA Tomonori
2009-01-26 13:57 ` Douglas Gilbert
2009-01-28 1:51 ` FUJITA Tomonori
2009-01-28 15:06 ` James Bottomley [this message]
2009-01-20 22:00 ` [PATCH 2/2] sg: fix races with ioctl(SG_IO) (v2) Tony Battersby
2009-01-25 12:46 ` FUJITA Tomonori
2009-01-19 23:06 ` [PATCH 2/2] sg: fix races with ioctl(SG_IO) Tony Battersby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1233155212.3236.10.camel@localhost.localdomain \
--to=james.bottomley@hansenpartnership.com \
--cc=dgilbert@interlog.com \
--cc=fujita.tomonori@lab.ntt.co.jp \
--cc=hch@infradead.org \
--cc=linux-scsi@vger.kernel.org \
--cc=tonyb@cybernetics.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.