From: Tejun Heo <tj@kernel.org>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Mike Christie <michaelc@cs.wisc.edu>,
linux-scsi <linux-scsi@vger.kernel.org>,
James Bottomley <jbottomley@parallels.com>,
Jens Axboe <axboe@kernel.dk>, Chanho Min <chanho.min@lge.com>
Subject: Re: [PATCH] Fix a use-after-free triggered by device removal
Date: Wed, 12 Sep 2012 13:53:38 -0700 [thread overview]
Message-ID: <20120912205338.GV7677@google.com> (raw)
In-Reply-To: <504EDD54.9000408@acm.org>
Hello,
On Tue, Sep 11, 2012 at 08:42:28AM +0200, Bart Van Assche wrote:
> Good question. As far as I can see calling request_queue.request_fn() is
> fine as long as the caller holds a reference on the queue. If e.g.
> scsi_request_fn() would get invoked after blk_drain_queue() finished it
> will return immediately because it was invoked with an empty request
> queue. So we should be fine as long as all blk_run_queue() callers
> either hold a reference on the request queue itself or on the sdev that
> owns the request queue. As far as I can see if patch
> http://marc.info/?l=linux-scsi&m=134453905402413 gets accepted then all
> callers in the SCSI core of blk_run_queue() will hold a (direct or
> indirect) reference on the request_queue before invoking blk_run_queue()
> or __blk_run_queue().
It's been quite a while since I really looked through the code and I'm
feeling a bit dense but what you describe seems like a two-pronged
approach where the drain stalling, when properly done, should be
enough.
The problem at hand IIUC is ->request_fn() being invoked when
request_queue itself is alive but the underlying driver is gone. We
already make sure that a new request is not queued once drain is
complete but there's no guarantee about calling into ->request_fn()
and this is what you want to fix, right?
I think this is something which the block layer proper should handle
correctly and expose sane interface. ie. if the caller has
request_queue reference, it should be safe to call __blk_run_queue()
no matter what. As long as SCSI follows proper shutdown procedure, it
shouldn't need to worry about this.
Am I hopelessly confused somewhere?
Thanks.
--
tejun
next prev parent reply other threads:[~2012-09-12 20:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-03 14:12 [PATCH] Fix a use-after-free triggered by device removal Bart Van Assche
2012-09-06 16:27 ` Michael Christie
2012-09-06 17:58 ` Bart Van Assche
2012-09-06 18:14 ` Mike Christie
2012-09-06 18:52 ` Bart Van Assche
2012-09-06 23:20 ` Tejun Heo
2012-09-07 6:57 ` Bart Van Assche
2012-09-10 23:38 ` Tejun Heo
2012-09-11 6:42 ` Bart Van Assche
2012-09-12 20:53 ` Tejun Heo [this message]
2012-09-13 7:26 ` Bart Van Assche
2012-09-13 16:53 ` Tejun Heo
2012-09-13 18:27 ` Bart Van Assche
2012-09-13 19:25 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120912205338.GV7677@google.com \
--to=tj@kernel.org \
--cc=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=chanho.min@lge.com \
--cc=jbottomley@parallels.com \
--cc=linux-scsi@vger.kernel.org \
--cc=michaelc@cs.wisc.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.