From: Mike Christie <michaelc@cs.wisc.edu>
To: open-iscsi@googlegroups.com
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] iscsi_tcp: fix potential lockup with write commands
Date: Thu, 25 Oct 2007 17:17:43 -0500 [thread overview]
Message-ID: <47211607.5090801@cs.wisc.edu> (raw)
In-Reply-To: <4720F358.8030307@cybernetics.com>
Tony Battersby wrote:
> There is a race condition in iscsi_tcp.c that may cause it to forget
> that it received a R2T from the target. This race may cause a data-out
> command (such as a write) to lock up. The race occurs here:
>
> static int
> iscsi_send_unsol_pdu(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
> {
> struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
> int rc;
>
> if (tcp_ctask->xmstate & XMSTATE_UNS_HDR) {
> BUG_ON(!ctask->unsol_count);
> tcp_ctask->xmstate &= ~XMSTATE_UNS_HDR; <---- RACE
> ...
>
> static int
> iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
> {
> ...
> tcp_ctask->xmstate |= XMSTATE_SOL_HDR_INIT; <---- RACE
> ...
>
> While iscsi_xmitworker() (called from scsi_queue_work()) is preparing to
> send unsolicited data, iscsi_tcp_data_recv() (called from
> tcp_read_sock()) interrupts it upon receipt of a R2T from the target.
> Both contexts do read-modify-write of tcp_ctask->xmstate. Usually, gcc
> on x86 will make &= and |= atomic on UP (not guaranteed of course), but
> in this case iscsi_send_unsol_pdu() reads the value of xmstate before
> clearing the bit, which causes gcc to read xmstate into a CPU register,
> test it, clear the bit, and then store it back to memory. If the recv
> interrupt happens during this sequence, then the XMSTATE_SOL_HDR_INIT
> bit set by the recv interrupt will be lost, and the R2T will be
> forgotten.
>
> The patch below (against 2.6.24-rc1) converts accesses of xmstate to use
> set_bit, clear_bit, and test_bit instead of |= and &=. I have tested
> this patch and verified that it fixes the problem. Another possible
> approach would be to hold a lock during most of the rx/tx setup and
> post-processing, and drop the lock only for the actual rx/tx.
>
> Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
We are going to remove that code in 2.6.25. Your patch looks good for
2.6.24. Nice debugging, and thanks for the patch and nice write up. I
think someone else was in the middle of hunting for this right now too.
James, could you please apply for the next round of 2.6.24 bug fixes?
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
prev parent reply other threads:[~2007-10-25 22:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-25 19:49 [PATCH] iscsi_tcp: fix potential lockup with write commands Tony Battersby
2007-10-25 22:17 ` Mike Christie [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47211607.5090801@cs.wisc.edu \
--to=michaelc@cs.wisc.edu \
--cc=linux-scsi@vger.kernel.org \
--cc=open-iscsi@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.