* dm-table-rework-reference-counting.patch
@ 2009-01-06 7:16 Kiyoshi Ueda
2009-01-06 21:27 ` dm-table-rework-reference-counting.patch Mikulas Patocka
0 siblings, 1 reply; 3+ messages in thread
From: Kiyoshi Ueda @ 2009-01-06 7:16 UTC (permalink / raw)
To: Alasdair G Kergon, Mikulas Patocka; +Cc: device-mapper development
Hi Alasdair, Mikulas,
Although I'm not sure this is correct, don't we need to convert
the following 2 dm_table_put()s to dm_table_destroy()?
Otherwise, the created table won't be destroyed and memory leak
will happen in such error cases?
drivers/md/dm-ioctl.c:table_load()
1060 r = dm_table_create(&t, get_mode(param), param->target_count, md);
1061 if (r)
1062 goto out;
1063
1064 r = populate_table(t, param, param_size);
1065 if (r) {
1066 dm_table_put(t);
1067 goto out;
1068 }
1069
1070 down_write(&_hash_lock);
1071 hc = dm_get_mdptr(md);
1072 if (!hc || hc->md != md) {
1073 DMWARN("device has been removed from the dev hash table.");
1074 dm_table_put(t);
1075 up_write(&_hash_lock);
1076 r = -ENXIO;
1077 goto out;
1078 }
Thanks,
Kiyoshi Ueda
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: dm-table-rework-reference-counting.patch
2009-01-06 7:16 dm-table-rework-reference-counting.patch Kiyoshi Ueda
@ 2009-01-06 21:27 ` Mikulas Patocka
2009-01-07 5:23 ` self deadlock possibility during device deletion (Was: dm-table-rework-reference-counting.patch) Kiyoshi Ueda
0 siblings, 1 reply; 3+ messages in thread
From: Mikulas Patocka @ 2009-01-06 21:27 UTC (permalink / raw)
To: Kiyoshi Ueda; +Cc: device-mapper development, Alasdair G Kergon
Hi
You are right, thanks for the review. I grepped for other uses of
dm_table_put and they seem correct - just these two were bad.
Alasdair: push this patch to Linus soon.
Another point: it looks somehow scary to free the table before unlocking
_hash_lock --- most of the time, _hash_lock is took only on behalf of
userspace ioctls (no problem with that), but it is also took in
dm_copy_name_and_uuid that can be called from uevent code:
dm_table_event -> event_callback -> dm_send_uevents -> takes _hash_lock
And dm_table_event is called directly from targets, targets wait for
dm_table_event to finish in their destructor --- so calling the destructor
with locked _hash_lock seems to be a deadlock possibility --- what do you
think?
Mikulas
On Tue, 6 Jan 2009, Kiyoshi Ueda wrote:
> Hi Alasdair, Mikulas,
>
> Although I'm not sure this is correct, don't we need to convert
> the following 2 dm_table_put()s to dm_table_destroy()?
> Otherwise, the created table won't be destroyed and memory leak
> will happen in such error cases?
>
> drivers/md/dm-ioctl.c:table_load()
> 1060 r = dm_table_create(&t, get_mode(param), param->target_count, md);
> 1061 if (r)
> 1062 goto out;
> 1063
> 1064 r = populate_table(t, param, param_size);
> 1065 if (r) {
> 1066 dm_table_put(t);
> 1067 goto out;
> 1068 }
> 1069
> 1070 down_write(&_hash_lock);
> 1071 hc = dm_get_mdptr(md);
> 1072 if (!hc || hc->md != md) {
> 1073 DMWARN("device has been removed from the dev hash table.");
> 1074 dm_table_put(t);
> 1075 up_write(&_hash_lock);
> 1076 r = -ENXIO;
> 1077 goto out;
> 1078 }
>
> Thanks,
> Kiyoshi Ueda
>
Fix an error introduced in dm-table-rework-reference-counting.patch.
When there is failure after table initialization, we need to use
dm_table_destroy, not dm_table_put, to free the table.
dm_table_put may be used only after dm_table_get.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
CC: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
---
drivers/md/dm-ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: linux-2.6.28-devel/drivers/md/dm-ioctl.c
===================================================================
--- linux-2.6.28-devel.orig/drivers/md/dm-ioctl.c 2009-01-06 22:06:01.000000000 +0100
+++ linux-2.6.28-devel/drivers/md/dm-ioctl.c 2009-01-06 22:07:05.000000000 +0100
@@ -1063,7 +1063,7 @@ static int table_load(struct dm_ioctl *p
r = populate_table(t, param, param_size);
if (r) {
- dm_table_put(t);
+ dm_table_destroy(t);
goto out;
}
@@ -1071,7 +1071,7 @@ static int table_load(struct dm_ioctl *p
hc = dm_get_mdptr(md);
if (!hc || hc->md != md) {
DMWARN("device has been removed from the dev hash table.");
- dm_table_put(t);
+ dm_table_destroy(t);
up_write(&_hash_lock);
r = -ENXIO;
goto out;
^ permalink raw reply [flat|nested] 3+ messages in thread
* self deadlock possibility during device deletion (Was: dm-table-rework-reference-counting.patch)
2009-01-06 21:27 ` dm-table-rework-reference-counting.patch Mikulas Patocka
@ 2009-01-07 5:23 ` Kiyoshi Ueda
0 siblings, 0 replies; 3+ messages in thread
From: Kiyoshi Ueda @ 2009-01-07 5:23 UTC (permalink / raw)
To: Alasdair G Kergon, Mikulas Patocka; +Cc: device-mapper development
Hi Mikulas, Alasdair,
Mikulas Patocka wrote:
> > Hi
> >
> > You are right, thanks for the review. I grepped for other uses of
> > dm_table_put and they seem correct - just these two were bad.
> >
> > Alasdair: push this patch to Linus soon.
Thank you for the rapid work.
> > Another point: it looks somehow scary to free the table before unlocking
> > _hash_lock --- most of the time, _hash_lock is took only on behalf of
> > userspace ioctls (no problem with that), but it is also took in
> > dm_copy_name_and_uuid that can be called from uevent code:
> >
> > dm_table_event -> event_callback -> dm_send_uevents -> takes _hash_lock
> > And dm_table_event is called directly from targets, targets wait for
> > dm_table_event to finish in their destructor --- so calling the destructor
> > with locked _hash_lock seems to be a deadlock possibility --- what do you
> > think?
You are right, although there is no such target now.
But there is already a code path that could cause such a deadlock.
If a mapped_device is being deleted while there are pending uevents
in md->uevent_list, the ioctl for the deletion should cause
self-deadlock, because __hash_remove() calls dm_table_event()
with _hash_lock locked:
drivers/md/dm-ioctl.c:__hash_remove()
220 static void __hash_remove(struct hash_cell *hc)
221 {
222 struct dm_table *table;
223
224 /* remove from the dev hash */
225 list_del(&hc->uuid_list);
226 list_del(&hc->name_list);
227 dm_set_mdptr(hc->md, NULL);
228
229 table = dm_get_table(hc->md);
230 if (table) {
231 dm_table_event(table);
232 dm_table_put(table);
233 }
We should unlock _hash_lock before handling event flush.
> > Mikulas
Thanks,
Kiyoshi Ueda
> > On Tue, 6 Jan 2009, Kiyoshi Ueda wrote:
> >
>> >> Hi Alasdair, Mikulas,
>> >>
>> >> Although I'm not sure this is correct, don't we need to convert
>> >> the following 2 dm_table_put()s to dm_table_destroy()?
>> >> Otherwise, the created table won't be destroyed and memory leak
>> >> will happen in such error cases?
>> >>
>> >> drivers/md/dm-ioctl.c:table_load()
>> >> 1060 r = dm_table_create(&t, get_mode(param), param->target_count, md);
>> >> 1061 if (r)
>> >> 1062 goto out;
>> >> 1063
>> >> 1064 r = populate_table(t, param, param_size);
>> >> 1065 if (r) {
>> >> 1066 dm_table_put(t);
>> >> 1067 goto out;
>> >> 1068 }
>> >> 1069
>> >> 1070 down_write(&_hash_lock);
>> >> 1071 hc = dm_get_mdptr(md);
>> >> 1072 if (!hc || hc->md != md) {
>> >> 1073 DMWARN("device has been removed from the dev hash table.");
>> >> 1074 dm_table_put(t);
>> >> 1075 up_write(&_hash_lock);
>> >> 1076 r = -ENXIO;
>> >> 1077 goto out;
>> >> 1078 }
>> >>
>> >> Thanks,
>> >> Kiyoshi Ueda
>> >>
> >
> > Fix an error introduced in dm-table-rework-reference-counting.patch.
> >
> > When there is failure after table initialization, we need to use
> > dm_table_destroy, not dm_table_put, to free the table.
> >
> > dm_table_put may be used only after dm_table_get.
> >
> > Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
> > CC: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
> >
> > ---
> > drivers/md/dm-ioctl.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > Index: linux-2.6.28-devel/drivers/md/dm-ioctl.c
> > ===================================================================
> > --- linux-2.6.28-devel.orig/drivers/md/dm-ioctl.c 2009-01-06 22:06:01.000000000 +0100
> > +++ linux-2.6.28-devel/drivers/md/dm-ioctl.c 2009-01-06 22:07:05.000000000 +0100
> > @@ -1063,7 +1063,7 @@ static int table_load(struct dm_ioctl *p
> >
> > r = populate_table(t, param, param_size);
> > if (r) {
> > - dm_table_put(t);
> > + dm_table_destroy(t);
> > goto out;
> > }
> >
> > @@ -1071,7 +1071,7 @@ static int table_load(struct dm_ioctl *p
> > hc = dm_get_mdptr(md);
> > if (!hc || hc->md != md) {
> > DMWARN("device has been removed from the dev hash table.");
> > - dm_table_put(t);
> > + dm_table_destroy(t);
> > up_write(&_hash_lock);
> > r = -ENXIO;
> > goto out;
> >
> > --
> > dm-devel mailing list
> > dm-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/dm-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-01-07 5:23 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-01-06 7:16 dm-table-rework-reference-counting.patch Kiyoshi Ueda
2009-01-06 21:27 ` dm-table-rework-reference-counting.patch Mikulas Patocka
2009-01-07 5:23 ` self deadlock possibility during device deletion (Was: dm-table-rework-reference-counting.patch) Kiyoshi Ueda
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.