From: Chris Boot <bootc@bootc.net>
To: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Tejun Heo <tj@kernel.org>,
linux1394-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] firewire-sbp2: fix panic after rmmod with slow targets
Date: Mon, 22 Aug 2011 21:43:36 +0100 [thread overview]
Message-ID: <4E52BF78.8060809@bootc.net> (raw)
In-Reply-To: <20110822163526.5b76d535@stein>
On 22/08/2011 15:35, Stefan Richter wrote:
> On Aug 22 Chris Boot wrote:
>> If firewire-sbp2 starts a login to a target that doesn't complete ORBs
>> in a timely manner (and has to retry the login), and the module is
>> removed before the operation times out, you end up with a null-pointer
>> dereference and a kernel panic.
>>
>> This happens because the code in sbp2_remove() just does a
>> sbp2_target_put(), assuming it will be the last remaining reference. If
>> there are jobs in the workqueue, this is not the case, and the module is
>> successfully unloaded while references still exist.
> The problem is not that sbp2_target_put()'s caller assumes that it is
> putting the last reference. sbp2_target_put()'s very purpose is to clean
> up when, and only when, the last reference is gone.
Yes that's what I meant by my message, but I guess I wasn't clear
enough. I edited it a bit with the second revision, I hope it's a bit
clearer now.
[snip]
>> Signed-off-by: Chris Boot<bootc@bootc.net>
>> ---
>> drivers/firewire/sbp2.c | 5 +++++
>> 1 files changed, 5 insertions(+), 0 deletions(-)
>>
>> diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c
>> index 41841a3..3867aaa 100644
>> --- a/drivers/firewire/sbp2.c
>> +++ b/drivers/firewire/sbp2.c
>> @@ -1198,6 +1198,11 @@ static int sbp2_remove(struct device *dev)
>> {
>> struct fw_unit *unit = fw_unit(dev);
>> struct sbp2_target *tgt = dev_get_drvdata(&unit->device);
>> + struct sbp2_logical_unit *lu, *next;
>> +
>> + list_for_each_entry_safe(lu, next,&tgt->lu_list, link) {
>> + cancel_delayed_work_sync(&lu->work);
>> + }
>>
>> sbp2_target_put(tgt);
>> return 0;
> list_for_each_entry() is sufficient here. You are not changing the list
> while you iterate over it.
>
> Would you please resend the patch with list_for_each_entry()?
Done.
> More importantly, I think the whole sbp2_target instance reference
> counting can be removed with his work canceling in place. But I have not
> analyzed this fully yet, and I don't expect you to do this for me. Though
> if you like to do so, that would of course be welcome.
If you don't mind I'll let you do that as I'm not yet familiar enough
with the kernel - only enough to be dangerous! :-)
Chris
next prev parent reply other threads:[~2011-08-22 20:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1314017561-1976-1-git-send-email-bootc@bootc.net>
2011-08-22 14:35 ` [PATCH] firewire-sbp2: fix panic after rmmod with slow targets Stefan Richter
2011-08-22 20:38 ` Chris Boot
2011-08-22 22:38 ` Chris Boot
2011-08-22 22:56 ` [PATCH] [v3] " Chris Boot
2011-08-22 23:21 ` Stefan Richter
2011-08-22 20:43 ` Chris Boot [this message]
2011-08-22 13:07 [PATCH] " Chris Boot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E52BF78.8060809@bootc.net \
--to=bootc@bootc.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=stefanr@s5r6.in-berlin.de \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.