Re: [PATCH] ses: Fix racy cleanup of /sys in remove_dev()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Calvin Owens <calvinowens@fb.com>
To: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ses: Fix racy cleanup of /sys in remove_dev()
Date: Thu, 2 Jun 2016 15:50:09 -0700	[thread overview]
Message-ID: <5750B821.7010600@fb.com> (raw)
In-Reply-To: <4912ec551a8ec01181cc3e7ad1e01d3d36758810.1463170976.git.calvinowens@fb.com>

On 05/13/2016 01:28 PM, Calvin Owens wrote:
> Currently we free the resources backing the enclosure device before we
> call device_unregister(). This is racy: during rmmod of low-level SCSI
> drivers that hook into enclosure, we end up with a small window of time
> during which writing to /sys can OOPS. Example trace with mpt3sas:

Ping?

>    general protection fault: 0000 [#1] SMP KASAN
>    Modules linked in: mpt3sas(-) <...>
>    RIP: [<ffffffffa0388a98>] ses_get_page2_descriptor.isra.6+0x38/0x220 [ses]
>    Call Trace:
>     [<ffffffffa0389d14>] ses_set_fault+0xf4/0x400 [ses]
>     [<ffffffffa0361069>] set_component_fault+0xa9/0xf0 [enclosure]
>     [<ffffffff8205bffc>] dev_attr_store+0x3c/0x70
>     [<ffffffff81677df5>] sysfs_kf_write+0x115/0x180
>     [<ffffffff81675725>] kernfs_fop_write+0x275/0x3a0
>     [<ffffffff8151f810>] __vfs_write+0xe0/0x3e0
>     [<ffffffff8152281f>] vfs_write+0x13f/0x4a0
>     [<ffffffff81526731>] SyS_write+0x111/0x230
>     [<ffffffff828b401b>] entry_SYSCALL_64_fastpath+0x13/0x94
>
> Fortunately the solution is extremely simple: call device_unregister()
> before we free the resources, and the race no longer exists. The driver
> core holds a reference over ->remove_dev(), so AFAICT this is safe.
>
> Signed-off-by: Calvin Owens <calvinowens@fb.com>
> ---
>   drivers/scsi/ses.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 53ef1cb..0e8601a 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -778,6 +778,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>   	if (!edev)
>   		return;
>
> +	enclosure_unregister(edev);
> +
>   	ses_dev = edev->scratch;
>   	edev->scratch = NULL;
>
> @@ -789,7 +791,6 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>   	kfree(edev->component[0].scratch);
>
>   	put_device(&edev->edev);
> -	enclosure_unregister(edev);
>   }
>
>   static void ses_intf_remove(struct device *cdev,
>

WARNING: multiple messages have this Message-ID (diff)

From: Calvin Owens <calvinowens@fb.com>
To: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: <linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ses: Fix racy cleanup of /sys in remove_dev()
Date: Thu, 2 Jun 2016 15:50:09 -0700	[thread overview]
Message-ID: <5750B821.7010600@fb.com> (raw)
In-Reply-To: <4912ec551a8ec01181cc3e7ad1e01d3d36758810.1463170976.git.calvinowens@fb.com>

On 05/13/2016 01:28 PM, Calvin Owens wrote:
> Currently we free the resources backing the enclosure device before we
> call device_unregister(). This is racy: during rmmod of low-level SCSI
> drivers that hook into enclosure, we end up with a small window of time
> during which writing to /sys can OOPS. Example trace with mpt3sas:

Ping?

>    general protection fault: 0000 [#1] SMP KASAN
>    Modules linked in: mpt3sas(-) <...>
>    RIP: [<ffffffffa0388a98>] ses_get_page2_descriptor.isra.6+0x38/0x220 [ses]
>    Call Trace:
>     [<ffffffffa0389d14>] ses_set_fault+0xf4/0x400 [ses]
>     [<ffffffffa0361069>] set_component_fault+0xa9/0xf0 [enclosure]
>     [<ffffffff8205bffc>] dev_attr_store+0x3c/0x70
>     [<ffffffff81677df5>] sysfs_kf_write+0x115/0x180
>     [<ffffffff81675725>] kernfs_fop_write+0x275/0x3a0
>     [<ffffffff8151f810>] __vfs_write+0xe0/0x3e0
>     [<ffffffff8152281f>] vfs_write+0x13f/0x4a0
>     [<ffffffff81526731>] SyS_write+0x111/0x230
>     [<ffffffff828b401b>] entry_SYSCALL_64_fastpath+0x13/0x94
>
> Fortunately the solution is extremely simple: call device_unregister()
> before we free the resources, and the race no longer exists. The driver
> core holds a reference over ->remove_dev(), so AFAICT this is safe.
>
> Signed-off-by: Calvin Owens <calvinowens@fb.com>
> ---
>   drivers/scsi/ses.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
> index 53ef1cb..0e8601a 100644
> --- a/drivers/scsi/ses.c
> +++ b/drivers/scsi/ses.c
> @@ -778,6 +778,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>   	if (!edev)
>   		return;
>
> +	enclosure_unregister(edev);
> +
>   	ses_dev = edev->scratch;
>   	edev->scratch = NULL;
>
> @@ -789,7 +791,6 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
>   	kfree(edev->component[0].scratch);
>
>   	put_device(&edev->edev);
> -	enclosure_unregister(edev);
>   }
>
>   static void ses_intf_remove(struct device *cdev,
>

next prev parent reply	other threads:[~2016-06-02 22:50 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-13 20:28 [PATCH] ses: Fix racy cleanup of /sys in remove_dev() Calvin Owens
2016-05-13 20:28 ` Calvin Owens
2016-06-02 22:50 ` Calvin Owens [this message]
2016-06-02 22:50   ` Calvin Owens
2016-06-15 20:24   ` Calvin Owens
2016-06-15 20:24     ` Calvin Owens
2016-07-28  1:04     ` Calvin Owens
2016-07-28  1:04       ` Calvin Owens
2016-07-29  1:23       ` Martin K. Petersen
2016-07-29  1:23         ` Martin K. Petersen
2016-08-12 17:45         ` James Bottomley
  -- strict thread matches above, loose matches on Subject: below --
2017-08-24 13:13 Hannes Reinecke
2017-08-25 21:36 ` Martin K. Petersen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5750B821.7010600@fb.com \
    --to=calvinowens@fb.com \
    --cc=jejb@linux.vnet.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.