Re: [PATCH v2] blk-throttle: fix race between blkcg_bio_issue_check and cgroup_rmdir

public inbox for linux-block@vger.kernel.org
 help / color / mirror / Atom feed

From: Joseph Qi <joseph.qi@linux.alibaba.com>
To: Tejun Heo <tj@kernel.org>, xuejiufei <jiufei.xue@linux.alibaba.com>
Cc: Jens Axboe <axboe@kernel.dk>,
	Caspar Zhang <caspar@linux.alibaba.com>,
	linux-block <linux-block@vger.kernel.org>,
	cgroups@vger.kernel.org
Subject: Re: [PATCH v2] blk-throttle: fix race between blkcg_bio_issue_check and cgroup_rmdir
Date: Tue, 27 Feb 2018 11:18:43 +0800	[thread overview]
Message-ID: <fedb0810-2305-de99-7578-37069ba292a8@linux.alibaba.com> (raw)
In-Reply-To: <ac3f48fc-e306-5df3-1c30-cd3b385d971f@linux.alibaba.com>

Hi Tejun,

Could you please help take a look at this and give a confirmation?

Thanks,
Joseph

On 18/2/24 09:45, Joseph Qi wrote:
> Hi Tejun,
> 
> On 18/2/23 22:23, Tejun Heo wrote:
>> Hello,
>>
>> On Fri, Feb 23, 2018 at 09:56:54AM +0800, xuejiufei wrote:
>>>> On Thu, Feb 22, 2018 at 02:14:34PM +0800, Joseph Qi wrote:
>>>>> I still don't get how css_tryget can work here.
>>>>>
>>>>> The race happens when:
>>>>> 1) writeback kworker has found the blkg with rcu;
>>>>> 2) blkcg is during offlining and blkg_destroy() has already been called.
>>>>> Then, writeback kworker will take queue lock and access the blkg with
>>>>> refcount 0.
>>>>
>>>> Yeah, then tryget would fail and it should go through the root.
>>>>
>>> In this race, the refcount of blkg becomes zero and is destroyed.
>>> However css may still have refcount, and css_tryget can return success
>>> before other callers put the refcount.
>>> So I don't get how css_tryget can fix this race? Or I wonder if we can
>>> add another function blkg_tryget?
>>
>> IIRC, as long as the blkcg and the device are there, the blkgs aren't
>> gonna be destroyed.  So, if you have a ref to the blkcg through
>> tryget, the blkg shouldn't go away.
>>
> 
> Maybe we have misunderstanding here.
> 
> In this case, blkg doesn't go away as we have rcu protect, but
> blkg_destroy() can be called, in which blkg_put() will put the last
> refcnt and then schedule __blkg_release_rcu().
> 
> css refcnt can't prevent blkcg css from offlining, instead it is css
> online_cnt.
> 
> css_tryget() will only get a refcnt of blkcg css, but can't be
> guaranteed to fail when css is confirmed to kill.
> 
> The race sequence:
> writeback kworker                   cgroup_rmdir
>                                       cgroup_destroy_locked
>                                         kill_css
>                                           css_killed_ref_fn
>                                             css_killed_work_fn
>                                               offline_css
>                                                 blkcg_css_offline
>   blkcg_bio_issue_check
>     rcu_read_lock
>     blkg_lookup
>                                                   spin_trylock(q->queue_lock)
>                                                   blkg_destroy
>                                                   spin_unlock(q->queue_lock)
>     blk_throtl_bio
>       spin_lock_irq(q->queue_lock)
>       spin_unlock_irq(q->queue_lock)
>     rcu_read_unlock
> 
> Thanks,
> Joseph
>

next prev parent reply	other threads:[~2018-02-27  3:18 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-07  8:40 [PATCH v2] blk-throttle: fix race between blkcg_bio_issue_check and cgroup_rmdir Joseph Qi
2018-02-07 21:38 ` Tejun Heo
2018-02-08  2:29   ` Joseph Qi
2018-02-08 15:23     ` Tejun Heo
2018-02-09  2:15       ` Joseph Qi
2018-02-12 17:11         ` Tejun Heo
2018-02-22  6:14           ` Joseph Qi
2018-02-22 15:18             ` Tejun Heo
2018-02-23  1:56               ` xuejiufei
2018-02-23 14:23                 ` Tejun Heo
2018-02-24  1:45                   ` Joseph Qi
2018-02-27  3:18                     ` Joseph Qi [this message]
2018-02-27 18:33                     ` Tejun Heo
2018-02-28  6:52                       ` Joseph Qi
2018-03-04 20:23                         ` Tejun Heo
2018-03-05  1:17                           ` Joseph Qi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fedb0810-2305-de99-7578-37069ba292a8@linux.alibaba.com \
    --to=joseph.qi@linux.alibaba.com \
    --cc=axboe@kernel.dk \
    --cc=caspar@linux.alibaba.com \
    --cc=cgroups@vger.kernel.org \
    --cc=jiufei.xue@linux.alibaba.com \
    --cc=linux-block@vger.kernel.org \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox