From: James Bottomley <jejb@linux.vnet.ibm.com>
To: Bart Van Assche <Bart.VanAssche@wdc.com>,
	"hch@lst.de" <hch@lst.de>,
	"yanaijie@huawei.com" <yanaijie@huawei.com>
Cc: "zhaohongjiang@huawei.com" <zhaohongjiang@huawei.com>,
	"jthumshirn@suse.de" <jthumshirn@suse.de>,
	"martin.petersen@oracle.com" <martin.petersen@oracle.com>,
	"hare@suse.de" <hare@suse.de>,
	"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"miaoxie@huawei.com" <miaoxie@huawei.com>
Subject: Re: [PATCH] scsi: fix race condition when removing target
Date: Thu, 30 Nov 2017 15:56:18 -0800	[thread overview]
Message-ID: <1512086178.3020.35.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1512058117.2774.1.camel@wdc.com>

On Thu, 2017-11-30 at 16:08 +0000, Bart Van Assche wrote:
> On Thu, 2017-11-30 at 09:18 +0800, Jason Yan wrote:
> > 
> > Hi Bart, I chose the approach in my patch because it has been used
> > in scsi_device_get() for years and been proved safe. I think using
> > kobject_get_unless_zero() is safe here and can fix this issue too.
> > And this approach is beneficial to all users.
> 
> Hello Jason,
> 
> A possible approach is that we start with your patch and defer any
> get_device() changes until after your patch has been applied.

It's possible, but not quite good enough: the same race can be produced
with any of our sdev lists that are deleted in the release callback,
because there could be a released device on any one of them.  The only
way to mediate it properly is to get a reference in the iterator using
kobject_get_unless_zero().

It's a bit like a huge can of worms, there's another problem every time
I look.  However, this is something like the mechanism that could work
(and if get_device() ever gets fixed, we can put it in place of
kobject_get_unless_zero()).

James

---

diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c
index 6be77b3aa8a5..c3246f26c02c 100644
--- a/drivers/scsi/53c700.c
+++ b/drivers/scsi/53c700.c
@@ -1169,6 +1169,7 @@ process_script_interrupt(__u32 dsps, __u32 dsp, struct scsi_cmnd *SCp,
 
 			
 		}
+		put_device(&SDp->sdev_gendev);
 	} else if(dsps == A_RESELECTED_DURING_SELECTION) {
 
 		/* This section is full of debugging code because I've
diff --git a/drivers/scsi/esp_scsi.c b/drivers/scsi/esp_scsi.c
index c3fc34b9964d..7736f3fb2501 100644
--- a/drivers/scsi/esp_scsi.c
+++ b/drivers/scsi/esp_scsi.c
@@ -1198,6 +1198,7 @@ static int esp_reconnect(struct esp *esp)
 		goto do_reset;
 	}
 	lp = dev->hostdata;
+	put_device(&dev->sdev_gendev);
 
 	ent = lp->non_tagged_cmd;
 	if (!ent) {
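Review bot: `lp` is still dereferenced right after the new `put_device(&dev->sdev_gendev)` (`ent = lp->non_tagged_cmd`), so the reference taken by the lookup is dropped before the last use of data reached through the device. Whether `hostdata` outlives a final put is not visible in this hunk. Either hold the reference until `lp` and `ent` are no longer needed, or add a comment stating why `hostdata` is guaranteed to stay valid here. The body of esp_reconnect() starts and ends outside the hunk.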
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index a7e4fba724b7..c96c11716152 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -677,11 +677,10 @@ struct scsi_device *__scsi_device_lookup_by_target(struct scsi_target *starget,
 {
 	struct scsi_device *sdev;
 
-	list_for_each_entry(sdev, &starget->devices, same_target_siblings) {
-		if (sdev->sdev_state == SDEV_DEL)
-			continue;
-		if (sdev->lun ==lun)
+	__sdev_for_each_get(sdev, &starget->devices, same_target_siblings) {
+		if (sdev->sdev_state != SDEV_DEL && sdev->lun ==lun)
 			return sdev;
+		put_device(&sdev->sdev_gendev);
 	}
 
 	return NULL;
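Review bot: `__scsi_device_lookup_by_target()` now returns with a reference held on `sdev->sdev_gendev`, which changes the contract of an exported function; the same applies to `__scsi_device_lookup()` in the later scsi.c hunk. Any caller not converted by this patch would leak a reference on every successful lookup. The kernel-doc above the function (outside the hunk) should state the new rule, for example `* The returned device holds a reference on sdev_gendev; the caller must release it with put_device().`. The remaining in-tree callers of both helpers should be audited before this is applied.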
@@ -700,15 +699,16 @@ EXPORT_SYMBOL(__scsi_device_lookup_by_target);
 struct scsi_device *scsi_device_lookup_by_target(struct scsi_target *starget,
 						 u64 lun)
 {
-	struct scsi_device *sdev;
+  struct scsi_device *sdev, *sdev_copy;
 	struct Scsi_Host *shost = dev_to_shost(starget->dev.parent);
 	unsigned long flags;
 
 	spin_lock_irqsave(shost->host_lock, flags);
-	sdev = __scsi_device_lookup_by_target(starget, lun);
+	sdev_copy = sdev = __scsi_device_lookup_by_target(starget, lun);
+	spin_unlock_irqrestore(shost->host_lock, flags);
 	if (sdev && scsi_device_get(sdev))
 		sdev = NULL;
-	spin_unlock_irqrestore(shost->host_lock, flags);
+	put_device(&sdev_copy->sdev_gendev);
 
 	return sdev;
 }
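Review bot: When the lookup returns NULL, `put_device(&sdev_copy->sdev_gendev)` receives the address of a member of a NULL pointer. Unless `sdev_gendev` sits at offset zero that address is not NULL, so put_device()'s own NULL check will not catch it. Guard the call: `if (sdev_copy) put_device(&sdev_copy->sdev_gendev);`. The identical pattern appears in the scsi_device_lookup() hunk further down. In both hunks the new declaration line is indented with two spaces instead of a tab.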
@@ -735,12 +735,12 @@ struct scsi_device *__scsi_device_lookup(struct Scsi_Host *shost,
 {
 	struct scsi_device *sdev;
 
-	list_for_each_entry(sdev, &shost->__devices, siblings) {
-		if (sdev->sdev_state == SDEV_DEL)
-			continue;
-		if (sdev->channel == channel && sdev->id == id &&
-				sdev->lun ==lun)
+	__sdev_for_each_get(sdev, &shost->__devices, siblings) {
+		if (sdev->sdev_state != SDEV_DEL &&
+		    sdev->channel == channel && sdev->id == id &&
+		    sdev->lun ==lun)
 			return sdev;
+		put_device(&sdev->sdev_gendev);
 	}
 
 	return NULL;
@@ -761,14 +761,15 @@ EXPORT_SYMBOL(__scsi_device_lookup);
 struct scsi_device *scsi_device_lookup(struct Scsi_Host *shost,
 		uint channel, uint id, u64 lun)
 {
-	struct scsi_device *sdev;
+  struct scsi_device *sdev, *sdev_copy;
 	unsigned long flags;
 
 	spin_lock_irqsave(shost->host_lock, flags);
-	sdev = __scsi_device_lookup(shost, channel, id, lun);
+	sdev_copy = sdev = __scsi_device_lookup(shost, channel, id, lun);
+	spin_unlock_irqrestore(shost->host_lock, flags);
 	if (sdev && scsi_device_get(sdev))
 		sdev = NULL;
-	spin_unlock_irqrestore(shost->host_lock, flags);
+	put_device(&sdev_copy->sdev_gendev);
 
 	return sdev;
 }
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 40124648a07b..cddd5a93e962 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -1870,11 +1870,14 @@ void scsi_forget_host(struct Scsi_Host *shost)
 
  restart:
 	spin_lock_irqsave(shost->host_lock, flags);
-	list_for_each_entry(sdev, &shost->__devices, siblings) {
-		if (sdev->sdev_state == SDEV_DEL)
+	__sdev_for_each_get(sdev, &shost->__devices, siblings) {
+		if (sdev->sdev_state == SDEV_DEL) {
+			put_device(&sdev->sdev_gendev);
 			continue;
+		}
 		spin_unlock_irqrestore(shost->host_lock, flags);
 		__scsi_remove_device(sdev);
+		put_device(&sdev->sdev_gendev);
 		goto restart;
 	}
 	spin_unlock_irqrestore(shost->host_lock, flags);
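Review bot: The `put_device()` added in the `SDEV_DEL` branch runs with `shost->host_lock` held and interrupts disabled. If that call can drop the last reference, the release path would run in that context; the cover text says the sdev lists are deleted in the release callback, which presumably takes the same lock, so this looks like a possible self-deadlock. The puts inside the loops of `__scsi_device_lookup_by_target()` and `__scsi_device_lookup()` have the same exposure. Consider deferring the put until after `spin_unlock_irqrestore()`, or document why a final put cannot happen here. The body of scsi_forget_host() starts outside the hunk.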
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index f796bd61f3f0..380404ec49cd 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1375,17 +1375,7 @@ static void __scsi_remove_target(struct scsi_target *starget)
 
 	spin_lock_irqsave(shost->host_lock, flags);
  restart:
-	list_for_each_entry(sdev, &shost->__devices, siblings) {
-		/*
-		 * We cannot call scsi_device_get() here, as
-		 * we might've been called from rmmod() causing
-		 * scsi_device_get() to fail the module_is_live()
-		 * check.
-		 */
-		if (sdev->channel != starget->channel ||
-		    sdev->id != starget->id ||
-		    !get_device(&sdev->sdev_gendev))
-			continue;
+	__sdev_for_each_get(sdev, &starget->devices, same_target_siblings) {
 		spin_unlock_irqrestore(shost->host_lock, flags);
 		scsi_remove_device(sdev);
 		put_device(&sdev->sdev_gendev);
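Review bot: The deleted comment explained why `scsi_device_get()` cannot be used in this loop (the rmmod / `module_is_live()` case), and that reasoning still applies to the new iterator. Keep a short form above the loop, such as `/* Take a plain device reference: scsi_device_get() would fail module_is_live() when called from rmmod. */`. The loop also now walks `starget->devices` instead of filtering `shost->__devices` by channel and id, and the description does not say that both select the same devices; a sentence confirming it would help reviewers. The body of __scsi_remove_target() continues outside the hunk.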
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index 571ddb49b926..2e4d48d8cd68 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -380,6 +380,23 @@ extern struct scsi_device *__scsi_iterate_devices(struct Scsi_Host *,
 #define __shost_for_each_device(sdev, shost) \
 	list_for_each_entry((sdev), &((shost)->__devices), siblings)
 
+/**
+ * __sdev_list_for_each_get - get a reference to each element
+ * @sdev: the scsi device to use in the body
+ * @head: the head of the list
+ * @list: the element (sdev->list) containing list members
+ *
+ * Iterator that only executes the body if it can obtain a reference
+ * to the element.  This closes a race where the device release can
+ * have been called, but the element is still on the lists.
+ *
+ * The lock protecting the list (the host lock) must be held before
+ * calling this iterator
+ */
+#define __sdev_for_each_get(sdev, head, list)				\
+	list_for_each_entry(sdev, head, list)				\
+		if (kobject_get_unless_zero(&sdev->sdev_gendev.kobj))
+
 extern int scsi_change_queue_depth(struct scsi_device *, int);
 extern int scsi_track_queue_full(struct scsi_device *, int);
 
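Review bot: The macro ends in a bare `if`, so a caller that writes `if (x) __sdev_for_each_get(...) stmt; else ...` gets the `else` bound to the macro's hidden `if`. The usual guard is `if (!kobject_get_unless_zero(&(sdev)->sdev_gendev.kobj)) {} else`, which also parenthesizes the `sdev` argument. The kernel-doc names `__sdev_list_for_each_get` while the macro is `__sdev_for_each_get`; the two should match. The comment should also state that the body owns the reference and must call `put_device()` on every path that does not hand the device to the caller.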
