From: Bart Van Assche <bvanassche@acm.org>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
Joe Lawrence <jdl1291@gmail.com>, Tejun Heo <tj@kernel.org>,
Chanho Min <chanho.min@lge.com>,
David Milburn <dmilburn@redhat.com>,
Hannes Reinecke <hare@suse.de>,
Mike Christie <michaelc@cs.wisc.edu>
Subject: Re: [PATCH v11 1/9] Fix race between starved list and device removal
Date: Mon, 24 Jun 2013 18:16:14 +0200 [thread overview]
Message-ID: <51C870CE.4020900@acm.org> (raw)
In-Reply-To: <1372088320.2013.33.camel@dabdike.int.hansenpartnership.com>
On 06/24/13 17:38, James Bottomley wrote:
> I really don't like this because it's shuffling potentially fragile
> lifetime rules since you now have to have the sdev deleted from the
> starved list before final put. That becomes an unstated assumption
> within the code.
>
> The theory is that the starved list processing may be racing with a
> scsi_remove_device, so when we unlock the host lock, the device (and the
> queue) may be destroyed. OK, so I agree with this, remote a possibility
> though it may be. The easy way of fixing it without making assumptions
> is this, isn't it? All it requires is that the queue be destroyed after
> the starved list entry is deleted in the sdev release code.
>
> James
>
> ---
>
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index 86d5220..f294cc6 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -434,6 +434,7 @@ static void scsi_run_queue(struct request_queue *q)
> list_splice_init(&shost->starved_list, &starved_list);
>
> while (!list_empty(&starved_list)) {
> + struct request_queue *slq;
> /*
> * As long as shost is accepting commands and we have
> * starved queues, call blk_run_queue. scsi_request_fn
> @@ -456,10 +457,21 @@ static void scsi_run_queue(struct request_queue *q)
> continue;
> }
>
> + /*
> + * once we drop the host lock, a racing scsi_remove_device may
> + * remove the sdev from the starved list and destroy it and
> + * the queue. Mitigate by taking a reference to the queue and
> + * never touching the sdev again after we drop the host lock.
> + */
> + slq = sdev->request_queue;
> + if (!blk_get_queue(slq))
> + continue;
> +
> spin_unlock(shost->host_lock);
> - spin_lock(sdev->request_queue->queue_lock);
> - __blk_run_queue(sdev->request_queue);
> - spin_unlock(sdev->request_queue->queue_lock);
> +
> + blk_run_queue(slq);
> + blk_put_queue(slq);
> +
> spin_lock(shost->host_lock);
> }
> /* put any unprocessed entries back */
Since the above patch invokes blk_put_queue() with interrupts disabled
it may cause blk_release_queue() to be invoked with interrupts disabled.
Sorry but I'm not sure whether that will work fine.
Bart.
next prev parent reply other threads:[~2013-06-24 16:16 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-12 12:48 [PATCH v11 0/9] More device removal fixes Bart Van Assche
2013-06-12 12:49 ` [PATCH v11 1/9] Fix race between starved list and device removal Bart Van Assche
2013-06-24 15:38 ` James Bottomley
2013-06-24 16:16 ` Bart Van Assche [this message]
2013-06-24 16:23 ` James Bottomley
2013-06-24 17:24 ` Mike Christie
2013-06-24 17:49 ` James Bottomley
2013-06-12 12:51 ` [PATCH v11 2/9] Remove get_device() / put_device() pair from scsi_request_fn() Bart Van Assche
2013-06-24 1:29 ` Mike Christie
2013-06-24 2:36 ` James Bottomley
2013-06-24 7:13 ` Bart Van Assche
2013-06-24 13:34 ` James Bottomley
2013-06-24 15:43 ` Bart Van Assche
2013-06-12 12:52 ` [PATCH v11 3/9] Avoid calling __scsi_remove_device() twice Bart Van Assche
2013-06-23 21:35 ` Mike Christie
2013-06-24 6:29 ` Bart Van Assche
2013-06-24 17:38 ` James Bottomley
2013-06-25 8:37 ` Bart Van Assche
2013-06-25 13:44 ` James Bottomley
2013-06-25 15:23 ` Bart Van Assche
2013-06-12 12:53 ` [PATCH v11 4/9] Disallow changing the device state via sysfs into "deleted" Bart Van Assche
2013-06-24 1:05 ` Mike Christie
2013-06-24 6:35 ` Bart Van Assche
2013-06-24 17:59 ` James Bottomley
2013-06-25 8:41 ` Bart Van Assche
2013-06-25 13:42 ` James Bottomley
2013-06-12 12:54 ` [PATCH v11 5/9] Avoid saving/restoring interrupt state inside scsi_remove_host() Bart Van Assche
2013-06-24 1:06 ` Mike Christie
2013-06-12 12:55 ` [PATCH v11 6/9] Make scsi_remove_host() wait until error handling finished Bart Van Assche
2013-06-24 1:15 ` Mike Christie
2013-06-24 6:49 ` Bart Van Assche
2013-06-24 19:19 ` James Bottomley
2013-06-24 20:04 ` Mike Christie
2013-06-24 22:27 ` James Bottomley
2013-06-25 2:26 ` Mike Christie
2013-06-25 2:56 ` Michael Christie
2013-06-25 9:01 ` Bart Van Assche
2013-06-25 13:45 ` James Bottomley
2013-06-25 15:31 ` Bart Van Assche
2013-06-25 16:13 ` Michael Christie
2013-06-25 17:40 ` James Bottomley
2013-06-25 17:47 ` Bart Van Assche
2014-01-30 19:46 ` Bart Van Assche
2014-01-31 5:58 ` James Bottomley
2014-01-31 7:52 ` Bart Van Assche
2013-06-25 11:13 ` Bart Van Assche
2013-06-12 12:56 ` PATCH v11 7/9] Avoid that scsi_device_set_state() triggers a race Bart Van Assche
2013-06-12 12:57 ` [PATCH v11 8/9] Save and restore host_scribble during error handling Bart Van Assche
2013-06-24 1:21 ` Mike Christie
2013-06-24 2:08 ` James Bottomley
2013-06-12 12:58 ` [PATCH v11 9/9] Avoid reenabling I/O after the transport became offline Bart Van Assche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C870CE.4020900@acm.org \
--to=bvanassche@acm.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=chanho.min@lge.com \
--cc=dmilburn@redhat.com \
--cc=hare@suse.de \
--cc=jdl1291@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=michaelc@cs.wisc.edu \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).