From: Wu Fengguang <fengguang.wu@intel.com>
To: Chanho Min <chanho.min@lge.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"'Jens Axboe'" <axboe@kernel.dk>,
"'Andrew Morton'" <akpm@linux-foundation.org>,
Rabin Vincent <rabin.vincent@stericsson.com>,
Linus Walleij <linus.walleij@linaro.org>
Subject: Re: [PATCH] mm/backing-dev.c: fix crash when USB/SCSI device is detached
Date: Tue, 3 Jan 2012 12:49:33 +0800 [thread overview]
Message-ID: <20120103044933.GA31778@localhost> (raw)
In-Reply-To: <002e01ccc9c7$1928c940$4b7a5bc0$@min@lge.com>
On Tue, Jan 03, 2012 at 12:23:44PM +0900, Chanho Min wrote:
> >On Mon, Jan 02, 2012 at 06:38:21PM +0900, ����ȣ wrote:
> >> from Chanho Min <chanho.min@lge.com>
> >>
> >> System may crash in backing-dev.c when removal SCSI device is detached.
> >> bdi task is killed by bdi_unregister()/'khubd', but task's point remains.
> >> Shortly afterward, If 'wb->wakeup_timer' is expired before
> >> del_timer()/bdi_forker_thread,
> >> wakeup_timer_fn() may wake up the dead thread which cause the crash.
> >> 'bdi->wb.task' should be NULL as this patch.
> >
> >Is it some race condition between del_timer() and del_timer_sync()?
> >
> >bdi_unregister() calls
> >
> > del_timer_sync
> > bdi_wb_shutdown
> > kthread_stop
> >
> >in turn, and del_timer_sync() should guarantee wakeup_timer_fn() is
> >no longer called to access the stopped task.
> >
>
> It is not race condition. This happens when USB is removed during write-access.
> bdi_wakeup_thread_delayed is called after kthread_stop, and timer is activated again.
>
> bdi_unregister
> kthread_stop
> bdi_wakeup_thread_delayed (sys_write mostly calls this)
> timer fires
Ah OK, the timer could be restarted in the mean while, which breaks
the synchronization rule in del_timer_sync().
I noticed a related fix is merged recently, does your test kernel
contain this commit?
commit 7a401a972df8e184b3d1a3fc958c0a4ddee8d312
Author: Rabin Vincent <rabin.vincent@stericsson.com>
Date: Fri Nov 11 13:29:04 2011 +0100
backing-dev: ensure wakeup_timer is deleted
> Anyway,Is this safeguard to prevent from waking up killed thread?
This patch makes no guarantee wakeup_timer_fn() will see NULL
bdi->wb.task before the task is stopped, so there is still race
conditions. And still, the complete fix would be to prevent
wakeup_timer_fn() from being called at all.
Thanks,
Fengguang
> >> Signed-off-by: Chanho Min <chanho.min@lge.com>
> >> ---
> >> mm/backing-dev.c | 1 +
> >> 1 files changed, 1 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/mm/backing-dev.c b/mm/backing-dev.c
> >> index 71034f4..4378a5e 100644
> >> --- a/mm/backing-dev.c
> >> +++ b/mm/backing-dev.c
> >> @@ -607,6 +607,7 @@ static void bdi_wb_shutdown(struct backing_dev_info
> >> *bdi)
> >> if (bdi->wb.task) {
> >> thaw_process(bdi->wb.task);
> >> kthread_stop(bdi->wb.task);
> >> + bdi->wb.task = NULL;
> >> }
> >> }
> >>
> >> --
> >> 1.7.0.4
next prev parent reply other threads:[~2012-01-03 4:49 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <004401ccc932$444a0070$ccde0150$@min@lge.com>
2012-01-02 9:57 ` [PATCH] mm/backing-dev.c: fix crash when USB/SCSI device is detached Wu Fengguang
[not found] ` <002e01ccc9c7$1928c940$4b7a5bc0$@min@lge.com>
2012-01-03 4:49 ` Wu Fengguang [this message]
2012-01-05 8:49 Chanho Min
2012-01-15 10:28 ` Rabin Vincent
2012-01-15 12:58 ` Wu Fengguang
2012-01-15 15:41 ` Rabin Vincent
2012-01-16 2:53 ` Wu Fengguang
2012-01-16 5:28 ` Chanho Min
2012-01-16 5:50 ` Wu Fengguang
2012-01-16 5:53 ` Wu Fengguang
2012-01-16 6:34 ` Chanho Min
2012-01-18 19:43 ` Rabin Vincent
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120103044933.GA31778@localhost \
--to=fengguang.wu@intel.com \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=chanho.min@lge.com \
--cc=linus.walleij@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=rabin.vincent@stericsson.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).