From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Bart Van Assche <bart.vanassche@wdc.com>,
Mike Christie <mchristi@redhat.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.14 37/87] scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
Date: Mon, 17 Sep 2018 03:02:47 +0000 [thread overview]
Message-ID: <20180917030220.245686-37-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180917030220.245686-1-alexander.levin@microsoft.com>
From: Bart Van Assche <bart.vanassche@wdc.com>
[ Upstream commit 36d4cb460bcbe2a1323732a6e4bb9dd783284368 ]
The approach for adding a device to the devices_idr data structure and for
removing it is as follows:
* &dev->dev_group.cg_item is initialized before a device is added to
devices_idr.
* If the reference count of a device drops to zero then
target_free_device() removes the device from devices_idr.
* All devices_idr manipulations are protected by device_mutex.
This means that increasing the reference count of a device is sufficient to
prevent removal from devices_idr and also that it is safe access
dev_group.cg_item for any device that is referenced by devices_idr. Use
this to modify target_find_device() and target_for_each_device() such that
these functions no longer introduce a dependency between device_mutex and
the configfs root inode mutex.
Note: it is safe to pass a NULL pointer to config_item_put() and also to
config_item_get_unless_zero().
This patch prevents that lockdep reports the following complaint:
======================================================
WARNING: possible circular locking dependency detected
4.12.0-rc1-dbg+ #1 Not tainted
------------------------------------------------------
rmdir/12053 is trying to acquire lock:
(device_mutex#2){+.+.+.}, at: [<ffffffffa010afce>]
target_free_device+0xae/0xf0 [target_core_mod]
but task is already holding lock:
(&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c5c30>]
vfs_rmdir+0x50/0x140
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&sb->s_type->i_mutex_key#14){++++++}:
lock_acquire+0x59/0x80
down_write+0x36/0x70
configfs_depend_item+0x3a/0xb0 [configfs]
target_depend_item+0x13/0x20 [target_core_mod]
target_xcopy_locate_se_dev_e4_iter+0x87/0x100 [target_core_mod]
target_devices_idr_iter+0x16/0x20 [target_core_mod]
idr_for_each+0x39/0xc0
target_for_each_device+0x36/0x50 [target_core_mod]
target_xcopy_locate_se_dev_e4+0x28/0x80 [target_core_mod]
target_xcopy_do_work+0x2e9/0xdd0 [target_core_mod]
process_one_work+0x1ca/0x3f0
worker_thread+0x49/0x3b0
kthread+0x109/0x140
ret_from_fork+0x31/0x40
-> #0 (device_mutex#2){+.+.+.}:
__lock_acquire+0x101f/0x11d0
lock_acquire+0x59/0x80
__mutex_lock+0x7e/0x950
mutex_lock_nested+0x16/0x20
target_free_device+0xae/0xf0 [target_core_mod]
target_core_dev_release+0x10/0x20 [target_core_mod]
config_item_put+0x6e/0xb0 [configfs]
configfs_rmdir+0x1a6/0x300 [configfs]
vfs_rmdir+0xb7/0x140
do_rmdir+0x1f4/0x200
SyS_rmdir+0x11/0x20
entry_SYSCALL_64_fastpath+0x23/0xc2
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&sb->s_type->i_mutex_key#14);
lock(device_mutex#2);
lock(&sb->s_type->i_mutex_key#14);
lock(device_mutex#2);
*** DEADLOCK ***
3 locks held by rmdir/12053:
#0: (sb_writers#10){.+.+.+}, at: [<ffffffff811e223f>]
mnt_want_write+0x1f/0x50
#1: (&sb->s_type->i_mutex_key#14/1){+.+.+.}, at: [<ffffffff811cb97e>]
do_rmdir+0x15e/0x200
#2: (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c5c30>]
vfs_rmdir+0x50/0x140
stack backtrace:
CPU: 3 PID: 12053 Comm: rmdir Not tainted 4.12.0-rc1-dbg+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0x86/0xcf
print_circular_bug+0x1c7/0x220
__lock_acquire+0x101f/0x11d0
lock_acquire+0x59/0x80
__mutex_lock+0x7e/0x950
mutex_lock_nested+0x16/0x20
target_free_device+0xae/0xf0 [target_core_mod]
target_core_dev_release+0x10/0x20 [target_core_mod]
config_item_put+0x6e/0xb0 [configfs]
configfs_rmdir+0x1a6/0x300 [configfs]
vfs_rmdir+0xb7/0x140
do_rmdir+0x1f4/0x200
SyS_rmdir+0x11/0x20
entry_SYSCALL_64_fastpath+0x23/0xc2
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
[Rebased to handle conflict withe target_find_device removal]
Signed-off-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/target/target_core_device.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index e8dd6da164b2..84742125f773 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -904,14 +904,20 @@ struct se_device *target_find_device(int id, bool do_depend)
EXPORT_SYMBOL(target_find_device);
struct devices_idr_iter {
+ struct config_item *prev_item;
int (*fn)(struct se_device *dev, void *data);
void *data;
};
static int target_devices_idr_iter(int id, void *p, void *data)
+ __must_hold(&device_mutex)
{
struct devices_idr_iter *iter = data;
struct se_device *dev = p;
+ int ret;
+
+ config_item_put(iter->prev_item);
+ iter->prev_item = NULL;
/*
* We add the device early to the idr, so it can be used
@@ -922,7 +928,15 @@ static int target_devices_idr_iter(int id, void *p, void *data)
if (!(dev->dev_flags & DF_CONFIGURED))
return 0;
- return iter->fn(dev, iter->data);
+ iter->prev_item = config_item_get_unless_zero(&dev->dev_group.cg_item);
+ if (!iter->prev_item)
+ return 0;
+ mutex_unlock(&device_mutex);
+
+ ret = iter->fn(dev, iter->data);
+
+ mutex_lock(&device_mutex);
+ return ret;
}
/**
@@ -936,15 +950,13 @@ static int target_devices_idr_iter(int id, void *p, void *data)
int target_for_each_device(int (*fn)(struct se_device *dev, void *data),
void *data)
{
- struct devices_idr_iter iter;
+ struct devices_idr_iter iter = { .fn = fn, .data = data };
int ret;
- iter.fn = fn;
- iter.data = data;
-
mutex_lock(&device_mutex);
ret = idr_for_each(&devices_idr, target_devices_idr_iter, &iter);
mutex_unlock(&device_mutex);
+ config_item_put(iter.prev_item);
return ret;
}
--
2.17.1
next prev parent reply other threads:[~2018-09-17 3:23 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-17 3:02 [PATCH AUTOSEL 4.14 01/87] crypto: skcipher - Fix -Wstringop-truncation warnings Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 02/87] iio: adc: ina2xx: avoid kthread_stop() with stale task_struct Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 04/87] vmci: type promotion bug in qp_host_get_user_memory() Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 03/87] tsl2550: fix lux1_input error in low light Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 05/87] x86/numa_emulation: Fix emulated-to-physical node mapping Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 07/87] power: supply: axp288_charger: Fix initial constant_charge_current value Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 06/87] staging: rts5208: fix missing error check on call to rtsx_write_register Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 08/87] misc: sram: enable clock before registering regions Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 09/87] serial: sh-sci: Stop RX FIFO timer during port shutdown Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 11/87] power: vexpress: fix corruption in notifier registration Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 10/87] uwb: hwa-rc: fix memory leak at probe Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 12/87] iommu/amd: make sure TLB to be flushed before IOVA freed Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 13/87] Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 15/87] 6lowpan: iphc: reset mac_header after decompress to fix panic Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 14/87] USB: serial: kobil_sct: fix modem-status error handling Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 16/87] iommu/msm: Don't call iommu_device_{,un}link from atomic context Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 18/87] power: remove possible deadlock when unregistering power_supply Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 17/87] s390/mm: correct allocate_pgste proc_handler callback Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 19/87] md-cluster: clear another node's suspend_area after the copy is finished Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 20/87] RDMA/bnxt_re: Fix a couple off by one bugs Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 22/87] arm64: fix infinite stacktrace Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 21/87] RDMA/i40w: Hold read semaphore while looking after VMA Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 23/87] IB/core: type promotion bug in rdma_rw_init_one_mr() Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 25/87] IB/mlx4: Test port number before querying type Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 24/87] media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 26/87] powerpc/kdump: Handle crashkernel memory reservation failure Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 27/87] media: fsl-viu: fix error handling in viu_of_probe() Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 28/87] media: staging/imx: fill vb2_v4l2_buffer field entry Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 29/87] media: sta2x11: Add video_device and vb2_queue locks Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 30/87] x86/tsc: Add missing header to tsc_msr.c Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 31/87] ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 33/87] ARM: dts: ls1021a: Add missing cooling device properties for CPUs Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 32/87] x86/entry/64: Add two more instruction suffixes Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 34/87] scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 35/87] scsi: klist: Make it safe to use klists in atomic context Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 36/87] scsi: ibmvscsi: Improve strings handling Sasha Levin
2018-09-17 3:02 ` Sasha Levin [this message]
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 38/87] usb: wusbcore: security: cast sizeof to int for comparison Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 39/87] ath10k: sdio: use same endpoint id for all packets in a bundle Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 41/87] powerpc/powernv/ioda2: Reduce upper limit for DMA window size Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 40/87] ath10k: sdio: set skb len for all rx packets Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 42/87] s390/sysinfo: add missing #ifdef CONFIG_PROC_FS Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 43/87] alarmtimer: Prevent overflow for relative nanosleep Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 45/87] s390/scm_blk: correct numa_node in scm_blk_dev_setup Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 44/87] s390/dasd: correct numa_node in dasd_alloc_queue Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 46/87] s390/extmem: fix gcc 8 stringop-overflow warning Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 47/87] mtd: rawnand: atmel: add module param to avoid using dma Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 48/87] iio: accel: adxl345: convert address field usage in iio_chan_spec Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 49/87] posix-timers: Make forward callback return s64 Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 50/87] posix-timers: Sanitize overrun handling Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 51/87] ALSA: snd-aoa: add of_node_put() in error path Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 52/87] nfp: fail probe if serial or interface id is missing Sasha Levin
2018-09-17 14:03 ` Jakub Kicinski
2018-09-27 19:50 ` Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 53/87] media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 54/87] media: soc_camera: ov772x: correct setting of banding filter Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 55/87] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data Sasha Levin
2018-09-17 3:02 ` [PATCH AUTOSEL 4.14 56/87] staging: android: ashmem: Fix mmap size validation Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 57/87] drivers/tty: add error handling for pcmcia_loop_config Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 58/87] media: tm6000: add error handling for dvb_register_adapter Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 59/87] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 60/87] net: phy: xgmiitorgmii: Check read_status results Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 61/87] ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 62/87] net: phy: xgmiitorgmii: Check phy_driver ready before accessing Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 63/87] drm/sun4i: Fix releasing node when enumerating enpoints Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 64/87] ath10k: transmit queued frames after processing rx packets Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 65/87] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 67/87] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 66/87] brcmsmac: fix wrap around in conversion from constant to s16 Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 69/87] arm: dts: mediatek: Add missing cooling device properties for CPUs Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 68/87] ARM: mvebu: declare asm symbols as character arrays in pmsu.c Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 71/87] MIPS: boot: fix build rule of vmlinux.its.S Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 70/87] HID: hid-ntrig: add error handling for sysfs_create_group Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 72/87] perf/x86/intel/lbr: Fix incomplete LBR call stack Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 73/87] scsi: bnx2i: add error handling for ioremap_nocache Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 75/87] audit: Fix extended comparison of GID/EGID Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 74/87] iomap: complete partial direct I/O writes synchronously Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 77/87] EDAC, i7core: Fix memleaks and use-after-free on probe and remove Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 76/87] scsi: megaraid_sas: Update controller info during resume Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 78/87] ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 80/87] gpio: Fix wrong rounding in gpio-menz127 Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 79/87] module: exclude SHN_UNDEF symbols from kallsyms api Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 81/87] nfsd: fix corrupted reply to badly ordered compound Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 82/87] EDAC: Fix memleak in module init error path Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 83/87] fs/lock: skip lock owner pid translation in case we are in init_pid_ns Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 84/87] Input: xen-kbdfront - fix multi-touch XenStore node's locations Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 85/87] iio: 104-quad-8: Fix off-by-one error in register selection Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 86/87] ARM: dts: dra7: fix DCAN node addresses Sasha Levin
2018-09-17 3:03 ` [PATCH AUTOSEL 4.14 87/87] PCI: Whitelist Thunderbolt ports for runtime D3 Sasha Levin
2018-09-17 8:25 ` Lukas Wunner
2018-09-27 19:43 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180917030220.245686-37-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=bart.vanassche@wdc.com \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mchristi@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox