From: Al Viro <viro@zeniv.linux.org.uk>
To: wu000273@umn.edu
Cc: hubcap@omnibond.com, martin@omnibond.com,
devel@lists.orangefs.org, linux-kernel@vger.kernel.org,
kjlu@umn.edu
Subject: Re: [PATCH 2/2] orangefs: fix double-unlock issue in service_operation().
Date: Sat, 23 May 2020 06:41:17 +0100
Message-ID: <20200523054117.GY23230@ZenIV.linux.org.uk>
In-Reply-To: <20200523043551.9756-1-wu000273@umn.edu>
On Fri, May 22, 2020 at 11:35:51PM -0500, wu000273@umn.edu wrote:
> From: Qiushi Wu <wu000273@umn.edu>
>
> spin_unlock(&op->lock) is called before calling wake_up_interruptible().
> But spin_unlock() was called again after a call of the function
> "wait_for_matching_downcall" failed.
Yes, it was.
> Fix this issue by removing
> the second spin_unlock().
Why is that a bug? That's not an idle question - you could demonstrate
that if you had reproduced an unbalanced unlock experimentally, or you
could've proven it possible by analysis of the source.
The former ought to be clearly reported; the latter... AFAICS, your
reasoning is
1) at the time of wait_for_matching_downcall() call the spinlock
is not being held, since we'd unlocked it upstream of that call and had
done nothing that could have reacquired it.
2) after the return from that function we are doing unlock.
That is a bug, because one should not unlock a spinlock that is not
locked.
The gap in that proof is the unverified assumption that the locking
conditions upon return from wait_for_matching_downcall() are the same
as upon its call. IF that assumption holds, there is, indeed, a bug.
Now, a look at the function in question shows
* a comment right before it claiming that it
" * Returns with op->lock taken.". Which might or might not be correct.
* one of the wait_for_completion...() variants is called; that clearly
indicates that no spinlocks should be held upon entry.
* unconditional spin_lock(&op->lock); right after that.
* several predicates checked, apparently some debugging
output possibly produced and a value returned. The predicates
(op_state_serviced(), op_state_purged()) are clearly locking-neutral -
grep shows
fs/orangefs/orangefs-kernel.h:154:#define op_state_serviced(op) ((op)->op_state & OP_VFS_STATE_SERVICED)
fs/orangefs/orangefs-kernel.h:155:#define op_state_purged(op) ((op)->op_state & OP_VFS_STATE_PURGED)
so it's plain arithmetic. The same, of course, applies to
comparisons.
In other words, the function *does* acquire that spinlock and
does not release it, regardless of the value it returns. Which
means that your patch would very likely cause deadlocks.
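The argument above can be checked mechanically. What follows is an added, single-threaded C mock written for this page; it is not orangefs code and not part of the thread. It models op->lock as a held flag (so a self-deadlock or an unbalanced unlock is reported instead of hanging), gives wait_for_matching_downcall_mock() the shape described above (no lock on entry, unconditional lock, returns with the lock held on every path), and compares the caller before and after the proposed patch. The OP_VFS_STATE_* values, all *_mock names and the op state used as input are hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* Added example, not orangefs code: the "lock" is a held flag so that
 * re-taking a held lock (a spinlock self-deadlock) or unlocking an
 * unheld one is reported rather than hanging or crashing. */
struct op {
    int held;          /* 1 while op->lock is held, 0 otherwise */
    int bad_unlocks;   /* unlock calls made while the lock was not held */
    unsigned op_state; /* OP_VFS_STATE_* bits; values below are assumed */
};

#define OP_VFS_STATE_SERVICED 1u
#define OP_VFS_STATE_PURGED   2u
/* same shape as the macros grep found: plain arithmetic, locking-neutral */
#define op_state_serviced(op) ((op)->op_state & OP_VFS_STATE_SERVICED)
#define op_state_purged(op)   ((op)->op_state & OP_VFS_STATE_PURGED)

static int spin_lock_mock(struct op *op)
{
    if (op->held)
        return -EDEADLK;    /* a real non-recursive spinlock would spin forever */
    op->held = 1;
    return 0;
}

static int spin_unlock_mock(struct op *op)
{
    if (!op->held) {
        op->bad_unlocks++;  /* the unbalanced unlock the patch claims exists */
        return -EINVAL;
    }
    op->held = 0;
    return 0;
}

/* Shape of wait_for_matching_downcall() as read above: entered with
 * op->lock NOT held (it sleeps), takes the lock unconditionally, and
 * returns with it held whatever the return value. */
static int wait_for_matching_downcall_mock(struct op *op)
{
    /* wait_for_completion_...() would sleep here; no lock may be held */
    spin_lock_mock(op);
    if (op_state_serviced(op))
        return 0;
    if (op_state_purged(op))
        return -EAGAIN;
    return -ETIMEDOUT;
}

/* Caller before the patch: the unlock after a failed wait pairs with the
 * lock the callee took, so the lock is released on every path. */
static int service_operation_before_patch(struct op *op)
{
    int ret;

    spin_lock_mock(op);
    /* ... op queued here ... */
    spin_unlock_mock(op);       /* dropped before wake_up_interruptible() */
    ret = wait_for_matching_downcall_mock(op);
    if (ret < 0) {
        spin_unlock_mock(op);   /* the unlock the patch removes */
        return ret;
    }
    spin_unlock_mock(op);       /* success path: assumed to release it as well */
    return 0;
}

/* Caller with the patch applied: the failure path returns with the lock
 * the callee took still held. */
static int service_operation_after_patch(struct op *op)
{
    int ret;

    spin_lock_mock(op);
    spin_unlock_mock(op);
    ret = wait_for_matching_downcall_mock(op);
    if (ret < 0)
        return ret;             /* no unlock: lock leaked */
    spin_unlock_mock(op);
    return 0;
}

/* Run one caller on a purged op (constructed input) and report whether the
 * next lock attempt would deadlock: 1 if the lock leaked, 0 if balanced,
 * negative if the mock took an unexpected path. */
static int leaks_lock(int (*caller)(struct op *))
{
    struct op op = { .held = 0, .bad_unlocks = 0, .op_state = OP_VFS_STATE_PURGED };

    if (caller(&op) != -EAGAIN)
        return -1;
    if (op.bad_unlocks)
        return -2;              /* an unbalanced unlock actually happened */
    return spin_lock_mock(&op) == -EDEADLK;
}

int main(void)
{
    printf("before patch leaks op->lock: %d\n", leaks_lock(service_operation_before_patch));
    printf("after patch  leaks op->lock: %d\n", leaks_lock(service_operation_after_patch));
    return 0;
}
```

With the callee keeping the lock on every return, the pre-patch caller finishes balanced (no bad unlock is ever counted, so the "double unlock" never occurs), while the patched caller leaves op->lock held and the next lock attempt on that op would deadlock. Replacing the mock with the real functions and a lockdep-enabled kernel is the experimental form of the same check.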