stable.vger.kernel.org archive mirror
From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Stanislaw Gruszka <sgruszka@redhat.com>,
	Tejun Heo <tj@kernel.org>, Jens Axboe <axboe@kernel.dk>
Subject: [ 31/38] block: fix __blkdev_get and add_disk race condition
Date: Fri, 16 Mar 2012 16:35:18 -0700
Message-ID: <20120316233450.043884482@linuxfoundation.org>
In-Reply-To: <20120316233422.GA5461@kroah.com>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka <sgruszka@redhat.com>

commit 9f53d2fe815b4011ff930a7b6db98385d45faa68 upstream.

The following situation might occur:

__blkdev_get:			add_disk:

				register_disk()
get_gendisk()

disk_block_events()
	disk->ev == NULL

				disk_add_events()

__disk_unblock_events()
	disk->ev != NULL
	--ev->block

Then we unblock events when they are supposed to be blocked. This can
trigger events-related block/genhd.c warnings, but can also crash in
sd_check_events() or other places.

I'm able to reproduce crashes with the following scripts (with
connected usb dongle as sdb disk).

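<snip>
# Disk under test and the USB configuration attribute used to
# unconfigure/reconfigure the device it sits on.
DEV=/dev/sdb
ENABLE=/sys/bus/usb/devices/1-2/bConfigurationValue

# Kill the background fdisk loops before exiting.
function stop_me()
{
	for i in $(jobs -p) ; do kill $i 2> /dev/null ; done
	exit
}

trap stop_me SIGHUP SIGINT SIGTERM

# Ten parallel loops that keep opening the block device.
for ((i = 0; i < 10; i++)) ; do
	while true; do fdisk -l $DEV > /dev/null 2>&1 ; done &
done

# Keep configuring and unconfiguring the USB device, so the disk is
# added and removed while the loops above open it.
while true ; do
	echo 1 > $ENABLE
	sleep 1
	echo 0 > $ENABLE
done
</snip>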

I use the script to verify the patch fixing the oops in sd_revalidate_disk
http://marc.info/?l=linux-scsi&m=132935572512352&w=2
Without Jun'ichi Nomura's patch titled "Fix NULL pointer dereference in
sd_revalidate_disk" or this one, the script easily crashes the kernel within
a few seconds. With both patches applied I do not observe a crash.
Unfortunately after some time (dozen of minutes), the script will hang in:

[ 1563.906432]  [<c08354f5>] schedule_timeout_uninterruptible+0x15/0x20
[ 1563.906437]  [<c04532d5>] msleep+0x15/0x20
[ 1563.906443]  [<c05d60b2>] blk_drain_queue+0x32/0xd0
[ 1563.906447]  [<c05d6e00>] blk_cleanup_queue+0xd0/0x170
[ 1563.906454]  [<c06d278f>] scsi_free_queue+0x3f/0x60
[ 1563.906459]  [<c06d7e6e>] __scsi_remove_device+0x6e/0xb0
[ 1563.906463]  [<c06d4aff>] scsi_forget_host+0x4f/0x60
[ 1563.906468]  [<c06cd84a>] scsi_remove_host+0x5a/0xf0
[ 1563.906482]  [<f7f030fb>] quiesce_and_remove_host+0x5b/0xa0 [usb_storage]
[ 1563.906490]  [<f7f03203>] usb_stor_disconnect+0x13/0x20 [usb_storage]

Anyway I think this patch is some step forward.

As a drawback, I do not tear down on sysfs file create error, because I do
not know how to nullify disk->ev (since it can be used). However add_disk
error handling practically does not exist too, and things will work
without this sysfs file, except events will not be exported to user
space.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/genhd.c |   32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

--- a/block/genhd.c
+++ b/block/genhd.c
@@ -36,6 +36,7 @@ static DEFINE_IDR(ext_devt_idr);
 
 static struct device_type disk_type;
 
+static void disk_alloc_events(struct gendisk *disk);
 static void disk_add_events(struct gendisk *disk);
 static void disk_del_events(struct gendisk *disk);
 static void disk_release_events(struct gendisk *disk);
@@ -602,6 +603,8 @@ void add_disk(struct gendisk *disk)
 	disk->major = MAJOR(devt);
 	disk->first_minor = MINOR(devt);
 
+	disk_alloc_events(disk);
+
 	/* Register BDI before referencing it from bdev */ 
 	bdi = &disk->queue->backing_dev_info;
 	bdi_register_dev(bdi, disk_devt(disk));
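
Review bot: The new disk_alloc_events(disk) call in add_disk() has no comment explaining why it sits this early while disk_add_events() stays later. The ordering is the whole fix: per the changelog, disk->ev has to be set before register_disk() makes the disk reachable through get_gendisk(), so that disk_block_events() and __disk_unblock_events() see the same disk->ev. A short comment at the call site, in the style of the "Register BDI before referencing it from bdev" comment just below, would keep a later cleanup from moving the call back after registration.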
@@ -1740,9 +1743,9 @@ module_param_cb(events_dfl_poll_msecs, &
 		&disk_events_dfl_poll_msecs, 0644);
 
 /*
- * disk_{add|del|release}_events - initialize and destroy disk_events.
+ * disk_{alloc|add|del|release}_events - initialize and destroy disk_events.
  */
-static void disk_add_events(struct gendisk *disk)
+static void disk_alloc_events(struct gendisk *disk)
 {
 	struct disk_events *ev;
 
@@ -1755,16 +1758,6 @@ static void disk_add_events(struct gendi
 		return;
 	}
 
-	if (sysfs_create_files(&disk_to_dev(disk)->kobj,
-			       disk_events_attrs) < 0) {
-		pr_warn("%s: failed to create sysfs files for events\n",
-			disk->disk_name);
-		kfree(ev);
-		return;
-	}
-
-	disk->ev = ev;
-
 	INIT_LIST_HEAD(&ev->node);
 	ev->disk = disk;
 	spin_lock_init(&ev->lock);
@@ -1773,8 +1766,21 @@ static void disk_add_events(struct gendi
 	ev->poll_msecs = -1;
 	INIT_DELAYED_WORK(&ev->dwork, disk_events_workfn);
 
+	disk->ev = ev;
+}
+
+static void disk_add_events(struct gendisk *disk)
+{
+	if (!disk->ev)
+		return;
+
+	/* FIXME: error handling */
+	if (sysfs_create_files(&disk_to_dev(disk)->kobj, disk_events_attrs) < 0)
+		pr_warn("%s: failed to create sysfs files for events\n",
+			disk->disk_name);
+
 	mutex_lock(&disk_events_mutex);
-	list_add_tail(&ev->node, &disk_events);
+	list_add_tail(&disk->ev->node, &disk_events);
 	mutex_unlock(&disk_events_mutex);
 
 	/*
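
Review bot: In the new disk_add_events(), a sysfs_create_files() failure is only reported with pr_warn() and the function carries on to list_add_tail(), yet the "/* FIXME: error handling */" comment does not say what is missing or why. Suggest putting the changelog's reasoning into that comment: disk->ev cannot be cleared at this point because it may already be in use, and the effect of the failure is that events are not exported to user space. It is also worth confirming that the teardown side copes with attribute files that were never created, which these lines do not show.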


