Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl

From: Luis Chamberlain
Date: Wed Apr 15 2020 - 21:18:08 EST

Next message: Zenghui Yu: "Re: [PATCH 2/2] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()"
Previous message: Brian Geffon: "Re: Userfaultfd doesn't seem to break out of poll on fd close"
In reply to: Bart Van Assche: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Next in thread: Ming Lei: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 15, 2020 at 07:45:18AM -0700, Bart Van Assche wrote:
> On 2020-04-14 23:16, Luis Chamberlain wrote:
> > On Tue, Apr 14, 2020 at 08:40:44AM -0700, Christoph Hellwig wrote:
> >> Hmm, where exactly does the race come in so that it can only happen
> >> after where you take the reference, but not before it? I'm probably
> >> missing something, but that just means it needs to be explained a little
> >> better :)
> >
> >>From the trace on patch 2/5:
> >
> > BLKTRACE_SETUP(loop0) #2
> > [ 13.933961] == blk_trace_ioctl(2, BLKTRACESETUP) start
> > [ 13.936758] === do_blk_trace_setup(2) start
> > [ 13.938944] === do_blk_trace_setup(2) creating directory
> > [ 13.941029] === do_blk_trace_setup(2) using what debugfs_lookup() gave
> >
> > ---> From LOOP_CTL_DEL(loop0) #2
> > [ 13.971046] === blk_trace_cleanup(7) end
> > [ 13.973175] == __blk_trace_remove(7) end
> > [ 13.975352] == blk_trace_shutdown(7) end
> > [ 13.977415] = __blk_release_queue(7) calling blk_mq_debugfs_unregister()
> > [ 13.980645] ==== blk_mq_debugfs_unregister(7) begin
> > [ 13.980696] ==== blk_mq_debugfs_unregister(7) debugfs_remove_recursive(q->debugfs_dir)
> > [ 13.983118] ==== blk_mq_debugfs_unregister(7) end q->debugfs_dir is NULL
> > [ 13.986945] = __blk_release_queue(7) blk_mq_debugfs_unregister() end
> > [ 13.993155] = __blk_release_queue(7) end
> >
> > ---> From BLKTRACE_SETUP(loop0) #2
> > [ 13.995928] === do_blk_trace_setup(2) end with ret: 0
> > [ 13.997623] == blk_trace_ioctl(2, BLKTRACESETUP) end
> >
> > The BLKTRACESETUP above works on request_queue which later
> > LOOP_CTL_DEL races on and sweeps the debugfs dir underneath us.
> > If you use this commit alone though, this doesn't fix the race issue
> > however, and that's because of both still the debugfs_lookup() use
> > and that we're still using asynchronous removal at this point.
> >
> > refcounting will just ensure we don't take the request_queue underneath
> > our noses.
>
> I think the above trace reveals a bug in the loop driver. The loop
> driver shouldn't allow the associated request queue to disappear while
> the loop device is open.

The bug was *not* in the driver, the bug was in that deferal of removal
was allowed to be asynchronous, therefore the removal from a userspace
perspective *finishes*, but its not actually really done. Back when
the removal was synchronous, the loop driver waited on cleanup, and
didn't return to userspace until it was really removed.

This is why I annotated that the move to asynch removal turns out to
actually be a userspace API regression.

> One may want to have a look at sd_open() in the
> sd driver. The scsi_disk_get() call in that function not only increases
> the reference count of the SCSI disk but also of the underlying SCSI device.

Are you saying to use this as a template for what a driver should do or
do you suspect there is a bug there? Not sure what you mean here.

Luis

Next message: Zenghui Yu: "Re: [PATCH 2/2] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()"
Previous message: Brian Geffon: "Re: Userfaultfd doesn't seem to break out of poll on fd close"
In reply to: Bart Van Assche: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Next in thread: Ming Lei: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]