LKML Archive on lore.kernel.org
From: Greg KH <greg@kroah.com>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
suparna@in.ibm.com, zach.brown@oracle.com, jmoyer@redhat.com,
bcrl@kvack.org, pbadari@us.ibm.com, kenchen@google.com
Subject: [patch 08/21] aio: fix buggy put_ioctx call in aio_complete - v2
Date: Tue, 20 Feb 2007 17:37:27 -0800
Message-ID: <20070221013727.GI30227@kroah.com>
In-Reply-To: <20070221013619.GA30227@kroah.com>
[-- Attachment #1: aio-fix-buggy-put_ioctx-call-in-aio_complete-v2.patch --]
[-- Type: text/plain, Size: 4976 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: "Ken Chen" <kenchen@google.com>
An AIO bug was reported where a sleeping function is being called in softirq
context:
BUG: warning at kernel/mutex.c:132/__mutex_lock_common()
Call Trace:
[<a000000100577b00>] __mutex_lock_slowpath+0x640/0x6c0
[<a000000100577ba0>] mutex_lock+0x20/0x40
[<a0000001000a25b0>] flush_workqueue+0xb0/0x1a0
[<a00000010018c0c0>] __put_ioctx+0xc0/0x240
[<a00000010018d470>] aio_complete+0x2f0/0x420
[<a00000010019cc80>] finished_one_bio+0x200/0x2a0
[<a00000010019d1c0>] dio_bio_complete+0x1c0/0x200
[<a00000010019d260>] dio_bio_end_aio+0x60/0x80
[<a00000010014acd0>] bio_endio+0x110/0x1c0
[<a0000001002770e0>] __end_that_request_first+0x180/0xba0
[<a000000100277b90>] end_that_request_chunk+0x30/0x60
[<a0000002073c0c70>] scsi_end_request+0x50/0x300 [scsi_mod]
[<a0000002073c1240>] scsi_io_completion+0x200/0x8a0 [scsi_mod]
[<a0000002074729b0>] sd_rw_intr+0x330/0x860 [sd_mod]
[<a0000002073b3ac0>] scsi_finish_command+0x100/0x1c0 [scsi_mod]
[<a0000002073c2910>] scsi_softirq_done+0x230/0x300 [scsi_mod]
[<a000000100277d20>] blk_done_softirq+0x160/0x1c0
[<a000000100083e00>] __do_softirq+0x200/0x240
[<a000000100083eb0>] do_softirq+0x70/0xc0
See report: http://marc.theaimsgroup.com/?l=linux-kernel&m=116599593200888&w=2
flush_workqueue() is not allowed to be called in softirq context.
However, aio_complete(), called from an I/O interrupt, can potentially call
put_ioctx with the last ref count on the ioctx and trigger the bug. It is simply
incorrect to perform ioctx freeing from aio_complete.
The bug is triggerable from a race between io_destroy() and aio_complete().
A possible scenario:
    cpu0                                  cpu1
    io_destroy                            aio_complete
      wait_for_all_aios {                   __aio_put_req
         ...                                   ctx->reqs_active--;
         if (!ctx->reqs_active)
            return;
      }
      ...
      put_ioctx(ioctx)
                                             put_ioctx(ctx);
                                                __put_ioctx
                                                   bam! Bug trigger!
The real problem is that the condition check of ctx->reqs_active in
wait_for_all_aios() is incorrect, in that access to reqs_active is not
properly protected by the spin lock.
This patch adds that protective spin lock, and at the same time removes
all duplicate ref counting for each kiocb, as reqs_active is already used
as a ref count for each active ioctx. This also ensures that the buggy call
to flush_workqueue() in softirq context is eliminated.
Signed-off-by: "Ken Chen" <kenchen@google.com>
Cc: Zach Brown <zach.brown@oracle.com>
Cc: Suparna Bhattacharya <suparna@in.ibm.com>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/aio.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
--- linux-2.6.19.4.orig/fs/aio.c
+++ linux-2.6.19.4/fs/aio.c
@@ -298,17 +298,23 @@ static void wait_for_all_aios(struct kio
struct task_struct *tsk = current;
DECLARE_WAITQUEUE(wait, tsk);
+ spin_lock_irq(&ctx->ctx_lock);
if (!ctx->reqs_active)
- return;
+ goto out;
add_wait_queue(&ctx->wait, &wait);
set_task_state(tsk, TASK_UNINTERRUPTIBLE);
while (ctx->reqs_active) {
+ spin_unlock_irq(&ctx->ctx_lock);
schedule();
set_task_state(tsk, TASK_UNINTERRUPTIBLE);
+ spin_lock_irq(&ctx->ctx_lock);
}
__set_task_state(tsk, TASK_RUNNING);
remove_wait_queue(&ctx->wait, &wait);
+
+out:
+ spin_unlock_irq(&ctx->ctx_lock);
}
/* wait_on_sync_kiocb:
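Review bot: The check of ctx->reqs_active under ctx_lock in this hunk is only sufficient because the completion side now decrements reqs_active and calls wake_up() inside the same lock; without that pairing io_destroy() could observe reqs_active == 0, fall through to put_ioctx() and free the ioctx while the completing CPU is still about to touch ctx->wait, so that dependency deserves a one-line comment above spin_lock_irq(&ctx->ctx_lock). Style point: the hand-rolled add_wait_queue()/set_task_state()/remove_wait_queue() sequence could be prepare_to_wait(&ctx->wait, &wait, TASK_UNINTERRUPTIBLE) in the loop and finish_wait(&ctx->wait, &wait) after it, which makes the second set_task_state() after schedule() unnecessary and is harder to get wrong when the lock is dropped around schedule(). The `goto out` path and the loop exit both reach out: with the lock held, so the single unlock there is correct.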
@@ -425,7 +431,6 @@ static struct kiocb fastcall *__aio_get_
ring = kmap_atomic(ctx->ring_info.ring_pages[0], KM_USER0);
if (ctx->reqs_active < aio_ring_avail(&ctx->ring_info, ring)) {
list_add(&req->ki_list, &ctx->active_reqs);
- get_ioctx(ctx);
ctx->reqs_active++;
okay = 1;
}
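Review bot: Removing get_ioctx() here changes the lifetime rule (a kiocb no longer pins its ioctx; only the reqs_active count, checked under ctx_lock in wait_for_all_aios(), keeps the ioctx alive until the request completes), and nothing in the hunk says so. A comment next to `ctx->reqs_active++;` stating that reqs_active, not a reference, is what keeps ctx alive until completion would stop the next reader from re-adding the reference. Every path that undoes this increment (request teardown on error, cancellation) should also be checked for a leftover put_ioctx(), since any survivor is now an unbalanced drop on a reference the kiocb never took.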
@@ -538,8 +543,6 @@ int fastcall aio_put_req(struct kiocb *r
spin_lock_irq(&ctx->ctx_lock);
ret = __aio_put_req(ctx, req);
spin_unlock_irq(&ctx->ctx_lock);
- if (ret)
- put_ioctx(ctx);
return ret;
}
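Review bot: With the `if (ret) put_ioctx(ctx);` pair gone, aio_put_req() still returns the result of __aio_put_req() although no caller in this patch uses it to drop a reference any more; the return value should either be documented as meaning only "last user reference to the kiocb dropped" or the function made void. More importantly this is the exported entry point, so any caller outside this file that mirrored the old pattern (put_ioctx() on a non-zero return) must be found and changed in the same patch, otherwise that caller drops a reference the kiocb no longer holds.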
@@ -795,8 +798,7 @@ static int __aio_run_iocbs(struct kioctx
*/
iocb->ki_users++; /* grab extra reference */
aio_run_iocb(iocb);
- if (__aio_put_req(ctx, iocb)) /* drop extra ref */
- put_ioctx(ctx);
+ __aio_put_req(ctx, iocb);
}
if (!list_empty(&ctx->run_list))
return 1;
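Review bot: The hunk keeps the `iocb->ki_users++; /* grab extra reference */` comment but loses its partner, so the bare `__aio_put_req(ctx, iocb);` now reads as an unexplained put; keep the `/* drop extra ref */` trailing comment on the new call. Ignoring the return value here is fine now that the only thing it used to drive was put_ioctx().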
@@ -1014,14 +1016,10 @@ put_rq:
/* everything turned out well, dispose of the aiocb. */
ret = __aio_put_req(ctx, iocb);
- spin_unlock_irqrestore(&ctx->ctx_lock, flags);
-
if (waitqueue_active(&ctx->wait))
wake_up(&ctx->wait);
- if (ret)
- put_ioctx(ctx);
-
+ spin_unlock_irqrestore(&ctx->ctx_lock, flags);
return ret;
}
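Review bot: Moving wake_up(&ctx->wait) before spin_unlock_irqrestore() is the part that actually closes the race with wait_for_all_aios(): the reqs_active decrement inside __aio_put_req() and the wakeup are now one critical section, so io_destroy() cannot see reqs_active == 0 and free the ioctx while this CPU still has to touch ctx->wait. The resulting nesting (ctx_lock, then the wait-queue lock inside wake_up()) matches the order wait_for_all_aios() uses for add_wait_queue()/remove_wait_queue() under ctx_lock, so no inversion is introduced, but a comment saying the wake_up must stay under the lock would stop someone "optimising" it back outside the critical section.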
--
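Worked example, added by the editor and not part of Ken Chen's patch or of fs/aio.c: a small C model that enumerates every interleaving of the io_destroy() and aio_complete() steps from the scenario above and checks the two properties the patch is about, namely that __put_ioctx() never runs from the completion (softirq) side and that the ioctx is never touched after it has been freed. The struct, the step functions and the three schemes (the 2.6.19 code with a per-kiocb ioctx reference, a naive fix that only removes that reference, and the patched scheme with the decrement and wake_up fused under ctx_lock) are the example's own simplifications, not kernel code; a step is atomic, so the lock's effect is modelled by making the completion side's locked region a single step.

```c
/*
 * Added example (not kernel code): exhaustive interleaving explorer for the
 * io_destroy() / aio_complete() race.  Two "CPUs" run short step lists over a
 * shared model of the ioctx; a step that models a ctx_lock-protected region
 * is one atomic step.  Names and the struct are hypothetical, not fs/aio.c.
 */
#include <stdbool.h>
#include <stdio.h>

struct ctx {
    int  reqs_active;       /* in-flight kiocbs */
    int  users;             /* ioctx reference count */
    bool freed;             /* __put_ioctx() ran */
    bool freed_in_softirq;  /* ... and it ran from aio_complete() (the reported BUG) */
    bool use_after_free;    /* ctx touched after it was freed */
};

typedef bool (*step_fn)(struct ctx *c);   /* false = cannot run yet (sleeping) */

static void touch(struct ctx *c) { if (c->freed) c->use_after_free = true; }

static void put_ioctx(struct ctx *c, bool softirq)
{
    touch(c);
    if (!c->freed && --c->users == 0) {
        c->freed = true;
        c->freed_in_softirq = softirq;
    }
}

/* io_destroy() side: wait_for_all_aios(), then drop the owner's reference */
static bool step_wait_check(struct ctx *c)
{
    touch(c);
    return c->reqs_active == 0;   /* otherwise sleep until the other CPU runs */
}
static bool step_destroy_put(struct ctx *c) { put_ioctx(c, false); return true; }

/* aio_complete() side as separate unlocked steps ... */
static bool step_complete_dec(struct ctx *c)  { touch(c); c->reqs_active--; return true; }
static bool step_complete_wake(struct ctx *c) { touch(c); return true; } /* wake_up(&ctx->wait) */
static bool step_complete_put(struct ctx *c)  { put_ioctx(c, true); return true; }
/* ... and as the patch does it: decrement and wake_up inside one ctx_lock region */
static bool step_complete_locked(struct ctx *c)
{
    return step_complete_dec(c) && step_complete_wake(c);
}

struct program { const step_fn *steps; int n; };

/* Depth-first enumeration of all interleavings of p0 and p1 from state st.
 * Returns true if some complete run violates an invariant. */
static bool explore(struct ctx st, const struct program *p0, int i0,
                    const struct program *p1, int i1)
{
    if (i0 == p0->n && i1 == p1->n)
        return st.freed_in_softirq || st.use_after_free;
    if (i0 < p0->n) {
        struct ctx s = st;
        if (p0->steps[i0](&s) && explore(s, p0, i0 + 1, p1, i1))
            return true;
    }
    if (i1 < p1->n) {
        struct ctx s = st;
        if (p1->steps[i1](&s) && explore(s, p0, i0, p1, i1 + 1))
            return true;
    }
    return false;
}

static int check(const char *name, struct ctx init,
                 const step_fn *s0, int n0, const step_fn *s1, int n1)
{
    struct program p0 = { s0, n0 }, p1 = { s1, n1 };
    int broken = explore(init, &p0, 0, &p1, 0);
    printf("%-44s %s\n", name, broken ? "RACE FOUND" : "ok");
    return broken;
}

static const step_fn destroy_steps[]     = { step_wait_check, step_destroy_put };
static const step_fn original_complete[] = { step_complete_dec, step_complete_wake, step_complete_put };
static const step_fn naive_complete[]    = { step_complete_dec, step_complete_wake };
static const step_fn patched_complete[]  = { step_complete_locked };

/* 2.6.19: each kiocb pins the ioctx (users == 2) and drops it from aio_complete() */
int original_races(void)
{
    struct ctx init = { .reqs_active = 1, .users = 2 };
    return check("original: per-kiocb ref, unlocked check", init,
                 destroy_steps, 2, original_complete, 3);
}
/* Only removing the per-kiocb ref: io_destroy() may free ctx before wake_up() runs */
int naive_races(void)
{
    struct ctx init = { .reqs_active = 1, .users = 1 };
    return check("naive: no kiocb ref, unlocked wake_up", init,
                 destroy_steps, 2, naive_complete, 2);
}
/* The patch: no per-kiocb ref, decrement and wake_up under ctx_lock */
int patched_races(void)
{
    struct ctx init = { .reqs_active = 1, .users = 1 };
    return check("patched: no kiocb ref, locked dec+wake", init,
                 destroy_steps, 2, patched_complete, 1);
}

int main(void)
{
    return (original_races() && naive_races() && !patched_races()) ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall race_model.c`. The first two schemes report RACE FOUND (the original drops the last ioctx reference from the completion side, the naive one lets wake_up() touch a freed ioctx), the patched scheme reports ok. Because the explorer is exhaustive for these tiny programs it shows why the lock is needed once the per-kiocb reference is gone, which the commit message states but a stress test that may or may not hit the window cannot demonstrate.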