* [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
@ 2009-02-11  5:50 FUJITA Tomonori
  2009-02-11  6:05 ` [stable] " Greg KH
  2009-02-11 13:42 ` Douglas Gilbert
  0 siblings, 2 replies; 5+ messages in thread
From: FUJITA Tomonori @ 2009-02-11  5:50 UTC (permalink / raw)
  To: stable; +Cc: hias, rjw, James.Bottomley, dgilbert, linux-scsi

This patch is against 2.6.28.x and fixes a regression from 2.6.27.

This is the modified version of the following patch that is planned to be
merged into 2.6.30-rc1 in the scsi-misc tree:

http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=b35fe25ae156830f85a305afaba837b084458e7a

The scsi-misc tree has other patches to fix sg oops so the above patch
can't be cleanly applied to 2.6.28.x. These patches are too large for
2.6.28.x (they need more testing) so sg in 2.6.28.x still has the oops
bugs for now even with this patch. I expect that these patches will go
into stable trees too after 2.6.30-rc1 (that is, after more people
test them).

=
From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Subject: [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt

This fixes the following oops:

http://bugzilla.kernel.org/show_bug.cgi?id=12612

You can reproduce this bug by interrupting a program before a sg
response completes. This leads to the special sg state (the orphan
state), then sg calls blk_put_request in interrupt (rq->end_io).

The above bug report shows the recursive lock problem because sg calls
blk_put_request in interrupt. We could call __blk_put_request here
instead; however, we also need to handle blk_rq_unmap_user here, which
can't be called in interrupt either.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
---
 drivers/scsi/sg.c |   27 ++++++++++++++++++---------
 1 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 5103855..66be131 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -137,6 +137,7 @@ typedef struct sg_request {	/* SG_MAX_QUEUE requests outstanding per file */
 	volatile char done;	/* 0->before bh, 1->before read, 2->read */
 	struct request *rq;
 	struct bio *bio;
+	struct execute_work ew;
 } Sg_request;
 
 typedef struct sg_fd {		/* holds the state of a file descriptor */
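Review bot: the new ew member of struct sg_request has no comment saying what it is for, and nothing here documents that the embedded work item belongs to one request and must not be queued again while it is pending. Suggest a short trailing comment on that line, for example that ew is used to run sg_finish_rem_req() in process context when completion arrives in interrupt.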
@@ -1240,6 +1241,20 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
 	return 0;
 }
 
+static void sg_rq_end_io_usercontext(struct work_struct *work)
+{
+	struct sg_request *srp = container_of(work, struct sg_request, ew.work);
+	struct sg_fd *sfp = srp->parentfp;
+	struct sg_device *sdp = sfp->parentdp;
+
+	sg_finish_rem_req(srp);
+	if (sfp->closed && !sfp->headrp) {
+		SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, final cleanup\n"));
+		if (!sg_remove_sfp(sdp, sfp))
+			scsi_device_put(sdp->device);
+	}
+}
+
 /*
  * This function is a "bottom half" handler that is called by the mid
  * level when a command is completed (or has failed).
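Review bot: in sg_rq_end_io_usercontext(), srp->parentfp, sfp->parentdp, sfp->closed and sfp->headrp are all read when the deferred work runs, which can be later than the completion that queued it, and nothing in this hunk takes a lock or a reference that keeps sfp and sdp valid until then. Please add a comment stating what guarantees their lifetime across the deferral, or take a reference before queuing and drop it here. Minor: the printk prefix "sg_cmd_done:" does not match the name of the function it is emitted from, which makes the log line harder to trace.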
@@ -1305,20 +1320,14 @@ static void sg_rq_end_io(struct request *rq, int uptodate)
 
 	if (sfp->closed) {	/* whoops this fd already released, cleanup */
 		SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, freeing ...\n"));
-		sg_finish_rem_req(srp);
+		execute_in_process_context(sg_rq_end_io_usercontext, &srp->ew);
 		srp = NULL;
-		if (NULL == sfp->headrp) {
-			SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, final cleanup\n"));
-			if (0 == sg_remove_sfp(sdp, sfp)) {	/* device still present */
-				scsi_device_put(sdp->device);
-			}
-			sfp = NULL;
-		}
 	} else if (srp && srp->orphan) {
 		if (sfp->keep_orphan)
 			srp->sg_io_owned = 0;
 		else {
-			sg_finish_rem_req(srp);
+			execute_in_process_context(sg_rq_end_io_usercontext,
+						   &srp->ew);
 			srp = NULL;
 		}
 	}
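Review bot: the orphan branch (the else under "if (sfp->keep_orphan)") used to call only sg_finish_rem_req(srp), but it now queues the same handler as the closed branch, so it can also reach sg_remove_sfp() and scsi_device_put() if sfp->closed becomes set before the work runs. If that extra cleanup on the orphan path is intended, please say so in the changelog; if not, use a separate handler for this branch that only calls sg_finish_rem_req().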
-- 
1.6.0.6


* Re: [stable] [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
  2009-02-11  5:50 [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt FUJITA Tomonori
@ 2009-02-11  6:05 ` Greg KH
  2009-02-11 15:24   ` James Bottomley
  2009-02-11 13:42 ` Douglas Gilbert
  1 sibling, 1 reply; 5+ messages in thread
From: Greg KH @ 2009-02-11  6:05 UTC (permalink / raw)
  To: FUJITA Tomonori; +Cc: stable, rjw, hias, linux-scsi, James.Bottomley, dgilbert

On Wed, Feb 11, 2009 at 02:50:18PM +0900, FUJITA Tomonori wrote:
> This patch is against 2.6.28.x and fixes a regression from 2.6.27.
> 
> This is the modified version of the following patch that is planned to be
> merged into 2.6.30-rc1 in the scsi-misc tree:
> 
> http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=b35fe25ae156830f85a305afaba837b084458e7a
> 
> The scsi-misc tree has other patches to fix sg oops so the above patch
> can't be cleanly applied to 2.6.28.x. These patches are too large for
> 2.6.28.x (they need more testing) so sg in 2.6.28.x still has the oops
> bugs for now even with this patch. I expect that these patches will go
> into stable trees too after 2.6.30-rc1 (that is, after more people
> test them).

What about 2.6.29?  If it still has this problem as well, why not get
this patch into that tree now?  Then it can go into the -stable trees.
As it is, I can't take a patch in the .28.y or .27.y trees that is not
in Linus's tree.

confused,

greg k-h


* Re: [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
  2009-02-11  5:50 [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt FUJITA Tomonori
  2009-02-11  6:05 ` [stable] " Greg KH
@ 2009-02-11 13:42 ` Douglas Gilbert
  1 sibling, 0 replies; 5+ messages in thread
From: Douglas Gilbert @ 2009-02-11 13:42 UTC (permalink / raw)
  To: FUJITA Tomonori; +Cc: stable, hias, rjw, James.Bottomley, linux-scsi

FUJITA Tomonori wrote:
> This patch is against 2.6.28.x and fixes a regression from 2.6.27.
> 
> This is the modified version of the following patch that is planned to be
> merged into 2.6.30-rc1 in the scsi-misc tree:
> 
> http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=b35fe25ae156830f85a305afaba837b084458e7a
> 
> The scsi-misc tree has other patches to fix sg oops so the above patch
> can't be cleanly applied to 2.6.28.x. These patches are too large for
> 2.6.28.x (they need more testing) so sg in 2.6.28.x still has the oops
> bugs for now even with this patch. I expect that these patches will go
> into stable trees too after 2.6.30-rc1 (that is, after more people
> test them).
> 
> =
> From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
> Subject: [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
> 
> This fixes the following oops:
> 
> http://bugzilla.kernel.org/show_bug.cgi?id=12612
> 
> You can reproduce this bug by interrupting a program before a sg
> response completes. This leads to the special sg state (the orphan
> state), then sg calls blk_put_request in interrupt (rq->end_io).
> 
> The above bug report shows the recursive lock problem because sg calls
> blk_put_request in interrupt. We could call __blk_put_request here
> instead; however, we also need to handle blk_rq_unmap_user here, which
> can't be called in interrupt either.
> 
> Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>

Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>


* Re: [stable] [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
  2009-02-11  6:05 ` [stable] " Greg KH
@ 2009-02-11 15:24   ` James Bottomley
  2009-02-11 17:15     ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: James Bottomley @ 2009-02-11 15:24 UTC (permalink / raw)
  To: Greg KH; +Cc: FUJITA Tomonori, stable, rjw, hias, linux-scsi, dgilbert

On Tue, 2009-02-10 at 22:05 -0800, Greg KH wrote:
> On Wed, Feb 11, 2009 at 02:50:18PM +0900, FUJITA Tomonori wrote:
> > This patch is against 2.6.28.x and fixes a regression from 2.6.27.
> > 
> > This is the modified version of the following patch that is planned to be
> > merged into 2.6.30-rc1 in the scsi-misc tree:
> > 
> > http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=b35fe25ae156830f85a305afaba837b084458e7a
> > 
> > The scsi-misc tree has other patches to fix sg oops so the above patch
> > can't be cleanly applied to 2.6.28.x. These patches are too large for
> > 2.6.28.x (they need more testing) so sg in 2.6.28.x still has the oops
> > bugs for now even with this patch. I expect that these patches will go
> > into stable trees too after 2.6.30-rc1 (that is, after more people
> > test them).
> 
> What about 2.6.29?  If it still has this problem as well, why not get
> this patch into that tree now?  Then it can go into the -stable trees.
> As it is, I can't take a patch in the .28.y or .27.y trees that is not
> in Linus's tree.
> 
> confused,

Sorry my fault ... this is a risky change, so we're going to incubate in
misc first, then place in the merge window, then backport to stable.  If
nothing turns up in linux-next, I could move across to rc-fixes and send
upstream earlier ...  I was just wary of the depth of testing in
linux-next.

James


* Re: [stable] [PATCH -stable 2.6.28.x] sg: avoid blk_put_request/blk_rq_unmap_user in interrupt
  2009-02-11 15:24   ` James Bottomley
@ 2009-02-11 17:15     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2009-02-11 17:15 UTC (permalink / raw)
  To: James Bottomley; +Cc: FUJITA Tomonori, stable, rjw, hias, linux-scsi, dgilbert

On Wed, Feb 11, 2009 at 10:24:56AM -0500, James Bottomley wrote:
> On Tue, 2009-02-10 at 22:05 -0800, Greg KH wrote:
> > On Wed, Feb 11, 2009 at 02:50:18PM +0900, FUJITA Tomonori wrote:
> > > This patch is against 2.6.28.x and fixes a regression from 2.6.27.
> > > 
> > > This is the modified version of the following patch that is planned to be
> > > merged into 2.6.30-rc1 in the scsi-misc tree:
> > > 
> > > http://git.kernel.org/?p=linux/kernel/git/jejb/scsi-misc-2.6.git;a=commit;h=b35fe25ae156830f85a305afaba837b084458e7a
> > > 
> > > The scsi-misc tree has other patches to fix sg oops so the above patch
> > > can't be cleanly applied to 2.6.28.x. These patches are too large for
> > > 2.6.28.x (they need more testing) so sg in 2.6.28.x still has the oops
> > > bugs for now even with this patch. I expect that these patches will go
> > > into stable trees too after 2.6.30-rc1 (that is, after more people
> > > test them).
> > 
> > What about 2.6.29?  If it still has this problem as well, why not get
> > this patch into that tree now?  Then it can go into the -stable trees.
> > As it is, I can't take a patch in the .28.y or .27.y trees that is not
> > in Linus's tree.
> > 
> > confused,
> 
> Sorry my fault ... this is a risky change, so we're going to incubate in
> misc first, then place in the merge window, then backport to stable.  If
> nothing turns up in linux-next, I could move across to rc-fixes and send
> upstream earlier ...  I was just wary of the depth of testing in
> linux-next.

Ok, please let stable@kernel.org know when it goes into Linus's tree and
what needs to be added to the older kernel trees.

thanks,

greg k-h
