From: Mike Christie <michael.christie@oracle.com>
To: Maurizio Lombardi <mlombard@redhat.com>, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
bvanassche@acm.org
Subject: Re: [PATCH 2/2] target: iscsi: fix a race condition when aborting a task
Date: Thu, 22 Oct 2020 02:42:23 +0000 [thread overview]
Message-ID: <20daa17d-08e7-a412-4d33-bcf75587eca6@oracle.com> (raw)
In-Reply-To: <20201007145326.56850-3-mlombard@redhat.com>
On 10/7/20 9:53 AM, Maurizio Lombardi wrote:
> The iscsit_release_commands_from_conn() function does the following
> operations:
>
> 1) locks the cmd_lock spinlock
> 2) Scans the list of commands and sets the CMD_T_FABRIC_STOP flag
> 3) Releases the cmd_lock spinlock
> 4) Rescans the list again and clears the i_conn_node link of each command
>
> If an abort task timer is fired between 3) and 4), it will find
> the CMD_T_FABRIC_STOP flag set and won't call list_del_init();
> therefore it may end up calling __iscsit_free_cmd() with a
> non-empty i_conn_node list, thus triggering the warning.
>
> Considering that:
>
> - we expect list_del_init() to be executed by
> iscsit_release_commands_from_conn() when the CMD_T_FABRIC_STOP is set.
> - iscsit_aborted_task() is the only function that calls __iscsit_free_cmd()
> directly, while all the other functions call iscsit_free_cmd().
> - the warning in __iscsit_free_cmd() is a duplicate (the same warning
> can be found in iscsit_free_cmd().
>
For iscsi, what does the last put on the cmd for a successful abort. Ignore this conn stop case.
If we abort a command successfully, the abort path does:
target_handle_abort -> transport_cmd_check_stop_to_fabric -> lio_check_stop_free -> target_put_sess_cmd
When we create the cmd we do transport_init_se_cmd and that sets the refcount=1. We do target_get_sess_cmd with ack_kref=true so that sets refcount=2.
On the abort completion path, target_handle_abort does target_put_sess_cmd (refcount=1 after), check_stop_free ends up doing a put (refcount=0 after).
If we free the cmd from the abort path, then for your conn stop plus abort race case, could we do:
1. thread1 runs iscsit_release_commands_from_conn and sets CMD_T_FABRIC_STOP.
2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It then returns from the aborted_task callout and we finish target_handle_abort and do:
target_handle_abort -> transport_cmd_check_stop_to_fabric -> lio_check_stop_free -> target_put_sess_cmd
The cmd is now freed.
3. thread1 now finishes iscsit_release_commands_from_conn and runs iscsit_free_cmd while accessing a command we just released.
WARNING: multiple messages have this Message-ID (diff)
From: Mike Christie <michael.christie@oracle.com>
To: Maurizio Lombardi <mlombard@redhat.com>, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
bvanassche@acm.org
Subject: Re: [PATCH 2/2] target: iscsi: fix a race condition when aborting a task
Date: Wed, 21 Oct 2020 21:42:23 -0500 [thread overview]
Message-ID: <20daa17d-08e7-a412-4d33-bcf75587eca6@oracle.com> (raw)
In-Reply-To: <20201007145326.56850-3-mlombard@redhat.com>
On 10/7/20 9:53 AM, Maurizio Lombardi wrote:
> The iscsit_release_commands_from_conn() function does the following
> operations:
>
> 1) locks the cmd_lock spinlock
> 2) Scans the list of commands and sets the CMD_T_FABRIC_STOP flag
> 3) Releases the cmd_lock spinlock
> 4) Rescans the list again and clears the i_conn_node link of each command
>
> If an abort task timer is fired between 3) and 4), it will find
> the CMD_T_FABRIC_STOP flag set and won't call list_del_init();
> therefore it may end up calling __iscsit_free_cmd() with a
> non-empty i_conn_node list, thus triggering the warning.
>
> Considering that:
>
> - we expect list_del_init() to be executed by
> iscsit_release_commands_from_conn() when the CMD_T_FABRIC_STOP is set.
> - iscsit_aborted_task() is the only function that calls __iscsit_free_cmd()
> directly, while all the other functions call iscsit_free_cmd().
> - the warning in __iscsit_free_cmd() is a duplicate (the same warning
> can be found in iscsit_free_cmd().
>
For iscsi, what does the last put on the cmd for a successful abort. Ignore this conn stop case.
If we abort a command successfully, the abort path does:
target_handle_abort -> transport_cmd_check_stop_to_fabric -> lio_check_stop_free -> target_put_sess_cmd
When we create the cmd we do transport_init_se_cmd and that sets the refcount=1. We do target_get_sess_cmd with ack_kref=true so that sets refcount=2.
On the abort completion path, target_handle_abort does target_put_sess_cmd (refcount=1 after), check_stop_free ends up doing a put (refcount=0 after).
If we free the cmd from the abort path, then for your conn stop plus abort race case, could we do:
1. thread1 runs iscsit_release_commands_from_conn and sets CMD_T_FABRIC_STOP.
2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It then returns from the aborted_task callout and we finish target_handle_abort and do:
target_handle_abort -> transport_cmd_check_stop_to_fabric -> lio_check_stop_free -> target_put_sess_cmd
The cmd is now freed.
3. thread1 now finishes iscsit_release_commands_from_conn and runs iscsit_free_cmd while accessing a command we just released.
next prev parent reply other threads:[~2020-10-22 2:42 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-07 14:53 [PATCH 0/2] fix race conditions with task aborts Maurizio Lombardi
2020-10-07 14:53 ` Maurizio Lombardi
2020-10-07 14:53 ` [PATCH 1/2] target: iscsi: prevent a race condition in iscsit_unmap_cmd() Maurizio Lombardi
2020-10-07 14:53 ` Maurizio Lombardi
2020-10-08 2:15 ` Bart Van Assche
2020-10-08 2:15 ` Bart Van Assche
2020-10-08 9:42 ` Maurizio Lombardi
2020-10-08 9:42 ` Maurizio Lombardi
2020-10-07 14:53 ` [PATCH 2/2] target: iscsi: fix a race condition when aborting a task Maurizio Lombardi
2020-10-07 14:53 ` Maurizio Lombardi
2020-10-22 2:42 ` Mike Christie [this message]
2020-10-22 2:42 ` Mike Christie
2020-10-27 13:49 ` Maurizio Lombardi
2020-10-27 13:49 ` Maurizio Lombardi
2020-10-27 17:54 ` Mike Christie
2020-10-27 17:54 ` Mike Christie
2020-10-27 20:03 ` Michael Christie
2020-10-27 20:03 ` Michael Christie
2020-10-28 17:09 ` Maurizio Lombardi
2020-10-28 17:09 ` Maurizio Lombardi
2020-10-28 20:37 ` Mike Christie
2020-10-28 20:37 ` Mike Christie
2020-11-10 21:29 ` Maurizio Lombardi
2020-11-10 21:29 ` Maurizio Lombardi
2020-11-10 23:08 ` Mike Christie
2020-11-10 23:08 ` Mike Christie
2020-11-11 2:16 ` Mike Christie
2020-11-11 2:16 ` Mike Christie
2020-11-11 14:58 ` Maurizio Lombardi
2020-11-11 14:58 ` Maurizio Lombardi
2020-11-11 15:37 ` Michael Christie
2020-11-11 15:37 ` Michael Christie
2020-11-11 15:48 ` Maurizio Lombardi
2020-11-11 15:48 ` Maurizio Lombardi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20daa17d-08e7-a412-4d33-bcf75587eca6@oracle.com \
--to=michael.christie@oracle.com \
--cc=bvanassche@acm.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mlombard@redhat.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.