From: Chao Leng <lengchao@huawei.com>
To: <linux-nvme@lists.infradead.org>
Subject: Re: [PATCH] nvme: fix (S)RCU protection of nvme_ns_head list (alternate)
Date: Fri, 2 Dec 2022 09:21:17 +0800	[thread overview]
Message-ID: <5e3e0a43-b318-5ca9-b22a-b62c7891bc96@huawei.com> (raw)
In-Reply-To: <CADUfDZqT5z3XiRBoueP+==JB3qizBKQJ+o82qw50nydTL9RzEQ@mail.gmail.com>



On 2022/12/2 5:17, Caleb Sander wrote:
> On Wed, Nov 30, 2022 at 12:40 AM Sagi Grimberg <sagi@grimberg.me> wrote:
>>
>>
>>>> I understand what you mean in general, but in this particular case
>>>> I don't understand what is not working.
>>>
>>> How does this work?
>>
>> Particularly, the sleeping contexts are guaranteed not to dereference
>> this NS after the two previous srcu synchronization steps so at this
>> point, the only protection of nvme_ns_remove is against this
>> non-sleepable traversal, which should be enough to protect with rcu.
> 
> Can you help me understand the safety here?
> The namespace will be dereferenced when traversing the siblings list,
> which is protected by SRCU.
> But nvme_ns_remove() only synchronizes with RCU between removing the namespace
> from the siblings list and freeing the namespace.
> So it seems like there's a race here:
> Thread A:                               Thread B:
> nvme_ns_remove() executes
> past the last synchronize_srcu()
>                                          nvme_ns_head_submit_bio()
>                                          calls srcu_read_lock(),
>                                          starts traversing siblings list,
>                                          holds pointer to ns
> Removes ns from siblings list
> Calls synchronize_rcu()
> (does not block for the SRCU reader)
del_gendisk will wait for all requests to be completed, so "use after free" will not happen.
> nvme_put_ns() reaches 0 references,
> frees ns
>                                          Dereferences ns to continue traversal
>                                          => USE AFTER FREE
> 
> .
> 
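To make the quoted interleaving concrete, here is an added Python model (not kernel code, not the patch under discussion, and not Caleb Sander's or Chao Leng's code) that runs Thread A's and Thread B's steps in the listed order, with simple reader counters standing in for the RCU and SRCU grace periods. It shows that synchronize_rcu() completes while an SRCU reader still holds the pointer, so the traversal touches freed memory, whereas synchronize_srcu() on the same domain blocks until that reader exits. The model deliberately does not include the request draining in del_gendisk() that Chao Leng raises; it covers only which readers each grace period waits for.

```python
"""Deterministic model of the interleaving in the quoted mail.

Added illustration only: not kernel code and not the patch under
discussion. It stands in for one SRCU domain (head->srcu), the plain RCU
grace period, an nvme_ns node on head->list, and the two threads' steps
executed in exactly the order Caleb lists.
"""
from dataclasses import dataclass


@dataclass
class Ns:
    """Stand-in for struct nvme_ns; `freed` models kfree() having run."""
    nsid: int
    freed: bool = False


@dataclass
class GracePeriods:
    """Reader counters: a grace period only waits for its own flavour."""
    rcu_readers: int = 0
    srcu_readers: int = 0  # readers inside srcu_read_lock(&head->srcu)

    def srcu_read_lock(self) -> None:
        self.srcu_readers += 1

    def srcu_read_unlock(self) -> None:
        self.srcu_readers -= 1

    def synchronize_rcu(self) -> bool:
        """True if the RCU grace period ends now. SRCU readers are ignored,
        which is the point of the quoted objection."""
        return self.rcu_readers == 0

    def synchronize_srcu(self) -> bool:
        """True only once every SRCU reader of this domain has exited."""
        return self.srcu_readers == 0


def run_interleaving(sync_with_srcu: bool) -> dict:
    """Execute the Thread A / Thread B steps in the quoted order.

    Returns which grace period the remover used, whether that grace period
    blocked on the SRCU reader, and whether Thread B's final dereference
    touched freed memory.
    """
    gp = GracePeriods()
    ns = Ns(nsid=1)
    siblings = [ns]                       # head->list with one namespace

    # Thread B: srcu_read_lock(), begin traversal, hold pointer to ns.
    gp.srcu_read_lock()
    held = siblings[0]

    # Thread A: list_del_rcu(&ns->siblings), then wait for a grace period.
    siblings.remove(ns)
    completed = gp.synchronize_srcu() if sync_with_srcu else gp.synchronize_rcu()
    if completed:
        ns.freed = True                   # nvme_put_ns() -> last ref -> kfree()

    # Thread B: continue traversal through the pointer it still holds.
    use_after_free = held.freed
    gp.srcu_read_unlock()

    if not completed:
        # synchronize_srcu() was blocked by the reader and returns only now,
        # so the free happens after the reader left the critical section.
        ns.freed = True

    return {
        "grace_period": "srcu" if sync_with_srcu else "rcu",
        "remover_blocked": not completed,
        "use_after_free": use_after_free,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(run_interleaving(flag))
```

Running it prints one result per grace-period flavour: with synchronize_rcu() the remover is not blocked and the reader's dereference lands on freed memory; with synchronize_srcu() the remover blocks until the reader exits and no freed memory is touched.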

