dm-devel.redhat.com archive mirror
 help / color / mirror / Atom feed
From: Benjamin Marzinski <bmarzins@redhat.com>
To: Martin Wilck <mwilck@suse.com>
Cc: lixiaokeng@huawei.com, dm-devel@redhat.com
Subject: Re: [dm-devel] [PATCH v2 29/29] libmultipath: fix race between log_safe and log_thread_stop()
Date: Wed, 4 Nov 2020 09:46:26 -0600	[thread overview]
Message-ID: <20201104154626.GC3384@octiron.msp.redhat.com> (raw)
In-Reply-To: <5e76585aaefdb34df7ff4ccad459212beb3b67fa.camel@suse.com>

On Wed, Nov 04, 2020 at 01:36:02PM +0100, Martin Wilck wrote:
> On Mon, 2020-11-02 at 18:11 -0600, Benjamin Marzinski wrote:
> > On Mon, Oct 26, 2020 at 06:24:57PM +0100, Martin Wilck wrote:
> > > On Mon, 2020-10-26 at 17:22 +0100, Martin Wilck wrote:
> > > > On Mon, 2020-10-19 at 21:20 -0500, Benjamin Marzinski wrote:
> > > > > On Fri, Oct 16, 2020 at 12:45:01PM +0200, mwilck@suse.com
> > > > > wrote:
> > > > > > From: Martin Wilck <mwilck@suse.com>
> > > > > > 
> > > > > > log_safe() could race with log_thread_stop(); simply
> > > > > > checking the value of log_thr has never been safe. By
> > > > > > converting
> > > > > > the
> > > > > > mutexes to static initializers, we avoid having to destroy
> > > > > > them,
> > > > > > and thus
> > > > > > possibly accessing a destroyed mutex in log_safe().
> > > > > > Furthermore,
> > > > > > taking
> > > > > > both the logev_lock and the logq_lock makes sure the logarea
> > > > > > isn't
> > > > > > freed
> > > > > > while we are writing to it.
> > > > > > 
> > > > > 
> > > > > I don't see any problems with this, but I also don't think it's
> > > > > necssary
> > > > > to hold the log thread lock (logev_lock), just to add a message
> > > > > to
> > > > > the
> > > > > queue. It seems like protecting the log queue is the job of
> > > > > logq_lock.
> > > > > As long as log_safe() enqueues the message before
> > > > > flush_logqueue()
> > > > > is
> > > > > called in log_thread_stop(), it should be fine. This could be
> > > > > solved
> > > > > by
> > > > > simply having a static variable in log_pthread.c named
> > > > > something
> > > > > like
> > > > > log_area_enabled, that always accessed while holding the
> > > > > logq_lock,
> > > > > and
> > > > > is set to true when the log_area is created, and set to false
> > > > > just
> > > > > before calling the flush_logqueue() in log_thread_stop().
> > > > 
> > > > If we do this, we might as well use the variable "la" itself for
> > > > that,
> > > > and make sure it's only accessed under the lock. It'd be fine,
> > > > because
> > > > la is used if and only if the log thread is active, and spare us
> > > > another variable. I had actually considered that, thought it was
> > > > too
> > > > invasive for the already big series. If you prefer this way, I
> > > > can do
> > > > it. 
> > > 
> > > OTOH, we take logev_lock in log_safe() anyway (to set
> > > log_messages_pending). I doubt that it makes a big difference if we
> > > take the two locks sequentially, or nested. The previous code
> > > actually
> > > took the logev_lock twice, before and after logq_lock. Assuming
> > > that
> > > contention is rather rare, I believe my code might actually perform
> > > better than before. 
> > > 
> > > In your previous review 
> > > https://www.redhat.com/archives/dm-devel/2020-September/msg00631.html
> > > you pointed out that you considered it important that log_safe()
> > > works
> > > even after the thread was stopped. Making this work implies that
> > > log_safe() needs to check if the thread is up. So we either have to
> > > take logev_lock twice, or take logq_lock while holding logev_lock.
> > > 
> > > Bottom line: I think my patch is correct. We could add another
> > > patch on
> > > top that moves logq_lock() into log.c, protecting the "la"
> > > variable,
> > > but the nesting would still need to be the same.
> > > 
> > > Does this make sense?
> > 
> > No. Maybe I'm just being dumb, but couldn't log safe:
> > 
> > - grab the logq_lock
> > - check if the log_area is usable. We can use la for this.
> > 	- If not, unlock, write to syslog and return
> > 	- If so, you know that flush_logqueue() hasn't been run by
> > 	  log_thread_stop() yet,
> 
> How do I know that?

oops. When I talked above about using a seperate variable,
log_area_enabled, I mentioned that you would need to set this to false
before calling flush_logqueue() in log_thread_stop(). This means that
you can't just use la for this, since you need la around for
flush_logqueue. Sorry. On the other hand, while I not a big fan of
nesting locks that don't need to be, it's not a big deal. So I'm o.k.
with your version.

Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>

> flush_logqueue() could be running, or could just
> have finished. Neither free_logarea() nor log_close() take the
> logq_lock (in the current code), so the following would be possible:
> 
>   thread A                       thread B               log thread
>   --------                       --------               ----------
>                                  
>      log_thread_stop()           log_safe()                                
>                                    under logev_lock:
>                                      observe logq_running==1
>          under logev_lock:
>            pthread_cancel
>            signal logev_cond
>                                                         <observe logev_cond/cancel>
>                                                         under logev_log:
>                                                           logq_running=0
>                                                         exit()
>          pthread_join()
>          flush_logqueue()
>             <return>
>          log_close()               under logq_lock:
>                                      test la -> ok           
>             free_logarea()
>                 FREE(la)             log_enqueue()   
>             closelog()                 access la
>                                        -> *bummer*
>  
> Even if it doesn't crash because thread B wins the race against FREE(),
> the messages written after flush_logqueue() returns will be lost.
> AFAICS, the latter would still hold if we did grab logq_lock in
> free_logarea(), but at least then we couldn't crash any more.
> (I doubt that loosing messages in this corner case really matters).
> 
> >  meaning anything you add to the log
> > 	  will get flushed by flush_logqueue, so enqueue the message
> > -unlock logq_lock and lock logev_lock
> > -signal that there are messages pending.
> > If nobody is listening on the
> >  the other side, who cares, because log_thread_stop() will still
> > flush
> >  the enqueued message
> > -unlock logev_lock
> > 
> > Am I missing something?
> 
> See above. Be invited to prove that I'm wrong :-)
> 
> What can we do about it? Of course you're right, if we keep logev_lock
> held in log_safe(), we hold this log for a longer time, and effectively
> prevent synchronous queueing and dequeuing of messages, so it's not
> ideal either.
> 
> By taking logq_log in all functions accessing "la" in log.c, we would
> avoid crashing. We might still loose some messages. Next, we could
> switch to direct logging if log_enqueue() failed because "la" has been
> freed (I'm not sure if we should also switch to direct logging if
> log_enqueue() fails for other reasons, e.g. because the ring buffer is
> full - I suppose we shouldn't).
> 
> What about that?
> 
> Regards,
> Martin
> 
> PS: One reason for the awkwardness here is the use of
> log_messages_pending under the logev_lock. I believe that
> log_messages_pending is redundant; it should be replaced
> by something like (la->empty) or (la->tail != la->head), to be tested under logq_lock. But this is subtle, I need to study the code more deeply to get it right. I see it rather as a long-term improvement.
> 

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel


      reply	other threads:[~2020-11-04 15:46 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-16 10:44 [dm-devel] [PATCH v2 00/29] libmultipath: improve cleanup on exit mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 01/29] multipathd: uxlsnr: avoid deadlock " mwilck
2020-10-20 19:04   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 02/29] multipathd: Fix liburcu memory leak mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 03/29] multipathd: move handling of io_err_stat_attr into libmultipath mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 04/29] multipathd: move vecs desctruction into cleanup function mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 05/29] multipathd: make some globals static mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 06/29] multipathd: move threads destruction into separate function mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 07/29] multipathd: move conf " mwilck
2020-10-19 18:56   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 08/29] multipathd: move pid " mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 09/29] multipathd: close pidfile on exit mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 10/29] multipathd: add helper for systemd notification at exit mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 11/29] multipathd: child(): call cleanups in failure case, too mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 12/29] multipathd: unwatch_all_dmevents: check if waiter is initialized mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 13/29] multipathd: print error message if config can't be loaded mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 14/29] libmultipath: add libmp_dm_exit() mwilck
2020-10-19 19:07   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 15/29] multipathd: fixup libdm deinitialization mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 16/29] libmultipath: log_thread_stop(): check if logarea is initialized mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 17/29] multipathd: add cleanup_child() exit handler mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 18/29] libmultipath: fix log_thread startup and teardown mwilck
2020-10-19 20:00   ` Benjamin Marzinski
2020-10-26 13:58     ` Martin Wilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 19/29] multipathd: move cleanup_{prio, checkers, foreign} to libmultipath_exit mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 20/29] multipath: use atexit() for cleanup handlers mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 21/29] mpathpersist: " mwilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 22/29] multipath: fix leaks in check_path_valid() mwilck
2020-12-16 17:34   ` Martin Wilck
2020-12-16 22:41     ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 23/29] multipath-tools: mpath-tools.supp: file with valgrind suppressions mwilck
2020-10-19 20:01   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 24/29] libmultipath: use libmp_verbosity to track verbosity mwilck
2020-10-19 20:38   ` Benjamin Marzinski
2020-10-26 14:47     ` Martin Wilck
2020-10-16 10:44 ` [dm-devel] [PATCH v2 25/29] libmultipath: introduce symbolic values for logsink mwilck
2020-10-16 20:13   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 26/29] libmultipath: simplify dlog() mwilck
2020-10-19 21:07   ` Benjamin Marzinski
2020-10-16 10:44 ` [dm-devel] [PATCH v2 27/29] multipathd: common code for "-k" and command args mwilck
2020-10-19 21:51   ` Benjamin Marzinski
2020-10-16 10:45 ` [dm-devel] [PATCH v2 28/29] multipathd: sanitize uxsock_listen() mwilck
2020-10-19 23:33   ` Benjamin Marzinski
2020-10-26 13:54     ` Martin Wilck
2020-10-16 10:45 ` [dm-devel] [PATCH v2 29/29] libmultipath: fix race between log_safe and log_thread_stop() mwilck
2020-10-20  2:20   ` Benjamin Marzinski
2020-10-26 16:22     ` Martin Wilck
2020-10-26 17:24       ` Martin Wilck
2020-11-03  0:11         ` Benjamin Marzinski
2020-11-04 12:36           ` Martin Wilck
2020-11-04 15:46             ` Benjamin Marzinski [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201104154626.GC3384@octiron.msp.redhat.com \
    --to=bmarzins@redhat.com \
    --cc=dm-devel@redhat.com \
    --cc=lixiaokeng@huawei.com \
    --cc=mwilck@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).