Re: [PATCH] sg: protect access to to 'reserved' page array

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Feb 1, 2017 at 2:21 PM, Hannes Reinecke <hare@xxxxxxx> wrote:
> On 02/01/2017 02:12 PM, Christoph Hellwig wrote:
>> On Wed, Feb 01, 2017 at 12:22:15PM +0100, Hannes Reinecke wrote:
>>> The 'reserved' page array is used as a short-cut for mapping
>>> data, saving us to allocate pages per request.
>>> However, the 'reserved' array is only capable of holding one
>>> request, so we need to protect it against concurrent accesses.
>>>
>>> Cc: stable@xxxxxxxxxxxxxxx
>>> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>>> Link: http://www.spinics.net/lists/linux-scsi/msg104326.html
>>> Signed-off-by: Hannes Reinecke <hare@xxxxxxxx>
>>> Tested-by: Johannes Thumshirn <jth@xxxxxxxxxx>
>>> ---
>>>  drivers/scsi/sg.c | 30 ++++++++++++------------------
>>>  1 file changed, 12 insertions(+), 18 deletions(-)
>>>
>>> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
>>> index 652b934..6a8601c 100644
>>> --- a/drivers/scsi/sg.c
>>> +++ b/drivers/scsi/sg.c
>>> @@ -155,6 +155,8 @@
>>>      unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
>>>      char keep_orphan;       /* 0 -> drop orphan (def), 1 -> keep for read() */
>>>      char mmap_called;       /* 0 -> mmap() never called on this fd */
>>> +    unsigned long flags;
>>> +#define SG_RESERVED_IN_USE 1
>>>      struct kref f_ref;
>>>      struct execute_work ew;
>>>  } Sg_fd;
>>> @@ -198,7 +200,6 @@ static int sg_common_write(Sg_fd * sfp, Sg_request * srp,
>>>  static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
>>>  static Sg_request *sg_add_request(Sg_fd * sfp);
>>>  static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
>>> -static int sg_res_in_use(Sg_fd * sfp);
>>>  static Sg_device *sg_get_dev(int dev);
>>>  static void sg_device_destroy(struct kref *kref);
>>>
>>> @@ -721,7 +722,7 @@ static int sg_allow_access(struct file *filp, unsigned char *cmd)
>>>                      sg_remove_request(sfp, srp);
>>>                      return -EINVAL; /* either MMAP_IO or DIRECT_IO (not both) */
>>>              }
>>> -            if (sg_res_in_use(sfp)) {
>>> +            if (test_bit(SG_RESERVED_IN_USE, &sfp->flags)) {
>>>                      sg_remove_request(sfp, srp);
>>>                      return -EBUSY;  /* reserve buffer already being used */
>>>              }
>>> @@ -963,10 +964,14 @@ static int max_sectors_bytes(struct request_queue *q)
>>>              val = min_t(int, val,
>>>                          max_sectors_bytes(sdp->device->request_queue));
>>>              if (val != sfp->reserve.bufflen) {
>>> -                    if (sg_res_in_use(sfp) || sfp->mmap_called)
>>> +                    if (sfp->mmap_called)
>>> +                            return -EBUSY;
>>> +                    if (test_and_set_bit(SG_RESERVED_IN_USE, &sfp->flags))
>>>                              return -EBUSY;
>>> +
>>>                      sg_remove_scat(sfp, &sfp->reserve);
>>>                      sg_build_reserve(sfp, val);
>>> +                    clear_bit(SG_RESERVED_IN_USE, &sfp->flags);
>>
>>
>> This seems to be abusing an atomic bitflag as a lock.
>
> Hmm. I wouldn't call it 'abusing'; the driver can proceed quite happily
> without the 'reserved' buffer, so taking a lock would be overkill.
> I could modify it to use a mutex if you insist ...
>
>>  And I think
>> in general we have two different things here that this patch conflates:
>>
>>  a) a lock to protect building and using the reserve lists
>>  b) a flag is a reservations is in use
>>
> No. This is not about reservations, this is about the internal
> 'reserved' page buffer array.
> (Just in case to avoid any misunderstandings).
> We need to have an atomic / protected check in the 'sfp' structure if
> the 'reserved' page buffer array is in use; there's an additional check
> in the 'sg_request' structure (res_in_use) telling us which of the
> requests is using it.


So, how should we proceed here?
We could use a mutex with only trylock, but it would be effectively the same.

There is one missed user of sg_res_in_use in "case SG_SET_FORCE_LOW_DMA".



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux