On Thu, Sep 30, 2021 at 10:29:24AM +0200, Greg Kroah-Hartman wrote:
> On Thu, Sep 30, 2021 at 04:20:11PM +0800, Ming Lei wrote:
> > On Thu, Sep 30, 2021 at 10:07:44AM +0200, Greg Kroah-Hartman wrote:
> > > On Thu, Sep 30, 2021 at 03:40:26PM +0800, Ming Lei wrote:
> > > > SCSI host release is triggered when SCSI device is freed, and we have to
> > > > make sure that LLD module won't be unloaded before SCSI host instance is
> > > > released because shost->hostt is required in host release handler.
> > > >
> > > > So put LLD module refcnt after SCSI device is released.
> > > >
> > > > The real release handler can be run from wq context in case of
> > > > in_interrupt(), so add one atomic counter for serializing putting
> > > > module via current and wq context. This way is fine since we don't
> > > > call scsi_device_put() in fast IO path.
> > > >
> > > > Reported-by: Changhui Zhong <czhong@xxxxxxxxxx>
> > > > Reported-by: Yi Zhang <yi.zhang@xxxxxxxxxx>
> > > > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > > > Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
> > > > ---
> > > > drivers/scsi/scsi.c | 8 +++++++-
> > > > drivers/scsi/scsi_sysfs.c | 10 ++++++++++
> > > > include/scsi/scsi_device.h | 2 ++
> > > > 3 files changed, 19 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
> > > > index b241f9e3885c..b6612161587f 100644
> > > > --- a/drivers/scsi/scsi.c
> > > > +++ b/drivers/scsi/scsi.c
> > > > @@ -553,8 +553,14 @@ EXPORT_SYMBOL(scsi_device_get);
> > > > */
> > > > void scsi_device_put(struct scsi_device *sdev)
> > > > {
> > > > - module_put(sdev->host->hostt->module);
> > > > + struct module *mod = sdev->host->hostt->module;
> > > > +
> > > > + atomic_inc(&sdev->put_dev_cnt);
> > >
> > > Ick, no! Why are you making a new lock and reference count for no
> > > reason?
> >
> > The reason is to make sure that the LLD module is only put from either
> > scsi_device_put() and scsi_device_dev_release_usercontext().
> >
> > >
> > > > +
> > > > put_device(&sdev->sdev_gendev);
> > > > +
> > > > + if (atomic_dec_if_positive(&sdev->put_dev_cnt) >= 0)
> > > > + module_put(mod);
> > >
> > > How do you know if your module pointer is still valid here?
> >
> > module refcnt is grabbed in scsi_device_get(), so it is valid.
>
> Then you don't need the extra atomic variable.
>
> > >
> > > Why do you care?
> > >
> > > What problem are you trying to solve and why is it unique to scsi
> > > devices?
> >
> > See it from the commit log:
> >
> > SCSI host release is triggered when SCSI device is freed, and we have to
> > make sure that LLD module won't be unloaded before SCSI host instance is
> > released because shost->hostt is required in host release handler.
>
> What is "hostt"?
hostt is 'struct scsi_host_template' which is defined in LLD module, and
often allocated as static global variable, that is what try_get_module()
tries to protect.
>
> >
> > So put LLD module refcnt after SCSI device is released.
>
> Why not just drop it explicitly when you drop the reference count of the
> device object? Like you tried to do here, but no need for the extra
> atomic variable.
scsi_device_dev_release_usercontext() may be scheduled via schedule_work from
the device object's release handler for releasing the scsi_device, which may
trigger scsi host's release handler in which hostt is required.
If we simply call module_put() after put_device() simply, the module
refcnt may be dropped earlier than running
scsi_device_dev_release_usercontext(), then the kernel panic still can't
be addressed.
Thanks,
Ming
