Re: [PATCH RFC] sysfs: fix the race of "parent deleted before child added"

Fri, 01 Aug 2014 08:39:12 -0700 

Hi, all,

On Fri, Aug 1, 2014 at 11:18 PM, Tejun Heo <t...@kernel.org> wrote:
>
> Which old kernel?
>

  Quite old , 2.6.32.

>>    sysfs_create_dir()
>>        if (kobj->parent)
>>             parent = kobj->parent->sd;
>>
>> I found kobj->parent is valid, so parent == kobj->parent->sd,
>> then it is passed into create_dir() function, in which it is dereferenced,
>> however  the parent passed in is NULL, so a panic.
>
> Which node?
>

           /sys/block
               |
               |
             dm-111           <======      kobj->parent
               |
               |
             dm-111p1        <======     kobj



>> Apprently, there is a race, as my case is a test of fast removal and plugging
>> of a block device.
>>
>> The race is that the kerfs_node(was sysfs_dirent) is disassociated with
>> parent kobject, but parent kobject is still alive, so we saw it.
>
> What is the race condition?  You're just describing symptoms.

In this scenario, an user behavior that removes the block device dm-111 ,
and in the meanwhile, I don't know what trigger this, but a
rescan_partition() runs on dm-111,
in turn it caused an add_partition().

And after the crash dump analysis,  I found that the parent node is
removed (kobj->parent->sd == NULL),
but kobj-parent is still alive, as my previous mail described.

So this seems an invalid add_partition() of dm-111p1 on  non-existent dm-111.

And the race is that the parent is on its removal path, but the child
is on its creating path,
and it could observe parent's middle status -- sysfs_dirent is gone,
but kobject is alive.

>> And the commit 3a198886 ("sysfs: handle 'parent deleted before child added'")
>> add a parent NULLness check before calling into create_dir(),  but I think 
>> this
>> isn't the real fix, it just narrow down the racy window.
>
> Suspicions aren't good enough justifications.  If you think there's a
> race window, please track it down and then determine what the proper
> fix is.  You're now trying to change the basic objection lifetime
> rules of the driver model without root causing what's actually going
> on.  Please don't do things like this.

Yep, you are right.

Thanks,
Jianyu Zhan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to