diff options
| author | Dan Williams <dan.j.williams@intel.com> | 2017-04-30 09:57:01 -0400 |
|---|---|---|
| committer | Dan Williams <dan.j.williams@intel.com> | 2017-05-01 16:14:37 -0400 |
| commit | 565851c972b50612f3a4542e26879ffb3e906fc2 (patch) | |
| tree | 88c724ad5e0a8fc3fc4c6c4479cc2f4e31377f9c /drivers/dax | |
| parent | a3e9af95f794d000debc2a5ba3186ba85a6e115f (diff) | |
device-dax: fix sysfs attribute deadlock
Usage of device_lock() for dax_region attributes is unnecessary and
deadlock prone. It's unnecessary because the order of registration /
un-registration guarantees that drvdata is always valid. It's deadlock
prone because it sets up this situation:
ndctl D 0 2170 2082 0x00000000
Call Trace:
__schedule+0x31f/0x980
schedule+0x3d/0x90
schedule_preempt_disabled+0x15/0x20
__mutex_lock+0x402/0x980
? __mutex_lock+0x158/0x980
? align_show+0x2b/0x80 [dax]
? kernfs_seq_start+0x2f/0x90
mutex_lock_nested+0x1b/0x20
align_show+0x2b/0x80 [dax]
dev_attr_show+0x20/0x50
ndctl D 0 2186 2079 0x00000000
Call Trace:
__schedule+0x31f/0x980
schedule+0x3d/0x90
__kernfs_remove+0x1f6/0x340
? kernfs_remove_by_name_ns+0x45/0xa0
? remove_wait_queue+0x70/0x70
kernfs_remove_by_name_ns+0x45/0xa0
remove_files.isra.1+0x35/0x70
sysfs_remove_group+0x44/0x90
sysfs_remove_groups+0x2e/0x50
dax_region_unregister+0x25/0x40 [dax]
devm_action_release+0xf/0x20
release_nodes+0x16d/0x2b0
devres_release_all+0x3c/0x60
device_release_driver_internal+0x17d/0x220
device_release_driver+0x12/0x20
unbind_store+0x112/0x160
ndctl/2170 is trying to acquire the device_lock() to read an attribute,
and ndctl/2186 is holding the device_lock() while trying to drain all
active attribute readers.
Thanks to Yi Zhang for the reproduction script.
Fixes: d7fe1a67f658 ("dax: add region 'id', 'size', and 'align' attributes")
Cc: <stable@vger.kernel.org>
Reported-by: Yi Zhang <yizhan@redhat.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Diffstat (limited to 'drivers/dax')
| -rw-r--r-- | drivers/dax/dax.c | 40 |
1 files changed, 12 insertions, 28 deletions
diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c index ef93aa84622b..5e8302d3a89c 100644 --- a/drivers/dax/dax.c +++ b/drivers/dax/dax.c | |||
| @@ -36,36 +36,27 @@ static struct kmem_cache *dax_cache __read_mostly; | |||
| 36 | static struct super_block *dax_superblock __read_mostly; | 36 | static struct super_block *dax_superblock __read_mostly; |
| 37 | MODULE_PARM_DESC(nr_dax, "max number of device-dax instances"); | 37 | MODULE_PARM_DESC(nr_dax, "max number of device-dax instances"); |
| 38 | 38 | ||
| 39 | /* | ||
| 40 | * Rely on the fact that drvdata is set before the attributes are | ||
| 41 | * registered, and that the attributes are unregistered before drvdata | ||
| 42 | * is cleared to assume that drvdata is always valid. | ||
| 43 | */ | ||
| 39 | static ssize_t id_show(struct device *dev, | 44 | static ssize_t id_show(struct device *dev, |
| 40 | struct device_attribute *attr, char *buf) | 45 | struct device_attribute *attr, char *buf) |
| 41 | { | 46 | { |
| 42 | struct dax_region *dax_region; | 47 | struct dax_region *dax_region = dev_get_drvdata(dev); |
| 43 | ssize_t rc = -ENXIO; | ||
| 44 | 48 | ||
| 45 | device_lock(dev); | 49 | return sprintf(buf, "%d\n", dax_region->id); |
| 46 | dax_region = dev_get_drvdata(dev); | ||
| 47 | if (dax_region) | ||
| 48 | rc = sprintf(buf, "%d\n", dax_region->id); | ||
| 49 | device_unlock(dev); | ||
| 50 | |||
| 51 | return rc; | ||
| 52 | } | 50 | } |
| 53 | static DEVICE_ATTR_RO(id); | 51 | static DEVICE_ATTR_RO(id); |
| 54 | 52 | ||
| 55 | static ssize_t region_size_show(struct device *dev, | 53 | static ssize_t region_size_show(struct device *dev, |
| 56 | struct device_attribute *attr, char *buf) | 54 | struct device_attribute *attr, char *buf) |
| 57 | { | 55 | { |
| 58 | struct dax_region *dax_region; | 56 | struct dax_region *dax_region = dev_get_drvdata(dev); |
| 59 | ssize_t rc = -ENXIO; | ||
| 60 | 57 | ||
| 61 | device_lock(dev); | 58 | return sprintf(buf, "%llu\n", (unsigned long long) |
| 62 | dax_region = dev_get_drvdata(dev); | 59 | resource_size(&dax_region->res)); |
| 63 | if (dax_region) | ||
| 64 | rc = sprintf(buf, "%llu\n", (unsigned long long) | ||
| 65 | resource_size(&dax_region->res)); | ||
| 66 | device_unlock(dev); | ||
| 67 | |||
| 68 | return rc; | ||
| 69 | } | 60 | } |
| 70 | static struct device_attribute dev_attr_region_size = __ATTR(size, 0444, | 61 | static struct device_attribute dev_attr_region_size = __ATTR(size, 0444, |
| 71 | region_size_show, NULL); | 62 | region_size_show, NULL); |
| @@ -73,16 +64,9 @@ static struct device_attribute dev_attr_region_size = __ATTR(size, 0444, | |||
| 73 | static ssize_t align_show(struct device *dev, | 64 | static ssize_t align_show(struct device *dev, |
| 74 | struct device_attribute *attr, char *buf) | 65 | struct device_attribute *attr, char *buf) |
| 75 | { | 66 | { |
| 76 | struct dax_region *dax_region; | 67 | struct dax_region *dax_region = dev_get_drvdata(dev); |
| 77 | ssize_t rc = -ENXIO; | ||
| 78 | 68 | ||
| 79 | device_lock(dev); | 69 | return sprintf(buf, "%u\n", dax_region->align); |
| 80 | dax_region = dev_get_drvdata(dev); | ||
| 81 | if (dax_region) | ||
| 82 | rc = sprintf(buf, "%u\n", dax_region->align); | ||
| 83 | device_unlock(dev); | ||
| 84 | |||
| 85 | return rc; | ||
| 86 | } | 70 | } |
| 87 | static DEVICE_ATTR_RO(align); | 71 | static DEVICE_ATTR_RO(align); |
| 88 | 72 | ||