linux/drivers/target
Bart Van Assche d877d7275b target: Fix a deadlock between the XCOPY code and iSCSI session shutdown
Move the code for parsing an XCOPY command from the context of
the iSCSI receiver thread to the context of the XCOPY workqueue.
Keep the simple XCOPY checks in the context of the iSCSI receiver
thread. Move the code for allocating and freeing struct xcopy_op
from the code that parses an XCOPY command to its caller.

This patch fixes the following deadlock:

======================================================
[ INFO: possible circular locking dependency detected ]
4.10.0-rc7-dbg+ #1 Not tainted
-------------------------------------------------------
rmdir/13321 is trying to acquire lock:
 (&sess->cmdsn_mutex){+.+.+.}, at: [<ffffffffa02cb47d>] iscsit_free_all_ooo_cmdsns+0x2d/0xb0 [iscsi_target_mod]

but task is already holding lock:
 (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c6e20>] vfs_rmdir+0x50/0x140

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
-> #1 (&sb->s_type->i_mutex_key#14){++++++}:
 lock_acquire+0x71/0x90
 down_write+0x3f/0x70
 configfs_depend_item+0x3a/0xb0 [configfs]
 target_depend_item+0x13/0x20 [target_core_mod]
 target_xcopy_locate_se_dev_e4+0xdd/0x1a0 [target_core_mod]
 target_do_xcopy+0x34b/0x970 [target_core_mod]
 __target_execute_cmd+0x22/0xa0 [target_core_mod]
 target_execute_cmd+0x233/0x2c0 [target_core_mod]
 iscsit_execute_cmd+0x208/0x270 [iscsi_target_mod]
 iscsit_sequence_cmd+0x10b/0x190 [iscsi_target_mod]
 iscsit_get_rx_pdu+0x37d/0xcd0 [iscsi_target_mod]
 iscsi_target_rx_thread+0x6e/0xa0 [iscsi_target_mod]
 kthread+0x102/0x140
 ret_from_fork+0x31/0x40

-> #0 (&sess->cmdsn_mutex){+.+.+.}:
 __lock_acquire+0x10e6/0x1260
 lock_acquire+0x71/0x90
 mutex_lock_nested+0x5f/0x670
 iscsit_free_all_ooo_cmdsns+0x2d/0xb0 [iscsi_target_mod]
 iscsit_close_session+0xac/0x200 [iscsi_target_mod]
 lio_tpg_close_session+0x9f/0xb0 [iscsi_target_mod]
 target_shutdown_sessions+0xc3/0xd0 [target_core_mod]
 core_tpg_del_initiator_node_acl+0x91/0x140 [target_core_mod]
 target_fabric_nacl_base_release+0x20/0x30 [target_core_mod]
 config_item_release+0x5a/0xc0 [configfs]
 config_item_put+0x1d/0x1f [configfs]
 configfs_rmdir+0x1a6/0x300 [configfs]
 vfs_rmdir+0xb7/0x140
 do_rmdir+0x1f4/0x200
 SyS_rmdir+0x11/0x20
 entry_SYSCALL_64_fastpath+0x23/0xc6

other info that might help us debug this:

 Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#14);
                               lock(&sess->cmdsn_mutex);
                               lock(&sb->s_type->i_mutex_key#14);
  lock(&sess->cmdsn_mutex);

 *** DEADLOCK ***

3 locks held by rmdir/13321:
 #0:  (sb_writers#10){.+.+.+}, at: [<ffffffff811e1aff>] mnt_want_write+0x1f/0x50
 #1:  (&default_group_class[depth - 1]#2/1){+.+.+.}, at: [<ffffffff811cc8ce>] do_rmdir+0x15e/0x200
 #2:  (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c6e20>] vfs_rmdir+0x50/0x140

stack backtrace:
CPU: 2 PID: 13321 Comm: rmdir Not tainted 4.10.0-rc7-dbg+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0x86/0xc3
 print_circular_bug+0x1c7/0x220
 __lock_acquire+0x10e6/0x1260
 lock_acquire+0x71/0x90
 mutex_lock_nested+0x5f/0x670
 iscsit_free_all_ooo_cmdsns+0x2d/0xb0 [iscsi_target_mod]
 iscsit_close_session+0xac/0x200 [iscsi_target_mod]
 lio_tpg_close_session+0x9f/0xb0 [iscsi_target_mod]
 target_shutdown_sessions+0xc3/0xd0 [target_core_mod]
 core_tpg_del_initiator_node_acl+0x91/0x140 [target_core_mod]
 target_fabric_nacl_base_release+0x20/0x30 [target_core_mod]
 config_item_release+0x5a/0xc0 [configfs]
 config_item_put+0x1d/0x1f [configfs]
 configfs_rmdir+0x1a6/0x300 [configfs]
 vfs_rmdir+0xb7/0x140
 do_rmdir+0x1f4/0x200
 SyS_rmdir+0x11/0x20
 entry_SYSCALL_64_fastpath+0x23/0xc6

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Andy Grover <agrover@redhat.com>
Cc: David Disseldorp <ddiss@suse.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2017-07-06 22:58:00 -07:00
..
iscsi iscsi-target: Avoid holding ->tpg_state_lock during param update 2017-06-08 23:26:38 -07:00
loopback target: Minimize #include directives 2016-12-09 10:22:28 -08:00
sbp sbp-target: Add an #include directive 2016-12-09 10:20:10 -08:00
tcm_fc Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-03-02 14:52:05 -08:00
Kconfig block: make scsi_request and scsi ioctl support optional 2017-01-31 10:53:05 -07:00
Makefile target: Put TCMU under a new config option 2015-04-19 22:41:12 -07:00
target_core_alua.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_alua.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_configfs.c target/configfs: Kill se_device->dev_link_magic 2017-06-08 23:26:38 -07:00
target_core_device.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_fabric_configfs.c target/configfs: Kill se_lun->lun_link_magic 2017-06-08 23:26:38 -07:00
target_core_fabric_lib.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_file.c target/fileio: Fix zero-length READ and WRITE handling 2017-05-07 16:05:16 -07:00
target_core_file.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_hba.c target: Fix target_sense_desc_format NULL pointer dereference 2015-09-24 23:17:23 -07:00
target_core_iblock.c target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout 2017-06-08 23:26:37 -07:00
target_core_iblock.h target/iblock: convert iblock_req.pending from atomic_t to refcount_t 2017-05-01 22:20:43 -07:00
target_core_internal.h target: Fix kref->refcount underflow in transport_cmd_finish_abort 2017-06-08 22:24:18 -07:00
target_core_pr.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_pr.h target/pr: update PR out action code table 2017-05-01 22:20:44 -07:00
target_core_pscsi.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_pscsi.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_rd.c target: remove dead code 2017-06-08 23:26:37 -07:00
target_core_rd.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_sbc.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_spc.c target: Use {get,put}_unaligned_be*() instead of open coding these functions 2017-07-06 22:57:59 -07:00
target_core_stat.c target: Add counters for ABORT_TASK success + failure 2017-02-26 16:21:06 -08:00
target_core_tmr.c target: Fix kref->refcount underflow in transport_cmd_finish_abort 2017-06-08 22:24:18 -07:00
target_core_tpg.c target/configfs: Kill se_lun->lun_link_magic 2017-06-08 23:26:38 -07:00
target_core_transport.c target: Fix transport_init_se_cmd() 2017-07-06 22:57:59 -07:00
target_core_ua.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
target_core_ua.h target: Minimize #include directives 2016-12-09 10:22:28 -08:00
target_core_user.c tcmu: fix crash during device removal 2017-05-23 19:50:49 -07:00
target_core_xcopy.c target: Fix a deadlock between the XCOPY code and iSCSI session shutdown 2017-07-06 22:58:00 -07:00
target_core_xcopy.h target: check for XCOPY parameter truncation 2017-01-10 08:41:27 -08:00