diff for duplicates of <1487957968.2575.6.camel@sandisk.com> diff --git a/a/1.txt b/N1/1.txt index 01b9458..26a2a1e 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -2,107 +2,75 @@ On Mon, 2017-02-20 at 09:32 -0700, Jens Axboe wrote: > On 02/20/2017 09:16 AM, Bart Van Assche wrote: > > On 02/19/2017 11:35 PM, Christoph Hellwig wrote: > > > On Sun, Feb 19, 2017 at 06:15:41PM -0700, Jens Axboe wrote: -> > > > That said, we will look into this again, of course. Christoph, any = -idea? -> > >=20 -> > > No idea really - this seems so far away from the code touched, and th= -ere +> > > > That said, we will look into this again, of course. Christoph, any idea? +> > > +> > > No idea really - this seems so far away from the code touched, and there > > > are no obvious signs for a memory scamble from another object touched -> > > that I think if it really bisects down to that issue it must be a tim= -ing +> > > that I think if it really bisects down to that issue it must be a timing > > > issue. -> > >=20 +> > > > > > But reading Bart's message again: Did you actually bisect it down > > > to the is commit? Or just test the whole tree? Between the 4.10-rc5 > > > merge and all the block tree there might a few more likely suspects > > > like the scsi bdi lifetime fixes that James mentioned. -> >=20 +> > > > Hello Christoph, -> >=20 -> > As far as I know Jens does not rebase his trees so we can use the commi= -t -> > date to check which patch went in when. From the first of Jan's bdi pat= -ches: -> >=20 +> > +> > As far as I know Jens does not rebase his trees so we can use the commit +> > date to check which patch went in when. From the first of Jan's bdi patches: +> > > > CommitDate: Thu Feb 2 08:18:41 2017 -0700 -> >=20 -> > So the bdi patches went in several days after I reported the general pr= -otection +> > +> > So the bdi patches went in several days after I reported the general protection > > fault issue. -> >=20 -> > In an e-mail of January 30th I wrote the following: "Running the srp-te= -st +> > +> > In an e-mail of January 30th I wrote the following: "Running the srp-test > > software against kernel 4.9.6 and kernel 4.10-rc5 went fine. With your > > for-4.11/block branch (commit 400f73b23f457a) however I just ran into -> > the following warning: [ ... ]" That means that I did not hit the crash= - with -> > Jens' for-4.11/block branch but only with the for-next branch. The patc= -hes -> > on Jens' for-next branch after that commit that were applied before I r= -an +> > the following warning: [ ... ]" That means that I did not hit the crash with +> > Jens' for-4.11/block branch but only with the for-next branch. The patches +> > on Jens' for-next branch after that commit that were applied before I ran > > my test are: -> >=20 -> > $ PAGER=3D git log --format=3Doneline 400f73b23f457a..fb045ca25cc7 bloc= -k drivers/md/dm{,-mpath,-table}.[ch] -> > fb045ca25cc7b6d46368ab8221774489c2a81648 block: don't assign cmd_flags = -in __blk_rq_prep_clone -> > 82ed4db499b8598f16f8871261bff088d6b0597f block: split scsi_request out = -of struct request -> > 8ae94eb65be9425af4d57a4f4cfebfdf03081e93 block/bsg: move queue creation= - into bsg_setup_queue -> > eb8db831be80692bf4bda3dfc55001daf64ec299 dm: always defer request alloc= -ation to the owner of the request_queue -> > 6d247d7f71d1fa4b66a5f4da7b1daa21510d529b block: allow specifying size f= -or extra command data -> > 5ea708d15a928f7a479987704203616d3274c03b block: simplify blk_init_alloc= -ated_queue +> > +> > $ PAGER= git log --format=oneline 400f73b23f457a..fb045ca25cc7 block drivers/md/dm{,-mpath,-table}.[ch] +> > fb045ca25cc7b6d46368ab8221774489c2a81648 block: don't assign cmd_flags in __blk_rq_prep_clone +> > 82ed4db499b8598f16f8871261bff088d6b0597f block: split scsi_request out of struct request +> > 8ae94eb65be9425af4d57a4f4cfebfdf03081e93 block/bsg: move queue creation into bsg_setup_queue +> > eb8db831be80692bf4bda3dfc55001daf64ec299 dm: always defer request allocation to the owner of the request_queue +> > 6d247d7f71d1fa4b66a5f4da7b1daa21510d529b block: allow specifying size for extra command data +> > 5ea708d15a928f7a479987704203616d3274c03b block: simplify blk_init_allocated_queue > > e6f7f93d58de74700f83dd0547dd4306248a093d block: fix elevator init check -> > f924ba70c1b12706c6679d793202e8f4c125f7ae Merge branch 'for-4.11/block' = -into for-4.11/rq-refactor +> > f924ba70c1b12706c6679d793202e8f4c125f7ae Merge branch 'for-4.11/block' into for-4.11/rq-refactor > > 88a7503376f4f3bf303c809d1a389739e1205614 blk-mq: Remove unused variable -> > bef13315e990fd3d3fb4c39013aefd53f06c3657 block: don't try to discard fr= -om __blkdev_issue_zeroout -> > f99e86485cc32cd16e5cc97f9bb0474f28608d84 block: Rename blk_queue_zone_s= -ize and bdev_zone_size -> >=20 -> > Do you see any patch in the above list that does not belong to the "spl= -it -> > scsi passthrough fields out of struct request" series and that could ha= -ve +> > bef13315e990fd3d3fb4c39013aefd53f06c3657 block: don't try to discard from __blkdev_issue_zeroout +> > f99e86485cc32cd16e5cc97f9bb0474f28608d84 block: Rename blk_queue_zone_size and bdev_zone_size +> > +> > Do you see any patch in the above list that does not belong to the "split +> > scsi passthrough fields out of struct request" series and that could have > > caused the reported behavior change? ->=20 -> Bart, since you are the only one that can reproduce this, can you just bi= -sect +> +> Bart, since you are the only one that can reproduce this, can you just bisect > your way through that series? Hello Jens, Since Christoph also has access to IB hardware I will leave it to Christoph to do the bisect. Anyway, I just reproduced this crash with Linus' current -tree (commit f1ef09fde17f) by running=A0srp-test/run_tests -r 10 -t 02-sq-o= -n-mq -(see also=A0https://github.com/bvanassche/srp-test): +tree (commit f1ef09fde17f) by running srp-test/run_tests -r 10 -t 02-sq-on-mq +(see also https://github.com/bvanassche/srp-test): [ 1629.920553] general protection fault: 0000 [#1] SMP -[ 1629.921193] CPU: 6 PID: 46 Comm: ksoftirqd/6 Tainted: G I 4= -.10.0-dbg+ #1 +[ 1629.921193] CPU: 6 PID: 46 Comm: ksoftirqd/6 Tainted: G I 4.10.0-dbg+ #1 [ 1629.921289] RIP: 0010:rq_completed+0x12/0x90 [dm_mod] [ 1629.921316] RSP: 0018:ffffc90001bdbda8 EFLAGS: 00010246 -[ 1629.921344] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: 00000000000= -00000 -[ 1629.921372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6= -b6b6b -[ 1629.921401] RBP: ffffc90001bdbdc0 R08: ffff8803a3858d48 R09: 00000000000= -00000 -[ 1629.921429] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000= -00000 -[ 1629.921458] R13: 0000000000000000 R14: ffffffff81c05120 R15: 00000000000= -00004 -[ 1629.921489] FS: 0000000000000000(0000) GS:ffff88046ef80000(0000) knlGS:= -0000000000000000 +[ 1629.921344] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000000 +[ 1629.921372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6b6b +[ 1629.921401] RBP: ffffc90001bdbdc0 R08: ffff8803a3858d48 R09: 0000000000000000 +[ 1629.921429] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +[ 1629.921458] R13: 0000000000000000 R14: ffffffff81c05120 R15: 0000000000000004 +[ 1629.921489] FS: 0000000000000000(0000) GS:ffff88046ef80000(0000) knlGS:0000000000000000 [ 1629.921520] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 1629.921547] CR2: 00007fb6324486b8 CR3: 0000000001c0f000 CR4: 00000000001= -406e0 +[ 1629.921547] CR2: 00007fb6324486b8 CR3: 0000000001c0f000 CR4: 00000000001406e0 [ 1629.921576] Call Trace: [ 1629.921605] dm_softirq_done+0xe6/0x1e0 [dm_mod] [ 1629.921637] blk_done_softirq+0x88/0xa0 @@ -111,44 +79,36 @@ b6b6b [ 1629.921769] smpboot_thread_fn+0x123/0x1e0 [ 1629.921797] kthread+0x107/0x140 [ 1629.921944] ret_from_fork+0x2e/0x40 -[ 1629.921972] Code: ff ff 31 f6 48 89 c7 e8 ed 96 2f e1 5d c3 90 66 2e 0f = -1f 84 00 00 00 00 00 55 48 63 f6 48 89 e5 41 55 41 89 d5 41 54 53 48 89 fb = -<4c> 8b a7 70 02 00 00 f0 ff 8c b7 38 03 00 00 e8 3a 43 ff ff 85=20 +[ 1629.921972] Code: ff ff 31 f6 48 89 c7 e8 ed 96 2f e1 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 63 f6 48 89 e5 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b a7 70 02 00 00 f0 ff 8c b7 38 03 00 00 e8 3a 43 ff ff 85 [ 1629.922093] RIP: rq_completed+0x12/0x90 [dm_mod] RSP: ffffc90001bdbda8 $ gdb drivers/md/dm-mod.ko -(gdb) list *(rq_completed+0x12) =A0=A0=A0 +(gdb) list *(rq_completed+0x12) 0xdf62 is in rq_completed (drivers/md/dm-rq.c:187). -182 =A0=A0=A0=A0=A0* the md may be freed in dm_put() at the end of this fun= -ction. -183 =A0=A0=A0=A0=A0* Or do dm_get() before calling this function and dm_put= -() later. -184 =A0=A0=A0=A0=A0*/ -185 =A0=A0=A0=A0static void rq_completed(struct mapped_device *md, int rw, = -bool run_queue) -186 =A0=A0=A0=A0{ -187 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0struct request_queue *q =3D md->que= -ue; -188 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0unsigned long flags; +182 * the md may be freed in dm_put() at the end of this function. +183 * Or do dm_get() before calling this function and dm_put() later. +184 */ +185 static void rq_completed(struct mapped_device *md, int rw, bool run_queue) +186 { +187 struct request_queue *q = md->queue; +188 unsigned long flags; 189 -190 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0atomic_dec(&md->pending[rw]); +190 atomic_dec(&md->pending[rw]); 191 -(gdb) disas rq_completed =A0 +(gdb) disas rq_completed Dump of assembler code for function rq_completed: - =A0=A00x000000000000df50 <+0>: =A0=A0=A0=A0push =A0=A0%rbp - =A0=A00x000000000000df51 <+1>: =A0=A0=A0=A0movslq %esi,%rsi - =A0=A00x000000000000df54 <+4>: =A0=A0=A0=A0mov =A0=A0=A0%rsp,%rbp - =A0=A00x000000000000df57 <+7>: =A0=A0=A0=A0push =A0=A0%r13 - =A0=A00x000000000000df59 <+9>: =A0=A0=A0=A0mov =A0=A0=A0%edx,%r13d - =A0=A00x000000000000df5c <+12>: =A0=A0=A0push =A0=A0%r12 - =A0=A00x000000000000df5e <+14>: =A0=A0=A0push =A0=A0%rbx - =A0=A00x000000000000df5f <+15>: =A0=A0=A0mov =A0=A0=A0%rdi,%rbx - =A0=A00x000000000000df62 <+18>: =A0=A0=A0mov =A0=A0=A00x270(%rdi),%r12 + 0x000000000000df50 <+0>: push %rbp + 0x000000000000df51 <+1>: movslq %esi,%rsi + 0x000000000000df54 <+4>: mov %rsp,%rbp + 0x000000000000df57 <+7>: push %r13 + 0x000000000000df59 <+9>: mov %edx,%r13d + 0x000000000000df5c <+12>: push %r12 + 0x000000000000df5e <+14>: push %rbx + 0x000000000000df5f <+15>: mov %rdi,%rbx + 0x000000000000df62 <+18>: mov 0x270(%rdi),%r12 [ ... ] -So the crash is caused by an attempt to dereference address 0x6b6b6b6b6b6b6= -b6b -at offset 0x270. I think this means the crash is caused by a use-after-free= -. +So the crash is caused by an attempt to dereference address 0x6b6b6b6b6b6b6b6b +at offset 0x270. I think this means the crash is caused by a use-after-free. -Bart.= +Bart. diff --git a/a/content_digest b/N1/content_digest index acb73f5..63ea86e 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -19,107 +19,75 @@ "> On 02/20/2017 09:16 AM, Bart Van Assche wrote:\n" "> > On 02/19/2017 11:35 PM, Christoph Hellwig wrote:\n" "> > > On Sun, Feb 19, 2017 at 06:15:41PM -0700, Jens Axboe wrote:\n" - "> > > > That said, we will look into this again, of course. Christoph, any =\n" - "idea?\n" - "> > >=20\n" - "> > > No idea really - this seems so far away from the code touched, and th=\n" - "ere\n" + "> > > > That said, we will look into this again, of course. Christoph, any idea?\n" + "> > > \n" + "> > > No idea really - this seems so far away from the code touched, and there\n" "> > > are no obvious signs for a memory scamble from another object touched\n" - "> > > that I think if it really bisects down to that issue it must be a tim=\n" - "ing\n" + "> > > that I think if it really bisects down to that issue it must be a timing\n" "> > > issue.\n" - "> > >=20\n" + "> > > \n" "> > > But reading Bart's message again: Did you actually bisect it down\n" "> > > to the is commit? Or just test the whole tree? Between the 4.10-rc5\n" "> > > merge and all the block tree there might a few more likely suspects\n" "> > > like the scsi bdi lifetime fixes that James mentioned.\n" - "> >=20\n" + "> > \n" "> > Hello Christoph,\n" - "> >=20\n" - "> > As far as I know Jens does not rebase his trees so we can use the commi=\n" - "t\n" - "> > date to check which patch went in when. From the first of Jan's bdi pat=\n" - "ches:\n" - "> >=20\n" + "> > \n" + "> > As far as I know Jens does not rebase his trees so we can use the commit\n" + "> > date to check which patch went in when. From the first of Jan's bdi patches:\n" + "> > \n" "> > CommitDate: Thu Feb 2 08:18:41 2017 -0700\n" - "> >=20\n" - "> > So the bdi patches went in several days after I reported the general pr=\n" - "otection\n" + "> > \n" + "> > So the bdi patches went in several days after I reported the general protection\n" "> > fault issue.\n" - "> >=20\n" - "> > In an e-mail of January 30th I wrote the following: \"Running the srp-te=\n" - "st\n" + "> > \n" + "> > In an e-mail of January 30th I wrote the following: \"Running the srp-test\n" "> > software against kernel 4.9.6 and kernel 4.10-rc5 went fine. With your\n" "> > for-4.11/block branch (commit 400f73b23f457a) however I just ran into\n" - "> > the following warning: [ ... ]\" That means that I did not hit the crash=\n" - " with\n" - "> > Jens' for-4.11/block branch but only with the for-next branch. The patc=\n" - "hes\n" - "> > on Jens' for-next branch after that commit that were applied before I r=\n" - "an\n" + "> > the following warning: [ ... ]\" That means that I did not hit the crash with\n" + "> > Jens' for-4.11/block branch but only with the for-next branch. The patches\n" + "> > on Jens' for-next branch after that commit that were applied before I ran\n" "> > my test are:\n" - "> >=20\n" - "> > $ PAGER=3D git log --format=3Doneline 400f73b23f457a..fb045ca25cc7 bloc=\n" - "k drivers/md/dm{,-mpath,-table}.[ch]\n" - "> > fb045ca25cc7b6d46368ab8221774489c2a81648 block: don't assign cmd_flags =\n" - "in __blk_rq_prep_clone\n" - "> > 82ed4db499b8598f16f8871261bff088d6b0597f block: split scsi_request out =\n" - "of struct request\n" - "> > 8ae94eb65be9425af4d57a4f4cfebfdf03081e93 block/bsg: move queue creation=\n" - " into bsg_setup_queue\n" - "> > eb8db831be80692bf4bda3dfc55001daf64ec299 dm: always defer request alloc=\n" - "ation to the owner of the request_queue\n" - "> > 6d247d7f71d1fa4b66a5f4da7b1daa21510d529b block: allow specifying size f=\n" - "or extra command data\n" - "> > 5ea708d15a928f7a479987704203616d3274c03b block: simplify blk_init_alloc=\n" - "ated_queue\n" + "> > \n" + "> > $ PAGER= git log --format=oneline 400f73b23f457a..fb045ca25cc7 block drivers/md/dm{,-mpath,-table}.[ch]\n" + "> > fb045ca25cc7b6d46368ab8221774489c2a81648 block: don't assign cmd_flags in __blk_rq_prep_clone\n" + "> > 82ed4db499b8598f16f8871261bff088d6b0597f block: split scsi_request out of struct request\n" + "> > 8ae94eb65be9425af4d57a4f4cfebfdf03081e93 block/bsg: move queue creation into bsg_setup_queue\n" + "> > eb8db831be80692bf4bda3dfc55001daf64ec299 dm: always defer request allocation to the owner of the request_queue\n" + "> > 6d247d7f71d1fa4b66a5f4da7b1daa21510d529b block: allow specifying size for extra command data\n" + "> > 5ea708d15a928f7a479987704203616d3274c03b block: simplify blk_init_allocated_queue\n" "> > e6f7f93d58de74700f83dd0547dd4306248a093d block: fix elevator init check\n" - "> > f924ba70c1b12706c6679d793202e8f4c125f7ae Merge branch 'for-4.11/block' =\n" - "into for-4.11/rq-refactor\n" + "> > f924ba70c1b12706c6679d793202e8f4c125f7ae Merge branch 'for-4.11/block' into for-4.11/rq-refactor\n" "> > 88a7503376f4f3bf303c809d1a389739e1205614 blk-mq: Remove unused variable\n" - "> > bef13315e990fd3d3fb4c39013aefd53f06c3657 block: don't try to discard fr=\n" - "om __blkdev_issue_zeroout\n" - "> > f99e86485cc32cd16e5cc97f9bb0474f28608d84 block: Rename blk_queue_zone_s=\n" - "ize and bdev_zone_size\n" - "> >=20\n" - "> > Do you see any patch in the above list that does not belong to the \"spl=\n" - "it\n" - "> > scsi passthrough fields out of struct request\" series and that could ha=\n" - "ve\n" + "> > bef13315e990fd3d3fb4c39013aefd53f06c3657 block: don't try to discard from __blkdev_issue_zeroout\n" + "> > f99e86485cc32cd16e5cc97f9bb0474f28608d84 block: Rename blk_queue_zone_size and bdev_zone_size\n" + "> > \n" + "> > Do you see any patch in the above list that does not belong to the \"split\n" + "> > scsi passthrough fields out of struct request\" series and that could have\n" "> > caused the reported behavior change?\n" - ">=20\n" - "> Bart, since you are the only one that can reproduce this, can you just bi=\n" - "sect\n" + "> \n" + "> Bart, since you are the only one that can reproduce this, can you just bisect\n" "> your way through that series?\n" "\n" "Hello Jens,\n" "\n" "Since Christoph also has access to IB hardware I will leave it to Christoph\n" "to do the bisect. Anyway, I just reproduced this crash with Linus' current\n" - "tree (commit f1ef09fde17f) by running=A0srp-test/run_tests -r 10 -t 02-sq-o=\n" - "n-mq\n" - "(see also=A0https://github.com/bvanassche/srp-test):\n" + "tree (commit f1ef09fde17f) by running\302\240srp-test/run_tests -r 10 -t 02-sq-on-mq\n" + "(see also\302\240https://github.com/bvanassche/srp-test):\n" "\n" "[ 1629.920553] general protection fault: 0000 [#1] SMP\n" - "[ 1629.921193] CPU: 6 PID: 46 Comm: ksoftirqd/6 Tainted: G I 4=\n" - ".10.0-dbg+ #1\n" + "[ 1629.921193] CPU: 6 PID: 46 Comm: ksoftirqd/6 Tainted: G I 4.10.0-dbg+ #1\n" "[ 1629.921289] RIP: 0010:rq_completed+0x12/0x90 [dm_mod]\n" "[ 1629.921316] RSP: 0018:ffffc90001bdbda8 EFLAGS: 00010246\n" - "[ 1629.921344] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: 00000000000=\n" - "00000\n" - "[ 1629.921372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6=\n" - "b6b6b\n" - "[ 1629.921401] RBP: ffffc90001bdbdc0 R08: ffff8803a3858d48 R09: 00000000000=\n" - "00000\n" - "[ 1629.921429] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000=\n" - "00000\n" - "[ 1629.921458] R13: 0000000000000000 R14: ffffffff81c05120 R15: 00000000000=\n" - "00004\n" - "[ 1629.921489] FS: 0000000000000000(0000) GS:ffff88046ef80000(0000) knlGS:=\n" - "0000000000000000\n" + "[ 1629.921344] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000000\n" + "[ 1629.921372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6b6b\n" + "[ 1629.921401] RBP: ffffc90001bdbdc0 R08: ffff8803a3858d48 R09: 0000000000000000\n" + "[ 1629.921429] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n" + "[ 1629.921458] R13: 0000000000000000 R14: ffffffff81c05120 R15: 0000000000000004\n" + "[ 1629.921489] FS: 0000000000000000(0000) GS:ffff88046ef80000(0000) knlGS:0000000000000000\n" "[ 1629.921520] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n" - "[ 1629.921547] CR2: 00007fb6324486b8 CR3: 0000000001c0f000 CR4: 00000000001=\n" - "406e0\n" + "[ 1629.921547] CR2: 00007fb6324486b8 CR3: 0000000001c0f000 CR4: 00000000001406e0\n" "[ 1629.921576] Call Trace:\n" "[ 1629.921605] dm_softirq_done+0xe6/0x1e0 [dm_mod]\n" "[ 1629.921637] blk_done_softirq+0x88/0xa0\n" @@ -128,46 +96,38 @@ "[ 1629.921769] smpboot_thread_fn+0x123/0x1e0\n" "[ 1629.921797] kthread+0x107/0x140\n" "[ 1629.921944] ret_from_fork+0x2e/0x40\n" - "[ 1629.921972] Code: ff ff 31 f6 48 89 c7 e8 ed 96 2f e1 5d c3 90 66 2e 0f =\n" - "1f 84 00 00 00 00 00 55 48 63 f6 48 89 e5 41 55 41 89 d5 41 54 53 48 89 fb =\n" - "<4c> 8b a7 70 02 00 00 f0 ff 8c b7 38 03 00 00 e8 3a 43 ff ff 85=20\n" + "[ 1629.921972] Code: ff ff 31 f6 48 89 c7 e8 ed 96 2f e1 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 63 f6 48 89 e5 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b a7 70 02 00 00 f0 ff 8c b7 38 03 00 00 e8 3a 43 ff ff 85 \n" "[ 1629.922093] RIP: rq_completed+0x12/0x90 [dm_mod] RSP: ffffc90001bdbda8\n" "\n" "$ gdb drivers/md/dm-mod.ko\n" - "(gdb) list *(rq_completed+0x12) =A0=A0=A0\n" + "(gdb) list *(rq_completed+0x12) \302\240\302\240\302\240\n" "0xdf62 is in rq_completed (drivers/md/dm-rq.c:187).\n" - "182 =A0=A0=A0=A0=A0* the md may be freed in dm_put() at the end of this fun=\n" - "ction.\n" - "183 =A0=A0=A0=A0=A0* Or do dm_get() before calling this function and dm_put=\n" - "() later.\n" - "184 =A0=A0=A0=A0=A0*/\n" - "185 =A0=A0=A0=A0static void rq_completed(struct mapped_device *md, int rw, =\n" - "bool run_queue)\n" - "186 =A0=A0=A0=A0{\n" - "187 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0struct request_queue *q =3D md->que=\n" - "ue;\n" - "188 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0unsigned long flags;\n" + "182 \302\240\302\240\302\240\302\240\302\240* the md may be freed in dm_put() at the end of this function.\n" + "183 \302\240\302\240\302\240\302\240\302\240* Or do dm_get() before calling this function and dm_put() later.\n" + "184 \302\240\302\240\302\240\302\240\302\240*/\n" + "185 \302\240\302\240\302\240\302\240static void rq_completed(struct mapped_device *md, int rw, bool run_queue)\n" + "186 \302\240\302\240\302\240\302\240{\n" + "187 \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240struct request_queue *q = md->queue;\n" + "188 \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240unsigned long flags;\n" "189\n" - "190 =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0atomic_dec(&md->pending[rw]);\n" + "190 \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240atomic_dec(&md->pending[rw]);\n" "191\n" - "(gdb) disas rq_completed =A0\n" + "(gdb) disas rq_completed \302\240\n" "Dump of assembler code for function rq_completed:\n" - " =A0=A00x000000000000df50 <+0>: =A0=A0=A0=A0push =A0=A0%rbp\n" - " =A0=A00x000000000000df51 <+1>: =A0=A0=A0=A0movslq %esi,%rsi\n" - " =A0=A00x000000000000df54 <+4>: =A0=A0=A0=A0mov =A0=A0=A0%rsp,%rbp\n" - " =A0=A00x000000000000df57 <+7>: =A0=A0=A0=A0push =A0=A0%r13\n" - " =A0=A00x000000000000df59 <+9>: =A0=A0=A0=A0mov =A0=A0=A0%edx,%r13d\n" - " =A0=A00x000000000000df5c <+12>: =A0=A0=A0push =A0=A0%r12\n" - " =A0=A00x000000000000df5e <+14>: =A0=A0=A0push =A0=A0%rbx\n" - " =A0=A00x000000000000df5f <+15>: =A0=A0=A0mov =A0=A0=A0%rdi,%rbx\n" - " =A0=A00x000000000000df62 <+18>: =A0=A0=A0mov =A0=A0=A00x270(%rdi),%r12\n" + " \302\240\302\2400x000000000000df50 <+0>: \302\240\302\240\302\240\302\240push \302\240\302\240%rbp\n" + " \302\240\302\2400x000000000000df51 <+1>: \302\240\302\240\302\240\302\240movslq %esi,%rsi\n" + " \302\240\302\2400x000000000000df54 <+4>: \302\240\302\240\302\240\302\240mov \302\240\302\240\302\240%rsp,%rbp\n" + " \302\240\302\2400x000000000000df57 <+7>: \302\240\302\240\302\240\302\240push \302\240\302\240%r13\n" + " \302\240\302\2400x000000000000df59 <+9>: \302\240\302\240\302\240\302\240mov \302\240\302\240\302\240%edx,%r13d\n" + " \302\240\302\2400x000000000000df5c <+12>: \302\240\302\240\302\240push \302\240\302\240%r12\n" + " \302\240\302\2400x000000000000df5e <+14>: \302\240\302\240\302\240push \302\240\302\240%rbx\n" + " \302\240\302\2400x000000000000df5f <+15>: \302\240\302\240\302\240mov \302\240\302\240\302\240%rdi,%rbx\n" + " \302\240\302\2400x000000000000df62 <+18>: \302\240\302\240\302\240mov \302\240\302\240\302\2400x270(%rdi),%r12\n" "[ ... ]\n" "\n" - "So the crash is caused by an attempt to dereference address 0x6b6b6b6b6b6b6=\n" - "b6b\n" - "at offset 0x270. I think this means the crash is caused by a use-after-free=\n" - ".\n" + "So the crash is caused by an attempt to dereference address 0x6b6b6b6b6b6b6b6b\n" + "at offset 0x270. I think this means the crash is caused by a use-after-free.\n" "\n" - Bart.= + Bart. -8d4ca1006b8cab7dd6f173be9fec0802f7073c1ca905b8fa8a756e7179192038 +d6c8b5776328b4b9627927c28d3b912994aab6dcc2ea252db682148742089b55
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.