From: Wu Fengguang <fengguang.wu@intel.com>
To: Namjae Jeon <linkinjeon@gmail.com>
Cc: Rabin Vincent <rabin@rab.in>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue
Date: Mon, 6 Feb 2012 11:18:50 +0800 [thread overview]
Message-ID: <20120206031849.GB23450@localhost> (raw)
In-Reply-To: <CAKYAXd_t4+ea=qVHETiuSZn4PExYTCboV0_upnoOTUrvsjuSTA@mail.gmail.com>
> >> However, I've found one more race condition leading to a crash when
> >> tracing is enabled, this time from the writeback:queue trace point from
> >> bdi_queue_work(). The cause is the same, i.e. bdi->dev is NULL. This
> >> was produced with the help of the following delay patch. trace+log is
> >> attached.
> >
> > Rabin, this should fix the bug. Note that I take no efforts to remove
> > the to-be-queued and already-queued works. I'm also a bit afraid if
> > the traces in the balance_dirty_pages() path (trace_balance_dirty_pages,
> > trace_bdi_dirty_ratelimit and writeback_wake_background) will have
> > similar NULL dereference bug. Do you test it by physically hot
> > removing a SD card, or with some detach command or emulation?
> >
> > Thanks,
> > Fengguang
>
> Hi. Wu.
> I can reproduce this problem too. And I know this problem is fixed
> with your patch.
> Thanks.
> Tested-by: Namjae Jeon <linkinjeon@gmail.com>
Namjae, thank you for the testing! FYI I've pushed it to linux-next.
Thanks,
Fengguang
> >
> > ---
> > Subject: writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue
> > Date: Sat Feb 04 20:54:03 CST 2012
> >
> > When the SD card is hot removed without umount, del_gendisk() will call
> > bdi_unregister() but not destroy/free it. This leaves the bdi in the
> > bdi->dev = NULL, bdi->wb.task = NULL, bdi->bdi_list removed state.
> >
> > If someone gets the bdi before bdi_unregister() and calls
> > bdi_queue_work() after the unregister, trace_writeback_queue will be
> > dereferencing the NULL bdi->dev. Fix it with a simple test for NULL.
> >
> > LKML-reference: http://lkml.org/lkml/2012/1/18/346
> > Reported-by: Rabin Vincent <rabin@rab.in>
> > Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> > ---
> > include/trace/events/writeback.h | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > --- linux-next.orig/include/trace/events/writeback.h 2012-02-04 20:51:01.000000000 +0800
> > +++ linux-next/include/trace/events/writeback.h 2012-02-04 20:54:00.000000000 +0800
> > @@ -47,7 +47,10 @@ DECLARE_EVENT_CLASS(writeback_work_class
> > __field(int, reason)
> > ),
> > TP_fast_assign(
> > - strncpy(__entry->name, dev_name(bdi->dev), 32);
> > + struct device *dev = bdi->dev;
> > + if (!dev)
> > + dev = default_backing_dev_info.dev;
> > + strncpy(__entry->name, dev_name(dev), 32);
> > __entry->nr_pages = work->nr_pages;
> > __entry->sb_dev = work->sb ? work->sb->s_dev : 0;
> > __entry->sync_mode = work->sync_mode;
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Wu Fengguang <fengguang.wu@intel.com>
To: Namjae Jeon <linkinjeon@gmail.com>
Cc: Rabin Vincent <rabin@rab.in>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue
Date: Mon, 6 Feb 2012 11:18:50 +0800 [thread overview]
Message-ID: <20120206031849.GB23450@localhost> (raw)
In-Reply-To: <CAKYAXd_t4+ea=qVHETiuSZn4PExYTCboV0_upnoOTUrvsjuSTA@mail.gmail.com>
> >> However, I've found one more race condition leading to a crash when
> >> tracing is enabled, this time from the writeback:queue trace point from
> >> bdi_queue_work(). The cause is the same, i.e. bdi->dev is NULL. This
> >> was produced with the help of the following delay patch. trace+log is
> >> attached.
> >
> > Rabin, this should fix the bug. Note that I take no efforts to remove
> > the to-be-queued and already-queued works. I'm also a bit afraid if
> > the traces in the balance_dirty_pages() path (trace_balance_dirty_pages,
> > trace_bdi_dirty_ratelimit and writeback_wake_background) will have
> > similar NULL dereference bug. Do you test it by physically hot
> > removing a SD card, or with some detach command or emulation?
> >
> > Thanks,
> > Fengguang
>
> Hi. Wu.
> I can reproduce this problem too. And I know this problem is fixed
> with your patch.
> Thanks.
> Tested-by: Namjae Jeon <linkinjeon@gmail.com>
Namjae, thank you for the testing! FYI I've pushed it to linux-next.
Thanks,
Fengguang
> >
> > ---
> > Subject: writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue
> > Date: Sat Feb 04 20:54:03 CST 2012
> >
> > When the SD card is hot removed without umount, del_gendisk() will call
> > bdi_unregister() but not destroy/free it. This leaves the bdi in the
> > bdi->dev = NULL, bdi->wb.task = NULL, bdi->bdi_list removed state.
> >
> > If someone gets the bdi before bdi_unregister() and calls
> > bdi_queue_work() after the unregister, trace_writeback_queue will be
> > dereferencing the NULL bdi->dev. Fix it with a simple test for NULL.
> >
> > LKML-reference: http://lkml.org/lkml/2012/1/18/346
> > Reported-by: Rabin Vincent <rabin@rab.in>
> > Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> > ---
> > include/trace/events/writeback.h | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > --- linux-next.orig/include/trace/events/writeback.h 2012-02-04 20:51:01.000000000 +0800
> > +++ linux-next/include/trace/events/writeback.h 2012-02-04 20:54:00.000000000 +0800
> > @@ -47,7 +47,10 @@ DECLARE_EVENT_CLASS(writeback_work_class
> > __field(int, reason)
> > ),
> > TP_fast_assign(
> > - strncpy(__entry->name, dev_name(bdi->dev), 32);
> > + struct device *dev = bdi->dev;
> > + if (!dev)
> > + dev = default_backing_dev_info.dev;
> > + strncpy(__entry->name, dev_name(dev), 32);
> > __entry->nr_pages = work->nr_pages;
> > __entry->sb_dev = work->sb ? work->sb->s_dev : 0;
> > __entry->sync_mode = work->sync_mode;
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-02-06 3:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-15 15:28 Crash in writeback:single_inode tracepoint after card removal Rabin Vincent
2012-01-17 3:32 ` Wu Fengguang
2012-01-18 20:09 ` Rabin Vincent
2012-02-05 23:31 ` [PATCH] writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue Wu Fengguang
2012-02-06 2:13 ` Namjae Jeon
2012-02-06 2:13 ` Namjae Jeon
2012-02-06 3:18 ` Wu Fengguang [this message]
2012-02-06 3:18 ` Wu Fengguang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120206031849.GB23450@localhost \
--to=fengguang.wu@intel.com \
--cc=linkinjeon@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rabin@rab.in \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.