From: Tejun Heo <tj@kernel.org>
To: Jan Kara <jack@suse.cz>
Cc: Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org,
	Christoph Hellwig <hch@infradead.org>,
	Dan Williams <dan.j.williams@intel.com>,
	Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
	NeilBrown <neilb@suse.de>
Subject: Re: [PATCH 10/10] block: Fix oops scsi_disk_get()
Date: Sun, 12 Feb 2017 13:43:56 +0900
Message-ID: <20170212044356.GH29323@mtj.duckdns.org>
In-Reply-To: <20170209124433.2626-11-jack@suse.cz>

On Thu, Feb 09, 2017 at 01:44:33PM +0100, Jan Kara wrote:
> When device open races with device shutdown, we can get the following
> oops in scsi_disk_get():
> 
> [11863.044351] general protection fault: 0000 [#1] SMP
> [11863.045561] Modules linked in: scsi_debug xfs libcrc32c netconsole btrfs raid6_pq zlib_deflate lzo_compress xor [last unloaded: loop]
> [11863.047853] CPU: 3 PID: 13042 Comm: hald-probe-stor Tainted: G W      4.10.0-rc2-xen+ #35
> [11863.048030] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [11863.048030] task: ffff88007f438200 task.stack: ffffc90000fd0000
> [11863.048030] RIP: 0010:scsi_disk_get+0x43/0x70
> [11863.048030] RSP: 0018:ffffc90000fd3a08 EFLAGS: 00010202
> [11863.048030] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88007f56d000 RCX: 0000000000000000
> [11863.048030] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff81a8d880
> [11863.048030] RBP: ffffc90000fd3a18 R08: 0000000000000000 R09: 0000000000000001
> [11863.059217] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffa
> [11863.059217] R13: ffff880078872800 R14: ffff880070915540 R15: 000000000000001d
> [11863.059217] FS:  00007f2611f71800(0000) GS:ffff88007f0c0000(0000) knlGS:0000000000000000
> [11863.059217] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [11863.059217] CR2: 000000000060e048 CR3: 00000000778d4000 CR4: 00000000000006e0
> [11863.059217] Call Trace:
> [11863.059217]  ? disk_get_part+0x22/0x1f0
> [11863.059217]  sd_open+0x39/0x130
> [11863.059217]  __blkdev_get+0x69/0x430
> [11863.059217]  ? bd_acquire+0x7f/0xc0
> [11863.059217]  ? bd_acquire+0x96/0xc0
> [11863.059217]  ? blkdev_get+0x350/0x350
> [11863.059217]  blkdev_get+0x126/0x350
> [11863.059217]  ? _raw_spin_unlock+0x2b/0x40
> [11863.059217]  ? bd_acquire+0x7f/0xc0
> [11863.059217]  ? blkdev_get+0x350/0x350
> [11863.059217]  blkdev_open+0x65/0x80
> ...
> 
> As you can see RAX value is already poisoned showing that gendisk we got
> is already freed. The problem is that get_gendisk() looks up device
> number in ext_devt_idr and then does get_disk() which does kobject_get()
> on the disk's kobject. However the disk gets removed from ext_devt_idr
> only in disk_release() (through blk_free_devt()) at which moment it has
> already 0 refcount and is already on its way to be freed. Indeed we've
> got a warning from kobject_get() about 0 refcount shortly before the
> oops.
> 
> We fix the problem by using kobject_get_unless_zero() in get_disk() so
> that get_disk() cannot get reference on a disk that is already being
> freed.
> 
> Signed-off-by: Jan Kara <jack@suse.cz>

Acked-by: Tejun Heo <tj@kernel.org>

Thanks.

-- 
tejun
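
Added example, not part of the original thread and not kernel code: a userspace C11 sketch of the pattern the quoted commit message describes, where a lookup table still holds an object whose refcount has already reached zero. The names struct obj, table_slot, obj_get_unless_zero(), obj_put(), lookup_unsafe() and lookup_safe() are hypothetical stand-ins for the gendisk kobject, ext_devt_idr and the get_disk() paths.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical refcounted object, standing in for a gendisk's kobject. */
struct obj { atomic_int refcount; };

/* Hypothetical one-slot table, playing the role of ext_devt_idr. */
static struct obj *table_slot;

/* Get that fails once the count is zero, i.e. the object is being freed. */
bool obj_get_unless_zero(struct obj *o)
{
    int old = atomic_load(&o->refcount);
    while (old != 0) {
        /* On failure 'old' is reloaded, so the zero check is repeated. */
        if (atomic_compare_exchange_weak(&o->refcount, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; returns true when this was the last one. */
bool obj_put(struct obj *o)
{
    return atomic_fetch_sub(&o->refcount, 1) == 1;
}

/* Unfixed pattern: look up, then take a reference unconditionally. */
struct obj *lookup_unsafe(void)
{
    struct obj *o = table_slot;
    if (o)
        atomic_fetch_add(&o->refcount, 1); /* revives a count of zero */
    return o;
}

/* Fixed pattern: refuse an object whose count already dropped to zero. */
struct obj *lookup_safe(void)
{
    struct obj *o = table_slot;
    return (o && obj_get_unless_zero(o)) ? o : NULL;
}
```

Once the last obj_put() has returned true while table_slot still points at the object, lookup_safe() returns NULL, whereas lookup_unsafe() hands back a pointer to an object already on its way to being freed.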

Thread overview: 29+ messages
2017-02-09 12:44 [PATCH 0/10] block: Fix block device shutdown related races Jan Kara
2017-02-09 12:44 ` [PATCH 01/10] block: Move bdev_unhash_inode() after invalidate_partition() Jan Kara
2017-02-12  3:58   ` Tejun Heo
2017-02-20 14:53     ` Jan Kara
2017-02-09 12:44 ` [PATCH 02/10] block: Unhash also block device inode for the whole device Jan Kara
2017-02-12  4:16   ` Tejun Heo
2017-02-09 12:44 ` [PATCH 03/10] block: Revalidate i_bdev reference in bd_aquire() Jan Kara
2017-02-09 15:54   ` Jan Kara
2017-02-12  4:22     ` Tejun Heo
2017-02-09 12:44 ` [PATCH 04/10] block: Move bdi_unregister() to del_gendisk() Jan Kara
2017-02-10  2:21   ` NeilBrown
2017-02-12  4:31   ` Tejun Heo
2017-02-09 12:44 ` [PATCH 05/10] writeback: Generalize and standardize I_SYNC waiting function Jan Kara
2017-02-12  4:32   ` Tejun Heo
2017-02-09 12:44 ` [PATCH 06/10] writeback: Move __inode_wait_for_state_bit Jan Kara
2017-02-09 12:44 ` [PATCH 07/10] writeback: Implement reliable switching to default writeback structure Jan Kara
2017-02-10  2:19   ` NeilBrown
2017-02-10 13:20     ` Jan Kara
2017-02-09 12:44 ` [PATCH 08/10] block: Fix oops in locked_inode_to_wb_and_lock_list() Jan Kara
2017-02-12  4:40   ` Tejun Heo
2017-02-20 16:58     ` Jan Kara
2017-02-09 12:44 ` [PATCH 09/10] kobject: Export kobject_get_unless_zero() Jan Kara
2017-02-12  4:41   ` Tejun Heo
2017-02-09 12:44 ` [PATCH 10/10] block: Fix oops scsi_disk_get() Jan Kara
2017-02-12  4:43   ` Tejun Heo [this message]
2017-02-09 14:52 ` [PATCH 0/10] block: Fix block device shutdown related races Thiago Jung Bauermann
2017-02-09 15:48   ` Jan Kara
2017-02-13 14:27 ` Thiago Jung Bauermann
  -- strict thread matches above, loose matches on Subject: below --
2017-03-23  0:36 [PATCH 0/10 v5] " Jan Kara
2017-03-23  0:37 ` [PATCH 10/10] block: Fix oops scsi_disk_get() Jan Kara
