From mboxrd@z Thu Jan 1 00:00:00 1970
From: "monty_pavel@sina.com"
Subject: [PATCH] dm thin: fix NULL pointer exception caused by two concurrent "vgchange -ay -K " processes.
Date: Fri, 24 Nov 2017 16:59:13 +0800
Message-ID: <201711241659129513254@sina.com>
Sender: dm-devel-bounces@redhat.com
To: dm-devel
List-Id: dm-devel.ids

We got a NULL pointer exception when testing the two concurrent
 "vgchange -ay -K <vg name>".
panic call trace:
 PID: 25992 TASK: ffff883cd7d23500 CPU: 4 COMMAND: "vgchange"
  #0 [ffff883cd743d600] machine_kexec at ffffffff81038fa9
  0000001 [ffff883cd743d660] crash_kexec at ffffffff810c5992
  0000002 [ffff883cd743d730] oops_end at ffffffff81515c90
  0000003 [ffff883cd743d760] no_context at ffffffff81049f1b
  0000004 [ffff883cd743d7b0] __bad_area_nosemaphore at ffffffff8104a1a5
  0000005 [ffff883cd743d800] bad_area at ffffffff8104a2ce
  0000006 [ffff883cd743d830] __do_page_fault at ffffffff8104aa6f
  0000007 [ffff883cd743d950] do_page_fault at ffffffff81517bae
  0000008 [ffff883cd743d980] page_fault at ffffffff81514f95
     [exception RIP: kmem_cache_alloc+108]
     RIP: ffffffff8116ef3c RSP: ffff883cd743da38 RFLAGS: 00010046
     RAX: 0000000000000004 RBX: ffffffff81121b90 RCX: ffff881bf1e78cc0
     RDX: 0000000000000000 RSI: 00000000000000d0 RDI: 0000000000000000
     RBP: ffff883cd743da68 R8: ffff881bf1a4eb00 R9: 0000000080042000
     R10: 0000000000002000 R11: 0000000000000000 R12: 00000000000000d0
     R13: 0000000000000000 R14: 00000000000000d0 R15: 0000000000000246
     ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
  0000009 [ffff883cd743da70] mempool_alloc_slab at ffffffff81121ba5
 0000010 [ffff883cd743da80] mempool_create_node at ffffffff81122083
 0000011 [ffff883cd743dad0] mempool_create at ffffffff811220f4
 0000012 [ffff883cd743dae0] pool_ctr at ffffffffa08de049 [dm_thin_pool]
 0000013 [ffff883cd743dbd0] dm_table_add_target at ffffffffa0005f2f [dm_mod]
 0000014 [ffff883cd743dc30] table_load at ffffffffa0008ba9 [dm_mod]
 0000015 [ffff883cd743dc90] ctl_ioctl at ffffffffa0009dc4 [dm_mod]
 this bug's scene is as follows:
 process A(vgchange -ay -K):
  a. send DM_LIST_VERSIONS_CMD ioctl;
  b. pool_target not registered;
  c. modprobe dm_thin_pool and wait until end.
 process B(vgchange -ay -K):
  a. send DM_LIST_VERSIONS_CMD ioctl;
  b. pool_target registered;
  c. table_load->dm_table_add_target->pool_ctr;
  d. _new_mapping_cache is NULL and panic.
 note:
  1. process A and process B are two concurrent processes.
  2. pool_target can be detected by process B but
  _new_mapping_cache initialization has not ended.
 All that we need do is to ensure pool_target registering ops
 is the last ops in dm_thin_init.

Signed-off-by: monty <monty_pavel@sina.com>
---
 drivers/md/dm-thin.c |   22 ++++++++++------------
 1 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/drivers/md/dm-thin.c b/driver= s/md/dm-thin.c
index 89e5dff..f91d771 100644
--- a/dr= ivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -4355,30&= nbsp;+4355,28 @@ static void thin_io_hints(struct = ;dm_target *ti, struct queue_limits *limits)
 =
 static int __init dm_thin_init(void)
 {- int r;
+ int r =3D -ENOMEM;
 =
  pool_table_init();
=  
+ _new_mapping_cache&nb= sp;=3D KMEM_CACHE(dm_thin_new_mapping, 0);
+ if (!_new_mapping_cache)
+ retur= n r;
+
  r = =3D dm_register_target(&thin_target);
  if (r)
-= return r;
+ goto bad_new_mapping_cache;
 
  r =3D dm_register_target(&pool_targ= et);
  if (r)
-
= goto bad_pool_target;
-
- r =3D -ENOMEM;
-
- _new_mapping_cache =3D KMEM_CACHE(dm_thin_new_mapp= ing, 0);
- if (!_new= _mapping_cache)
- goto bad_new_mapping_cache;
+ goto bad_thin_target;
 
  return 0;
 
-bad_new_mapping_cache:
-= dm_unregister_target(&pool_t= arget);
-bad_pool_target:
+bad_thin_target:
  dm_unregister_target(&thin_target);
+bad= _new_mapping_cache:
+ kmem_cac= he_destroy(_new_mapping_cache);
 
  return r;
 }
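
Review bot: The new early exit after KMEM_CACHE() in dm_thin_init() does "return r", which is only -ENOMEM because the declaration was changed to "int r = -ENOMEM;". Returning -ENOMEM directly and keeping a plain "int r;" would make that failure path self-explanatory and would not depend on nothing assigning r above it later. Moving the cache allocation ahead of both dm_register_target() calls is the right fix for the trace in the commit message, since pool_ctr reaches kmem_cache_alloc through mempool_create as soon as pool_target is visible to another process. A one-line comment above the two registrations saying they must stay last would help keep a later change from reintroducing the ordering bug. The unwind labels now run in reverse order of setup (bad_thin_target, then bad_new_mapping_cache), which matches the new sequence.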
-- 
1.7.1