[PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ye Bin <yebin10@huawei.com>
To: <jejb@linux.ibm.com>, <martin.petersen@oracle.com>,
	<linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Cc: Ye Bin <yebin10@huawei.com>
Subject: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach
Date: Wed, 13 Jan 2021 14:31:03 +0800	[thread overview]
Message-ID: <20210113063103.2698953-1-yebin10@huawei.com> (raw)

We get follow BUG_ON when rdac scan:
[595952.944297] kernel BUG at drivers/scsi/device_handler/scsi_dh_rdac.c:427!
[595952.951143] Internal error: Oops - BUG: 0 [#1] SMP
......
[595953.251065] Call trace:
[595953.259054]  check_ownership+0xb0/0x118
[595953.269794]  rdac_bus_attach+0x1f0/0x4b0
[595953.273787]  scsi_dh_handler_attach+0x3c/0xe8
[595953.278211]  scsi_dh_add_device+0xc4/0xe8
[595953.282291]  scsi_sysfs_add_sdev+0x8c/0x2a8
[595953.286544]  scsi_probe_and_add_lun+0x9fc/0xd00
[595953.291142]  __scsi_scan_target+0x598/0x630
[595953.295395]  scsi_scan_target+0x120/0x130
[595953.299481]  fc_user_scan+0x1a0/0x1c0 [scsi_transport_fc]
[595953.304944]  store_scan+0xb0/0x108
[595953.308420]  dev_attr_store+0x44/0x60
[595953.312160]  sysfs_kf_write+0x58/0x80
[595953.315893]  kernfs_fop_write+0xe8/0x1f0
[595953.319888]  __vfs_write+0x60/0x190
[595953.323448]  vfs_write+0xac/0x1c0
[595953.326836]  ksys_write+0x74/0xf0
[595953.330221]  __arm64_sys_write+0x24/0x30

BUG_ON code is in check_ownership:
                list_for_each_entry_rcu(tmp, &h->ctlr->dh_list, node) {
                        /* h->sdev should always be valid */
                        BUG_ON(!tmp->sdev);
                        tmp->sdev->access_state = access_state;
                }
rdac_bus_attach
	initialize_controller
		list_add_rcu(&h->node, &h->ctlr->dh_list);
		h->sdev = sdev;
rdac_bus_detach
	list_del_rcu(&h->node);
	h->sdev = NULL;

Test as follow steps:
(1) Find IO error, remove disk;
(2) Insert disk back;
(3) trigger scan disk;

There is race between rdac_bus_attach and rdac_bus_detach, maybe access
rdac_dh_data which h->sdev has been set NULL when process rdac attach. And also
find that "h->sdev" set value after add list, this may lead to reference NULL ptr.

Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 drivers/scsi/device_handler/scsi_dh_rdac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
index 5efc959493ec..85a71bafaea7 100644
--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
@@ -453,8 +453,8 @@ static int initialize_controller(struct scsi_device *sdev,
 		if (!h->ctlr)
 			err = SCSI_DH_RES_TEMP_UNAVAIL;
 		else {
-			list_add_rcu(&h->node, &h->ctlr->dh_list);
 			h->sdev = sdev;
+			list_add_rcu(&h->node, &h->ctlr->dh_list);
 		}
 		spin_unlock(&list_lock);
 		err = SCSI_DH_OK;
@@ -778,11 +778,11 @@ static void rdac_bus_detach( struct scsi_device *sdev )
 	spin_lock(&list_lock);
 	if (h->ctlr) {
 		list_del_rcu(&h->node);
-		h->sdev = NULL;
 		kref_put(&h->ctlr->kref, release_controller);
 	}
 	spin_unlock(&list_lock);
 	sdev->handler_data = NULL;
+	synchronize_rcu();
 	kfree(h);
 }
 
-- 
2.25.4

next             reply	other threads:[~2021-01-13  6:26 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-13  6:31 Ye Bin [this message]
2021-07-22 13:09 ` [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach yebin
2021-07-23  4:04 ` Bart Van Assche
2021-07-28 14:24   ` yebin
2021-07-28 21:55     ` Bart Van Assche
2021-07-29  3:37 ` Martin K. Petersen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5efc959493e dfblob:85a71bafaea )
 OR (
bs:"[PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210113063103.2698953-1-yebin10@huawei.com \
    --to=yebin10@huawei.com \
    --cc=jejb@linux.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.