From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wu Fengguang Subject: Re: [PATCH] writeback: fix dereferencing NULL bdi->dev on trace_writeback_queue Date: Mon, 6 Feb 2012 11:18:50 +0800 Message-ID: <20120206031849.GB23450@localhost> References: <20120115152806.GA32106@debian> <20120117033253.GA399@localhost> <20120205233121.GA30168@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Cc: Rabin Vincent , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org To: Namjae Jeon Return-path: Received: from mga03.intel.com ([143.182.124.21]:9907 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752891Ab2BFD3R (ORCPT ); Sun, 5 Feb 2012 22:29:17 -0500 Content-Disposition: inline In-Reply-To: Sender: linux-fsdevel-owner@vger.kernel.org List-ID: > >> However, I've found one more race condition leading to a crash whe= n > >> tracing is enabled, this time from the writeback:queue trace point= from > >> bdi_queue_work(). =C2=A0The cause is the same, i.e. =C2=A0bdi->dev= is NULL. =C2=A0This > >> was produced with the help of the following delay patch. =C2=A0tra= ce+log is > >> attached. > > > > Rabin, this should fix the bug. Note that I take no efforts to remo= ve > > the to-be-queued and already-queued works. I'm also a bit afraid if > > the traces in the balance_dirty_pages() path (trace_balance_dirty_p= ages, > > trace_bdi_dirty_ratelimit and writeback_wake_background) will have > > similar NULL dereference bug. Do you test it by physically hot > > removing a SD card, or with some detach command or emulation? > > > > Thanks, > > Fengguang >=20 > Hi. Wu. > I can reproduce this problem too. And I know this problem is fixed > with your patch. > Thanks. > Tested-by: Namjae Jeon Namjae, thank you for the testing! FYI I've pushed it to linux-next. Thanks, =46engguang > > > > --- > > Subject: writeback: fix dereferencing NULL bdi->dev on trace_writeb= ack_queue > > Date: Sat Feb 04 20:54:03 CST 2012 > > > > When the SD card is hot removed without umount, del_gendisk() will = call > > bdi_unregister() but not destroy/free it. This leaves the bdi in th= e > > bdi->dev =3D NULL, bdi->wb.task =3D NULL, bdi->bdi_list removed sta= te. > > > > If someone gets the bdi before bdi_unregister() and calls > > bdi_queue_work() after the unregister, trace_writeback_queue will b= e > > dereferencing the NULL bdi->dev. Fix it with a simple test for NULL= =2E > > > > LKML-reference: http://lkml.org/lkml/2012/1/18/346 > > Reported-by: Rabin Vincent > > Signed-off-by: Wu Fengguang > > --- > > =C2=A0include/trace/events/writeback.h | =C2=A0 =C2=A05 ++++- > > =C2=A01 file changed, 4 insertions(+), 1 deletion(-) > > > > --- linux-next.orig/include/trace/events/writeback.h =C2=A0 =C2=A02= 012-02-04 20:51:01.000000000 +0800 > > +++ linux-next/include/trace/events/writeback.h 2012-02-04 20:54:00= =2E000000000 +0800 > > @@ -47,7 +47,10 @@ DECLARE_EVENT_CLASS(writeback_work_class > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0__field(int,= reason) > > =C2=A0 =C2=A0 =C2=A0 =C2=A0), > > =C2=A0 =C2=A0 =C2=A0 =C2=A0TP_fast_assign( > > - =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 strncpy(__entry-= >name, dev_name(bdi->dev), 32); > > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 struct device *d= ev =3D bdi->dev; > > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 if (!dev) > > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 dev =3D default_backing_dev_info.dev; > > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 strncpy(__entry-= >name, dev_name(dev), 32); > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0__entry->nr_= pages =3D work->nr_pages; > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0__entry->sb_= dev =3D work->sb ? work->sb->s_dev : 0; > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0__entry->syn= c_mode =3D work->sync_mode; > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-fsd= evel" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at =C2=A0http://vger.kernel.org/majordomo-info.= html -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel= " in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html