From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:58974 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752461AbeF0XmO (ORCPT <rfc822;stable@vger.kernel.org>);
        Wed, 27 Jun 2018 19:42:14 -0400
Date: Thu, 28 Jun 2018 07:41:55 +0800
From: Ming Lei <ming.lei@redhat.com>
To: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org,
        Christoph Hellwig <hch@lst.de>,
        Mike Snitzer <snitzer@redhat.com>,
        Hannes Reinecke <hare@suse.com>,
        Johannes Thumshirn <jthumshirn@suse.de>, stable@vger.kernel.org
Subject: Re: [PATCH] block: Fix cloning of requests with a special payload
Message-ID: <20180627234154.GD7583@ming.t460p>
References: <20180627195518.13958-1-bart.vanassche@wdc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180627195518.13958-1-bart.vanassche@wdc.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, Jun 27, 2018 at 12:55:18PM -0700, Bart Van Assche wrote:
> This patch avoids that removing a path controlled by the dm-mpath driver
> while mkfs is running triggers the following kernel bug:
> 
>     kernel BUG at block/blk-core.c:3347!
>     invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>     CPU: 20 PID: 24369 Comm: mkfs.ext4 Not tainted 4.18.0-rc1-dbg+ #2
>     RIP: 0010:blk_end_request_all+0x68/0x70
>     Call Trace:
>      <IRQ>
>      dm_softirq_done+0x326/0x3d0 [dm_mod]
>      blk_done_softirq+0x19b/0x1e0
>      __do_softirq+0x128/0x60d
>      irq_exit+0x100/0x110
>      smp_call_function_single_interrupt+0x90/0x330
>      call_function_single_interrupt+0xf/0x20
>      </IRQ>
> 
> Fixes: f9d03f96b988 ("block: improve handling of the magic discard payload")
> Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Mike Snitzer <snitzer@redhat.com>
> Cc: Ming Lei <ming.lei@redhat.com>
> Cc: Hannes Reinecke <hare@suse.com>
> Cc: Johannes Thumshirn <jthumshirn@suse.de>
> Cc: <stable@vger.kernel.org>
> ---
>  block/blk-core.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/block/blk-core.c b/block/blk-core.c
> index 118dd17eb71f..f1e07ed1513c 100644
> --- a/block/blk-core.c
> +++ b/block/blk-core.c
> @@ -3529,6 +3529,10 @@ static void __blk_rq_prep_clone(struct request *dst, struct request *src)
>  	dst->cpu = src->cpu;
>  	dst->__sector = blk_rq_pos(src);
>  	dst->__data_len = blk_rq_bytes(src);
> +	if (src->rq_flags & RQF_SPECIAL_PAYLOAD) {
> +		dst->rq_flags |= RQF_SPECIAL_PAYLOAD;
> +		dst->special_vec = src->special_vec;
> +	}
>  	dst->nr_phys_segments = src->nr_phys_segments;
>  	dst->ioprio = src->ioprio;
>  	dst->extra_len = src->extra_len;
> -- 
> 2.17.1

Reviewed-by: Ming Lei <ming.lei@redhat.com>

BTW, if possible, could you please make a block test to catch this issue?

thanks,
Ming