On 09/26/15 00:37, Bart Van Assche wrote:
> On 09/24/2015 05:42 PM, Junichi Nomura wrote:
>> Since __dm_destroy() depends on monotonic decrease of md->holders,
>> assertion check of !DMF_FREEING in dm_get() is a valid protection
>> from use-after-free. If we are to remove the check, __dm_destroy()
>> should be changed to cope with the situation.
>>
>> I'm curious why there were pending I/Os after DMF_FREEING set.
>> Can this problem be reproducible with non dm-mq setup or older kernels?
>> How did you remove the dm device in your testing?
>
> Hello Junichi,
>
> Thanks for stepping in.
>
> Sorry but I do not know whether or not this problem is reproducible without dm-mq or with older kernels.
>
> The dm device was removed via the command "dmsetup remove_all".

I tried simply repeating 'dmsetup remove_all' and multipath scan
but couldn't reproduce the problem.

However, when I added scsi device removal and rescan to the mix,
the system crashed within a few seconds.
It looks like the change in v4.3-rc which integrates scsi_dh to scsi core
introduced a use-after-free.

I reported the problem to linux-scsi:
  [REGRESSION v4.3] scsi_dh: use-after-free when removing scsi device
  http://marc.info/?l=linux-scsi&m=144357350800712&w=2

Though I'm not sure if it's related to your issue, just FYI.

--
Jun'ichi Nomura, NEC Corporation
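The holder-count argument quoted at the top of this thread, as an added userspace example that is not code from the thread or from the kernel. The `model_*` names, the struct and the refuse-instead-of-assert behaviour are assumptions made for illustration; the model is single-threaded and shows only the invariant, not kernel locking.

```c
/* Added illustration: a single-threaded model of the invariant, not dm source. */
#include <stdbool.h>
#include <stdio.h>

struct model_md {
    int  holders;   /* stands in for md->holders */
    bool freeing;   /* stands in for the DMF_FREEING flag */
};

/* Take a reference. Returns false where the thread's assertion would fire:
 * a caller arriving after teardown began is treated as a bug. */
static bool model_get(struct model_md *md)
{
    if (md->freeing)
        return false;
    md->holders++;
    return true;
}

static void model_put(struct model_md *md) { md->holders--; }

/* Teardown step 1: from here on, holders is only allowed to decrease. */
static void model_begin_destroy(struct model_md *md) { md->freeing = true; }

/* Teardown step 2: polled until true, after which the object is freed.
 * This is only sound because no get can raise holders again. */
static bool model_safe_to_free(const struct model_md *md)
{
    return md->holders == 0;
}

/* Returns the number of late gets refused, or -1 if the invariant broke. */
static int model_scenario(void)
{
    struct model_md md = { 0, false };
    int refused = 0;

    if (!model_get(&md)) return -1;          /* in-flight user: holders == 1 */
    model_begin_destroy(&md);
    if (!model_get(&md)) refused++;          /* late get while draining */
    if (model_safe_to_free(&md)) return -1;  /* must wait for first holder */
    model_put(&md);                          /* in-flight user finishes */
    if (!model_safe_to_free(&md)) return -1; /* teardown may now free */
    if (!model_get(&md)) refused++;          /* this one would touch freed state */
    return refused;
}

int main(void)
{
    printf("late gets refused: %d\n", model_scenario());
    return 0;
}
```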