On Fri, 2017-12-01 at 16:49 -0200, Mauricio Faria de Oliveira wrote:
> LR [c00000000057c7fc] __blk_run_queue+0x6c/0xb0
> Call Trace:
> [c0000001fb083970] [c0000001fb0839e0] 0xc0000001fb0839e0 (unreliable)
> [c0000001fb0839a0] [c00000000057ce0c] blk_run_queue+0x4c/0x80
> [c0000001fb0839d0] [c000000000591f54] blk_freeze_queue_start+0xa4/0xb0
> [c0000001fb083a00] [c00000000057d5cc] blk_set_queue_dying+0x6c/0x190
> [c0000001fb083a30] [c0000000008a3fbc] __dm_destroy+0xac/0x300
> [c0000001fb083ad0] [c0000000008af6a4] dev_remove+0x154/0x1d0
> [c0000001fb083b20] [c0000000008affd0] ctl_ioctl+0x360/0x4f0
> [c0000001fb083d10] [c0000000008b0198] dm_ctl_ioctl+0x38/0x50
> [c0000001fb083d50] [c0000000003863b8] do_vfs_ioctl+0xd8/0x8c0
> [c0000001fb083df0] [c000000000386c08] SyS_ioctl+0x68/0x100
> [c0000001fb083e30] [c00000000000b760] system_call+0x58/0x6c
> Instruction dump:
> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
> ---[ end trace e1710ec836e5526f ]---
>
> Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

Hello Mauricio,

Would it be possible to repeat your test with the patch below applied on your
kernel tree? This patch has just been posted on the dm-devel mailing list.

Thanks,

Bart.

From: Bart Van Assche <bart.vanassche@xxxxxxx>
Date: Wed, 13 Dec 2017 13:07:14 -0800
Subject: [PATCH] dm: Fix a recently introduced reference counting bug

This patch avoids that the following message occurs sporadically in the
system log (revealing that pgpath->path.dev->name became a dangling
pointer):

device-mapper: table: 254:2: device kkkkkkkkkkkkkkkkkkk?????????x0?a?????E??????????????E??????F?????2?????pF??????PF?????9[F??????]F???????#???????#??????'f????? not in table devices list

This patch also fixes the following kernel crash:

general protection fault: 0000 [#1] PREEMPT SMP
RIP: 0010:multipath_busy+0x77/0xd0 [dm_multipath]
Call Trace:
 dm_mq_queue_rq+0x44/0x110 [dm_mod]
 blk_mq_dispatch_rq_list+0x73/0x440
 blk_mq_do_dispatch_sched+0x60/0xe0
 blk_mq_sched_dispatch_requests+0x11a/0x1a0
 __blk_mq_run_hw_queue+0x11f/0x1c0
 __blk_mq_delay_run_hw_queue+0x95/0xe0
 blk_mq_run_hw_queue+0x25/0x80
 blk_mq_flush_plug_list+0x197/0x420
 blk_flush_plug_list+0xe4/0x270
 blk_finish_plug+0x27/0x40
 __do_page_cache_readahead+0x2b4/0x370
 force_page_cache_readahead+0xb4/0x110
 generic_file_read_iter+0x755/0x970
 __vfs_read+0xd2/0x140
 vfs_read+0x9b/0x140
 SyS_read+0x45/0xa0
 do_syscall_64+0x56/0x1a0
 entry_SYSCALL64_slow_path+0x25/0x25

From the disassembly of multipath_busy (0x77 = 119):

./include/linux/blkdev.h:
992 return bdev->bd_disk->queue; /* this is never NULL */
   0x00000000000006b4 <+116>: mov (%rax),%rax
   0x00000000000006b7 <+119>: mov 0xe0(%rax),%rax

Fixes: commit 2a0b4682e09d ("dm: convert dm_dev_internal.count from atomic_t to refcount_t")
Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxx>
Cc: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: David Windsor <dwindsor@xxxxxxxxx>
Cc: Hans Liljestrand <ishkamiel@xxxxxxxxx>
Cc: Hannes Reinecke <hare@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # v4.15
---
 drivers/md/dm-table.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 88130b5d95f9..ee5c389e7256 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -459,6 +459,8 @@ int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, if (r) return r; refcount_inc(&dd->count); + } else { + refcount_inc(&dd->count); } *result = dd->dm_dev; -- 2.15.1
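
Review bot: the new else arm in dm_get_device() repeats the refcount_inc(&dd->count) that already ends the preceding arm, so taking the reference is now spelled out once per arm, and any arm added to this chain later can miss it again, which is the same class of bug this patch fixes. Consider taking the reference in one place after the chain for every path that reuses an existing dd (an arm that initialises the count itself, which this hunk does not show, would have to skip it), and add a short comment above "*result = dd->dm_dev;" stating that each successful call returns with one reference held. The commit message lists the symptoms but never says which path returned without taking a reference; one sentence naming it would make the Fixes: link easier to verify for the stable backport.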