On Wed, Oct 7, 2015 at 3:56 PM, Logan Gunthorpe <logang@xxxxxxxxxxxx> wrote:
> Hi Dan,
>
> We've uncovered another issue during testing with these patches. We get a
> kernel panic sometimes just while using a DAX filesystem. I've traced the
> issue back to this patch. (There's a stack trace at the end of this email.)
>
> On 22/09/15 10:42 PM, Dan Williams wrote:
>>
>> +static void dax_unmap_bh(const struct buffer_head *bh, void __pmem *addr)
>> +{
>> + struct block_device *bdev = bh->b_bdev;
>> + struct request_queue *q = bdev->bd_queue;
>> +
>> + if (IS_ERR(addr))
>> + return;
>> + blk_dax_put(q);
>> }
>>
>> @@ -127,9 +159,8 @@ static ssize_t dax_io(struct inode *inode, struct
>> iov_iter *iter,
>> if (pos == bh_max) {
>> bh->b_size = PAGE_ALIGN(end - pos);
>> bh->b_state = 0;
>> - retval = get_block(inode, block, bh,
>> - iov_iter_rw(iter) ==
>> WRITE);
>> - if (retval)
>> + rc = get_block(inode, block, bh, rw ==
>> WRITE);
>> + if (rc)
>> break;
>> if (!buffer_size_valid(bh))
>> bh->b_size = 1 << blkbits;
>> @@ -178,8 +213,9 @@ static ssize_t dax_io(struct inode *inode, struct
>> iov_iter *iter,
>>
>> if (need_wmb)
>> wmb_pmem();
>> + dax_unmap_bh(bh, kmap);
>>
>> - return (pos == start) ? retval : pos - start;
>> + return (pos == start) ? rc : pos - start;
>> }
>
>
> The problem is if get_block fails and returns an error code, it will still
> call dax_unmap_bh which tries to dereference bh->b_bdev. However, seeing
> get_block failed, that pointer is NULL. Maybe a null check in dax_unmap_bh
> would be sufficient?
Thanks for the report, I have this fixed up in v2. Will post shortly.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>