On Wed, 2018-06-20 at 18:58 +0200, Anthoine Bourgeois wrote:
> On Wed, Jun 20, 2018 at 01:50:38PM +0000, Bart Van Assche wrote:
> > On Wed, 2018-06-20 at 11:57 +0200, anthoine.bourgeois@xxxxxxxxx wrote:
> > > The function scsi_device_dev_release_usercontext calls blk_put_queue
> > > with request_queue then sets request_queue to NULL. If the function
> > > scsi_device_dev_release_usercontext is racy then the next call to
> > > blk_put_queue will trigger the NULL pointer dereference below.
> >
> > How did you trigger this bug? Which SCSI LLD drivers were involved, and
> > which scenario or workload triggered this kernel oops?
> >
>
> I think iscsi_tcp is my LLD driver. Here is a list of my modules with
> 'scsi' in the name:
> # lsmod|grep scsi
> iscsi_tcp 20480 4
> libiscsi_tcp 24576 1 iscsi_tcp
> libiscsi 57344 3 ib_iser,libiscsi_tcp,iscsi_tcp
> scsi_transport_iscsi 106496 4 ib_iser,libiscsi,iscsi_tcp
>
> The bug is triggered by an 'iscsiadm -m node -T targetname --logout' but it
> occurs maybe 1-2% of the time.

Hello Anthoine,

As far as I know the same scsi_device_dev_release_usercontext() function works
reliably for other SCSI LLDs. So you may want to report this to the iSCSI
initiator driver maintainers.

Thanks,

Bart.