Hello Nick! On Fri, 9 March 2012 08:34:41 +0000, Nicholas A. Bellinger wrote: > > This patch converts core_tpg_del_initiator_node_acl() shutdown from configfs > context to use se_node_acl->acl_kref and ->acl_free_comp in order to wait for > outstanding fabric callbacks to complete via transport_deregister_session() > callbacks before waking ->acl_free_comp from the last ->acl_kref put. While the description looks like this should fix a bug we occasionally experience, I failed to notice it in the patch itself. Could be me. As you can see in the gpf output below, _raw_spin_lock_irqsave() is operating on 0x6b6b6b6b6b6b6b6b, so it seems to be using freed memory. The free seems to be happening through target_fabric_nacl_base_release() -> tf->tf_ops.fabric_drop_nodeacl(). All fabric implementations of fabric_drop_nodeacl() simply call kfree() on the acl, without checking for reference counts or anything else. Is there some configfs magic I am missing, or do we still need more work to prevent the bug below? Jörn general protection fault: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:04.0/0000:06:00.1/host10/fc_host/host10/port_name CPU 11 Modules linked in: ps_bdrv bufoops target_core_iblock vfat msdos fat ipmi_devintf ipmi_si ipmi_msghandler tcm_qla2xxx target_core_mod serio_raw ioatdma i7core_edac edac_core dca rdma_ucm rdma_cm mlx4_ib iw_cm ib_uverbs usb_storage ib_umad mpt2sas qla2xxx scsi_transport_sas uas usbhid ahci hid libahci mlx4_core raid_class scsi_transport_fc scsi_tgt ib_ipoib ib_cm ib_sa ib_mad ib_core ib_addr [last unloaded: ps_bdrv] Pid: 124, comm: kworker/11:1 Not tainted 2.6.39.4+ #18237 Xyratex Storage Server /HS-1235T-ATX RIP: 0010:[<ffffffff814f1a04>] [<ffffffff814f1a04>] _raw_spin_lock_irqsave+0x34/0x60 RSP: 0018:ffff880c250c5da0 EFLAGS: 00010046 RAX: 0000000000000100 RBX: 6b6b6b6b6b6b6c93 RCX: ffff8809ec0a0ab8 RDX: ffff880c3fcae3c8 RSI: ffff8809ec0a0830 RDI: 6b6b6b6b6b6b6c93 RBP: ffff880c250c5db0 R08: 0000000000000000 R09: ffff8809ec0a3c30 R10: 000000000000001f R11: 0000000000000000 R12: 0000000000000286 R13: ffff8809ec0a0830 R14: ffffffffa0106b40 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff880c3fca0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f0477a31900 CR3: 0000000001a03000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process kworker/11:1 (pid: 124, threadinfo ffff880c250c4000, task ffff880c2541ad80) Stack: 6b6b6b6b6b6b6c93 6b6b6b6b6b6b6b6b ffff880c250c5de0 ffffffffa0289d2e ffff880c3fcae3c0 ffff8809ec0a0830 ffff880c3fcae3c0 ffffe8ffffcaee00 ffff880c250c5e00 ffffffffa029e397 ffff880c3fcae3c0 ffff880c2558a3e8 Call Trace: [<ffffffffa0289d2e>] core_dec_lacl_count+0x2e/0x70 [target_core_mod] [<ffffffffa029e397>] transport_generic_free_cmd+0x47/0x90 [target_core_mod] [<ffffffffa0106b57>] tcm_qla2xxx_complete_free+0x17/0x20 [tcm_qla2xxx] [<ffffffff81066c97>] process_one_work+0x127/0x430 [<ffffffff81067743>] worker_thread+0x163/0x350 [<ffffffff810675e0>] ? manage_workers.clone.21+0x240/0x240 [<ffffffff8106c616>] kthread+0x96/0xa0 [<ffffffff814fabe4>] kernel_thread_helper+0x4/0x10 [<ffffffff814f1d81>] ? retint_restore_args+0x13/0x13 [<ffffffff8106c580>] ? flush_kthread_worker+0xb0/0xb0 [<ffffffff814fabe0>] ? gs_change+0x13/0x13 -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
