Adding target-devel CC'

On Thu, 2017-06-01 at 15:35 +0000, bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=195963
>
> Bug ID: 195963
> Summary: Aborting a SCSI command can trigger a reference count
> underflow
> Product: IO/Storage
> Version: 2.5
> Kernel Version: v4.12-rc3
> Hardware: x86-64
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: io_other@xxxxxxxxxxxxxxxxxxxx
> Reporter: bvanassche@xxxxxxx
> CC: nab@xxxxxxxxxxxxxxx
> Regression: No
>
> With kernel v4.12-rc3-51-ga37484638ca5 (commit a37484638ca5) I ran into the
> following by running the libiscsi test suite against the LIO iscsi target
> driver:

Oh, a warning from the new lib/refcount.c code.

>
> ABORT_TASK: Found referenced iSCSI task_tag: 1520249344
> INFO: trying to register non-static key.
> the code is fine but needs lockdep annotation.
> turning off the locking correctness validator.
> CPU: 3 PID: 164 Comm: kworker/u8:3 Not tainted 4.12.0-rc3-dbg+ #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.0.0-prebuilt.qemu-project.org 04/01/2014
> Workqueue: tmr-fileio target_tmr_work [target_core_mod]
> Call Trace:
> dump_stack+0x86/0xcf
> register_lock_class+0xe8/0x570
> iscsi_target_mod:tx_data: tx_loop: 48, total_tx: 48, data: 48
> __lock_acquire+0xa1/0x11d0
> lock_acquire+0x59/0x80
> flush_work+0x42/0x2b0
> __cancel_work_timer+0x10c/0x180
> cancel_work_sync+0xb/0x10
> core_tmr_abort_task+0x123/0x1b0 [target_core_mod]
> target_tmr_work+0x116/0x130 [target_core_mod]
> process_one_work+0x1ca/0x3f0
> worker_thread+0x49/0x3b0
> kthread+0x109/0x140
> ret_from_fork+0x2a/0x40
> iscsi_target_mod:lio_release_cmd: Entering lio_release_cmd for se_cmd:
> ffff8800643f4890
> refcount_t: underflow; use-after-free.
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 164 at lib/refcount.c:184 refcount_sub_and_test+0x45/0x50
> Modules linked in: target_core_user uio target_core_iblock target_core_file
> iscsi_target_mod target_core_mod brd netconsole configfs crct10dif_pclmul
> crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd cryptd
> glue_helper serio_raw virtio_balloon virtio_console virtio_rng i2c_piix4
> acpi_cpufreq button iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ext4
> jbd2 mbcache virtio_blk virtio_net psmouse virtio_pci floppy
> CPU: 3 PID: 164 Comm: kworker/u8:3 Not tainted 4.12.0-rc3-dbg+ #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.0.0-prebuilt.qemu-project.org 04/01/2014
> Workqueue: tmr-fileio target_tmr_work [target_core_mod]
> task: ffff8801338d27c0 task.stack: ffffc90000c50000
> RIP: 0010:refcount_sub_and_test+0x45/0x50
> RSP: 0018:ffffc90000c53d68 EFLAGS: 00010296
> RAX: 0000000000000026 RBX: ffff8800643f4a08 RCX: 0000000000000000
> RDX: ffff8801338d27c0 RSI: 0000000000000001 RDI: 0000000000000282
> RBP: ffffc90000c53d68 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffc90000c53c10 R11: ffffffff810ac83f R12: ffff8800643f4890
> R13: ffff880135700008 R14: ffff88006787ee18 R15: ffff880135700008
> FS: 0000000000000000(0000) GS:ffff88013fd80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f2fa91f5000 CR3: 0000000067986000 CR4: 00000000001406e0
> Call Trace:
> refcount_dec_and_test+0x11/0x20
> target_put_sess_cmd+0x14/0x30 [target_core_mod]
> core_tmr_abort_task+0x140/0x1b0 [target_core_mod]
> target_tmr_work+0x116/0x130 [target_core_mod]
> process_one_work+0x1ca/0x3f0
> worker_thread+0x49/0x3b0
> kthread+0x109/0x140
> ret_from_fork+0x2a/0x40
> Code: 75 e6 85 d2 0f 94 c0 c3 31 c0 c3 80 3d 82 a5 99 00 00 75 f4 55 48 c7 c7
> b0 b2 9d 81 48 89 e5 c6 05 6e a5 99 00 01 e8 3b 1d e5 ff <0f> ff 31 c0 5d c3 0f
> 1f 44 00 00 55 48 89 fe bf 01 00 00 00 48
> ---[ end trace 3a421a9a642a5a6a ]---
> ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for ref_tag: 1520249344
>

Well, I'm not able to reproduce on target-pending/master with
iscsi-test-cu --test=ALL --dataloss, or with the debug code to force
ABORT_TASK + session shutdown to occur.

I assume that MNC wasn't able to reproduce on target-pending/master
either, as he's been testing the same code-path to verify:

commit 25cdda95fda78d22d44157da15aa7ea34be3c804
Author: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Wed May 24 21:47:09 2017 -0700

    iscsi-target: Fix initial login PDU asynchronous socket close OOPs

So are you sure you're not running with more of your out-of-tree code..?

If not, what are the steps to reproduce..?