Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queueresources at blk_release_queue())

From: Hannes Reinecke
Date: Wed Nov 02 2011 - 08:44:28 EST

Next message: Avi Kivity: "Re: [PATCH v2 0/9] perf support for x86 guest/host-only bits"
Previous message: Ricardo Ribalda Delgado: "Re: [PATCHv4 1/6] input/cma3000_d0x: Support devices without pdata"
In reply to: Jun'ichi Nomura: "Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queueresources at blk_release_queue())"
Next in thread: Heiko Carstens: "Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queueresources at blk_release_queue())"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/02/2011 01:37 PM, Jun'ichi Nomura wrote:

On 10/31/11 22:00, Heiko Carstens wrote:
On Mon, Oct 31, 2011 at 08:46:06PM +0900, Jun'ichi Nomura wrote:
Hm, dm_softirq_done is generic completion code of original
request in dm-multipath.
So oops here might be another manifestation of use-after-free.

Do you always hit the oops at the same address?

I think we saw this bug the first time. But before that the scsi
logging level was higher. Gonzalo is trying to recreate it with
the same (old) scsi logging level.
Afterwards we will try with barrier=0.

Both on v3.0.7 btw.

Could you find corresponding source code line for
the crashed address, dm_softirq_done+0x72/0x140,
and which pointer was invalid?

It crashes in the inlined function dm_done() when trying to
dereference tio (aka clone->end_io_data):

static void dm_done(struct request *clone, int error, bool mapped)
{
int r = error;
struct dm_rq_target_io *tio = clone->end_io_data;
dm_request_endio_fn rq_end_io = tio->ti->type->rq_end_io;

Thank you. But, hmm. I have no idea about scenario.

struct dm_rq_target_io is a container of clone request
and clone->end_io_data points to its container.

struct dm_rq_target_io {
struct mapped_device *md;
struct dm_target *ti;
struct request *orig, clone;
int error;
union map_info info;
};

If clone can be dereferenced, clone->end_io_data should be, too.

Well, actually it _always_ can be dereferenced.

At the very least we'd need to do an integrity check, ie
if the pointer 'clone->end_io_data' is indeed of the
required type.
More to the point, the end_io_data pointer could've been
assigned to something else; so even though the pointer is set
(which we don't check, either), it might not be pointing
to a 'struct dm_rq_target_io'.

Cheers,

Hannes
--
Dr. Hannes Reinecke zSeries & Storage
hare@xxxxxxx +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Avi Kivity: "Re: [PATCH v2 0/9] perf support for x86 guest/host-only bits"
Previous message: Ricardo Ribalda Delgado: "Re: [PATCHv4 1/6] input/cma3000_d0x: Support devices without pdata"
In reply to: Jun'ichi Nomura: "Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queueresources at blk_release_queue())"
Next in thread: Heiko Carstens: "Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queueresources at blk_release_queue())"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]