From patchwork Fri Jun 27 04:01:30 2014
X-Patchwork-Submitter: Minfei Huang
X-Patchwork-Id: 4433701
X-Patchwork-Delegate: snitzer@redhat.com
From: Minfei Huang
To: agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, neilb@suse.de
Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, Minfei Huang
Date: Fri, 27 Jun 2014 12:01:30 +0800
Message-Id: <1403841690-4401-1-git-send-email-huangminfei@ucloud.cn>
Subject: [dm-devel] [PATCH] dm-io: Prevent the dangling point of the sync io callback function

BUG: unable to handle kernel NULL pointer dereference at 0000000000000046
IP: [] dec_count+0x5f/0x80 [dm_mod]
PGD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:02.2/0000:02:00.0/host0/scsi_host/host0/proc_name
Pid: 2708, comm: kcopyd Tainted: G W --------------- H 2.6.32-279.19.5.el6.ucloud.x86_64 #1 Dell Inc. PowerEdge R720xd/0DCWD1
RIP: 0010:[] [] dec_count+0x5f/0x80 [dm_mod]
RSP: 0018:ffff880100603c30 EFLAGS: 00010246
RAX: 0000000000000046 RBX: ffff8817968a5c30 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8817968a5c00
RBP: ffff880100603c50 R08: 0000000000000000 R09: 0000000000000000
R10: ffff880caa594cc0 R11: 0000000000000000 R12: ffff8817968a5c80
R13: ffffffff81013963 R14: 0000000000001000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff880100600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000046 CR3: 000000020c309000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kcopyd (pid: 2708, threadinfo ffff88180cd26000, task ffff881841c9aa80)
Stack:
 ffff880100603c40 ffff880aa8b32300 0000000000000000 ffff8817968a5c00
 ffff880100603c80 ffffffffa000a12a 0000000000000000 ffff880aa8b32300
 0000000000000000 ffff880caa594cc0 ffff880100603c90 ffffffff811bcf6d
Call Trace:
 [] endio+0x4a/0x70 [dm_mod]
 [] bio_endio+0x1d/0x40
 [] req_bio_endio+0x9b/0xe0
 [] blk_update_request+0x104/0x500
 [] ? blk_update_request+0x321/0x500
 [] blk_update_bidi_request+0x27/0xa0
 [] blk_end_bidi_request+0x2f/0x80
 [] blk_end_request+0x10/0x20
 [] scsi_io_completion+0xaf/0x6c0
 [] scsi_finish_command+0xc2/0x130
 [] scsi_softirq_done+0x145/0x170
 [] blk_done_softirq+0x8d/0xa0
 [] __do_softirq+0xdf/0x210
 [] call_softirq+0x1c/0x30
 [] do_softirq+0xad/0xe0
 [] irq_exit+0x95/0xa0
 [] do_IRQ+0x75/0xf0
 [] ret_from_intr+0x0/0x16

The value of the rdi register (0xffff8817968a5c00) is the io pointer. If it is
sync io, the address of the io point must be allocated from the stack. So:

crash> struct thread_info ffff8817968a4000
struct thread_info {
  task = 0xffff88180cd9a580,
  exec_domain = 0xffffffff81a98ac0,
  ...
}
crash> struct task_struct 0xffff88180cd9a580
struct task_struct {
  state = 2,
  stack = 0xffff8817968a4000,
  ...
}

It shows the value exactly when using the value of the io address.

The io address in the callback function will become the dangling point, caused
by the thread of the sync io being woken up by other threads and returning to
relieve the io address.

Signed-off-by: Minfei Huang
Signed-off-by: Minfei Huang
--- drivers/md/dm-io.c | 19 +++++++++++++++---- 1 files changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c index 3842ac7..f992913 100644 --- a/drivers/md/dm-io.c +++ b/drivers/md/dm-io.c @@ -38,6 +38,7 @@ struct io { void *context; void *vma_invalidate_address; unsigned long vma_invalidate_size; + atomic_t wakeup; } __attribute__((aligned(DM_IO_MAX_REGIONS))); static struct kmem_cache *_dm_io_cache; @@ -121,10 +122,16 @@ static void dec_count(struct io *io, unsigned int region, int error) invalidate_kernel_vmap_range(io->vma_invalidate_address, io->vma_invalidate_size); - if (io->sleeper) - wake_up_process(io->sleeper); + if (io->sleeper) { + struct task_struct *sleeper = io->sleeper; - else { + atomic_set(&io->wakeup, 1); +/* + * The thread may be waked up by other threads, + * if then the sync io point will become the dangling pointer + */ + wake_up_process(sleeper); + } else { unsigned long r = io->error_bits; io_notify_fn fn = io->callback; void *context = io->context; @@ -401,12 +408,14 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions, io->vma_invalidate_address = dp->vma_invalidate_address; io->vma_invalidate_size = dp->vma_invalidate_size; + atomic_set(&io->wakeup, 0); + dispatch_io(rw, num_regions, where, dp, io, 1); while (1) { set_current_state(TASK_UNINTERRUPTIBLE); - if (!atomic_read(&io->count)) + if (atomic_read(&io->wakeup)) break; io_schedule(); 
@@ -442,6 +451,8 @@ static int async_io(struct dm_io_client *client, unsigned int num_regions, io->vma_invalidate_address = dp->vma_invalidate_address; io->vma_invalidate_size = dp->vma_invalidate_size; + atomic_set(&io->wakeup, 0); + dispatch_io(rw, num_regions, where, dp, io, 0); return 0; }
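Review bot: in the dec_count hunk, atomic_set(&io->wakeup, 1) is a plain store with no ordering guarantee, and the waiter in sync_io can now leave its loop on the flag alone without having been through wake_up_process(), so if sync_io reads anything from io after the loop, nothing orders that read against the stores made before the flag. A struct completion in struct io, with complete() here and wait_for_completion_io() in sync_io, would provide the handshake and the ordering together and would replace both the local sleeper copy and the flag. The added block comment also starts at column 0; indent it with the surrounding code and place it above the atomic_set() it explains.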
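Review bot: in the sync_io hunk, the exit test of the wait loop changes from !atomic_read(&io->count) to atomic_read(&io->wakeup) with no comment saying why the count is no longer a sufficient condition. Add a comment at the loop stating that dec_count still dereferences io (io->sleeper) on its wake-up path, so the on-stack io must stay valid until wakeup is set; the new wakeup member in struct io deserves the same one-line explanation.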
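Review bot: in the async_io hunk, atomic_set(&io->wakeup, 0) initialises a flag that nothing in this patch reads on the asynchronous path: the only reader is the wait loop in sync_io, and dec_count sets it only inside the io->sleeper branch. Either drop the initialisation here or add a comment saying why it is needed.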
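The race described in the commit message, as an added user-space model (not code from the patch or from dm-io): the waiter is woken by another thread after each step of dec_count() in turn, and the model counts the wake-up points after which the completer still touches the released stack frame. struct model_io, touch(), completer_step(), run_schedule() and racy_schedules() are hypothetical names, and the three-step split of dec_count() is an assumption drawn from the lines visible in the diff.

```c
#include <stdbool.h>

/* User-space model of the on-stack struct io (field names follow the patch). */
struct model_io {
    int count;   /* outstanding regions, like io->count */
    int wakeup;  /* completion flag the patch adds */
    bool live;   /* false once sync_io() has returned and its frame is gone */
    int stale;   /* completer accesses made after the frame was released */
};

/* Every completer access to io goes through here so late ones are counted. */
static void touch(struct model_io *io) { if (!io->live) io->stale++; }

/* dec_count() on the last region, split at the points where a race can land. */
static void completer_step(struct model_io *io, bool patched, int step)
{
    touch(io);                   /* each of the three steps goes through io */
    if (step == 0)
        io->count--;             /* atomic_dec_and_test(&io->count) */
    else if (step == 2 && patched)
        io->wakeup = 1;          /* atomic_set(&io->wakeup, 1): last access */
    /* step 1 tests io->sleeper; unpatched step 2 is wake_up_process(io->sleeper).
     * The patched wake_up_process(sleeper) uses a local copy and is not modelled. */
}

/* Some other thread wakes the waiter right after completer step poll_after. */
static int run_schedule(bool patched, int poll_after)
{
    struct model_io io = { .count = 1, .wakeup = 0, .live = true, .stale = 0 };
    for (int step = 0; step < 3; step++) {
        completer_step(&io, patched, step);
        if (step == poll_after && (patched ? io.wakeup : io.count == 0))
            io.live = false;     /* waiter's exit test passes, frame released */
    }
    return io.stale;
}

/* Number of wake-up points after which the completer touches a dead frame. */
int racy_schedules(bool patched)
{
    int racy = 0;
    for (int poll_after = 0; poll_after < 3; poll_after++)
        racy += run_schedule(patched, poll_after) > 0;
    return racy;
}
```

With the count-based exit test, a wake-up after either of the first two steps releases the frame while dec_count() still has accesses to make; with the flag-based test the waiter cannot leave before the completer's last access.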