Date:	Fri, 4 Nov 2011 10:12:41 +0100
From:	Heiko Carstens <heiko.carstens@...ibm.com>
To:	"Jun'ichi Nomura" <j-nomura@...jp.nec.com>
Cc:	James Bottomley <James.Bottomley@...senPartnership.com>,
	Steffen Maier <maier@...ux.vnet.ibm.com>,
	"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
	Jens Axboe <axboe@...nel.dk>, Hannes Reinecke <hare@...e.de>,
	Linux Kernel <linux-kernel@...r.kernel.org>,
	Alan Stern <stern@...land.harvard.edu>,
	Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com>,
	"Taraka R. Bodireddy" <tarak.reddy@...ibm.com>,
	"Seshagiri N. Ippili" <seshagiri.ippili@...ibm.com>,
	"Manvanthara B. Puttashankar" <mputtash@...ibm.com>,
	Jeff Moyer <jmoyer@...hat.com>,
	Shaohua Li <shaohua.li@...el.com>,
	Mike Snitzer <snitzer@...hat.com>, gmuelas@...ibm.com
Subject: Re: [GIT PULL] Queue free fix (was Re: [PATCH] block: Free queue
 resources at blk_release_queue())

On Fri, Nov 04, 2011 at 01:07:53PM +0900, Jun'ichi Nomura wrote:
> Thanks, ok it was ti which was invalid. Not tio.
> ti is a pointer to dm table entry, which is vmalloc-ed.
> So it means the dm table was replaced while I/O was in-flight.
> 
> dm has a mechanism to prevent it: in dm_suspend(),
> stop_queue() is called to stop block queue processing
> and no new I/O becomes in-flight after that.
> Then all in-flight I/Os are waited to be completed or requeued
> (dm_wait_for_completion()).
> If the wait was successful, the table can become "suspended",
> i.e. ready to be replaced.
> 
> So ti should be always valid.
> Hmm..

Here is another one (crash at same place in code). Might be of interest
since userspace triggered a call to dm_suspend(). While executing, an irq
arrives and the same crash as observed before happened:

[96875.876768] Unable to handle kernel pointer dereference at virtual kernel address 000003e004bcf000
[96875.876773] Oops: 0011 [#2] PREEMPT SMP DEBUG_PAGEALLOC
[96875.876780] Modules linked in: dm_round_robin sunrpc ipv6 qeth_l2 binfmt_misc dm_multipath scsi_dh dm_mod qeth ccwgroup [last unloaded: scsi_wait_scan]
[96875.876800] CPU: 0 Tainted: G      D W   3.0.7-50.x.20111024-s390xdefault #1
[96875.876804] Process kpartx (pid: 36986, task: 0000000058754750, ksp: 000000005874b318)
[96875.876808] Krnl PSW : 0704000180000000 000003e0012e363a (dm_softirq_done+0x72/0x140 [dm_mod])
[96875.876819]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0 EA:3
[96875.876825] Krnl GPRS: 000000007b9156b0 000003e004bcf100 00000000586f2f40 0000000000000065
[96875.876829]            00000000586f3610 00000000717a9f58 0000000000000002 0000000000000005
[96875.876834]            0000000000000000 0400000000000102 00000000717a9f70 0000000000000000
[96875.876838]            000003e0012e1000 000003e0012f0098 000000007a9c7c40 000000007a9c7bf0
[96875.876852] Krnl Code: 000003e0012e362a: f0a0000407f1        srp     4(11,%r0),2033,0
[96875.876858]            000003e0012e3630: e31050080004        lg      %r1,8(%r5)
[96875.876864]            000003e0012e3636: 58b05180            l       %r11,384(%r5)
[96875.876869]           >000003e0012e363a: e31010080004        lg      %r1,8(%r1)
[96875.876875]            000003e0012e3640: e31010500004        lg      %r1,80(%r1)
[96875.876880]            000003e0012e3646: b9020011            ltgr    %r1,%r1
[96875.876885]            000003e0012e364a: a784ffdf            brc     8,3e0012e3608
[96875.876891]            000003e0012e364e: e32050080004        lg      %r2,8(%r5)
[96875.876895] Call Trace:
[96875.876898] ([<070000000040716c>] 0x70000000040716c)
[96875.876902]  [<000000000040d29c>] blk_done_softirq+0xd4/0xf0
[96875.876909]  [<00000000001587c2>] __do_softirq+0xda/0x398
[96875.876914]  [<000000000010f47e>] do_softirq+0xe2/0xe8
[96875.876919]  [<0000000000158e2c>] irq_exit+0xc8/0xcc
[96875.876924]  [<00000000004ceb48>] do_IRQ+0x910/0x1bfc
[96875.876930]  [<000000000061a164>] io_return+0x0/0x16
[96875.876935]  [<000000000061c2a0>] sub_preempt_count+0x34/0xd4
[96875.876941] ([<000000005874ba38>] 0x5874ba38)
[96875.876945]  [<000000000061918c>] _raw_spin_unlock_irq+0x50/0x7c
[96875.876951]  [<00000000001729ea>] flush_workqueue_prep_cwqs+0x222/0x4dc
[96875.876959]  [<0000000000174718>] flush_workqueue+0x1e8/0x4c0
[96875.876964]  [<000003e0012e63e8>] dm_suspend+0x174/0x384 [dm_mod]
[96875.876973]  [<000003e0012ebe1e>] dev_suspend+0x21e/0x250 [dm_mod]
[96875.876983]  [<000003e0012eccb6>] ctl_ioctl+0x1e2/0x2f4 [dm_mod]
[96875.876992]  [<000003e0012ecdf2>] dm_ctl_ioctl+0x2a/0x38 [dm_mod]
[96875.877000]  [<0000000000291c98>] do_vfs_ioctl+0x94/0x588
[96875.877005]  [<0000000000292220>] SyS_ioctl+0x94/0xac
[96875.877010]  [<0000000000619af2>] sysc_noemu+0x16/0x1c
[96875.877015]  [<000003fffd32f7ca>] 0x3fffd32f7ca
[96875.877019] INFO: lockdep is turned off.
[96875.877022] Last Breaking-Event-Address:
[96875.877025]  [<000003e0012e3600>] dm_softirq_done+0x38/0x140 [dm_mod]
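
Added example, not part of the original message: a short Python triage of the oops above that separates the frames that ran in interrupt context from the frames of the interrupted task, showing that the completion softirq ran while kpartx was inside dm_suspend(). The `triage` helper and the use of `do_IRQ`/`io_return` as boundary markers are assumptions of this example; the sample input is an abridged excerpt of the log above.

```python
import re

# Excerpt of the oops quoted in the message above (timestamps dropped, trace abridged).
OOPS = """\
Unable to handle kernel pointer dereference at virtual kernel address 000003e004bcf000
Process kpartx (pid: 36986, task: 0000000058754750, ksp: 000000005874b318)
Krnl PSW : 0704000180000000 000003e0012e363a (dm_softirq_done+0x72/0x140 [dm_mod])
Call Trace:
([<070000000040716c>] 0x70000000040716c)
 [<000000000040d29c>] blk_done_softirq+0xd4/0xf0
 [<00000000001587c2>] __do_softirq+0xda/0x398
 [<0000000000158e2c>] irq_exit+0xc8/0xcc
 [<00000000004ceb48>] do_IRQ+0x910/0x1bfc
 [<000000000061a164>] io_return+0x0/0x16
 [<0000000000174718>] flush_workqueue+0x1e8/0x4c0
 [<000003e0012e63e8>] dm_suspend+0x174/0x384 [dm_mod]
 [<000003e0012ebe1e>] dev_suspend+0x21e/0x250 [dm_mod]
 [<0000000000292220>] SyS_ioctl+0x94/0xac
"""

FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
PSW_FN = re.compile(r"Krnl PSW : \S+ \S+ \(([\w.]+)\+")
FAULT = re.compile(r"virtual kernel address ([0-9a-f]+)")
PROC = re.compile(r"Process (\S+) \(pid: (\d+)")
# Assumption: these frames mark the interrupt-entry boundary, as in the trace above.
IRQ_ENTRY = {"do_IRQ", "io_return"}

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def triage(text):
    """Summarise an oops: faulting function and which frames ran in IRQ context."""
    head, _, trace = text.partition("Call Trace:")
    # The last-branch record is not a stack frame; keep it out of the trace.
    trace = trace.split("Last Breaking-Event-Address")[0]
    frames = FRAME.findall(trace)
    # Frames printed up to the entry stub ran on top of the interrupted task.
    marks = [i for i, f in enumerate(frames) if f in IRQ_ENTRY]
    cut = marks[-1] + 1 if marks else 0
    irq, task = frames[:cut], frames[cut:]
    return {
        "fault_addr": _first(FAULT, head),
        "process": _first(PROC, head),
        "faulting_fn": _first(PSW_FN, head),
        "irq_frames": irq,
        "task_frames": task,
        # True when softirq completion ran while the task was inside dm_suspend().
        "softirq_during_suspend": "__do_softirq" in irq and "dm_suspend" in task,
    }
```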