[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e4187af0-e278-9ba0-780b-eb1206c441f6@cogentembedded.com>
Date: Wed, 15 Jun 2016 14:11:45 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: DingXiang <dingxiang@...wei.com>, tj@...nel.org,
linux-ide@...r.kernel.org, fangwei1@...wei.com, miaoxie@...wei.com,
wangyijing@...wei.com, zhangaihua1@...wei.com,
zhaohongjiang@...wei.com, houtao1@...wei.com
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH resend] libata:fix kernel panic when hotplug
On 6/15/2016 12:15 PM, DingXiang wrote:
> From: Miao Xie <miaoxie@...wei.com>
>
> In normal condition,if we use sas protocol and hotplug a sata disk on a port,
> the sas driver will send event "PORTE_BYTES_DMAED" and call function "sas_porte_bytes_dmaed".
> But if a sata disk is run io and unplug it,then plug a new sata disk,this operation may cause
> a kernel panic like this:
> [ 2366.923208] Unable to handle kernel NULL pointer dereference at virtual address 000007b8
> [ 2366.949253] pgd = ffffffc00121d000
> [ 2366.971164] [000007b8] *pgd=00000027df893003, *pud=00000027df893003, *pmd=00000027df894003, *pte=006000006d000707
> [ 2367.022822] Internal error: Oops: 96000005 [#1] SMP
> [ 2367.048490] Modules linked in: dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) crc32_arm64(E) aes_ce_blk(E) ablk_helper(E) cryptd(E) aes_ce_cipher(E) ghash_ce(E) sha2_ce(E) sha1_ce(E) ses(E) enclosure(E) shpchp(E) marvell(E)
> [ 2367.144808] CPU: 16 PID: 710 Comm: kworker/16:1 Tainted: G E 4.1.23-next.aarch64 #1
> [ 2367.180161] Hardware name: Huawei Taishan 2280 /BC11SPCC, BIOS 1.28 05/14/2016
> [ 2367.213305] Workqueue: events ata_scsi_hotplug
> [ 2367.244296] task: ffffffe7db9b5e00 ti: ffffffe7db1a0000 task.ti: ffffffe7db1a0000
> [ 2367.279949] PC is at sas_find_dev_by_rphy+0x48/0x118
> [ 2367.312045] LR is at sas_find_dev_by_rphy+0x40/0x118
> [ 2367.341970] pc : [<ffffffc00065c3b0>] lr : [<ffffffc00065c3a8>] pstate: 00000145
> ...
> [ 2368.766334] Call trace:
> [ 2368.781712] [<ffffffc00065c3b0>] sas_find_dev_by_rphy+0x48/0x118
> [ 2368.800394] [<ffffffc00065c4a8>] sas_target_alloc+0x28/0x98
> [ 2368.817975] [<ffffffc00063e920>] scsi_alloc_target+0x248/0x308
> [ 2368.835570] [<ffffffc000640080>] __scsi_add_device+0xb8/0x160
> [ 2368.853034] [<ffffffc0006e52d8>] ata_scsi_scan_host+0x190/0x230
> [ 2368.871614] [<ffffffc0006e54b0>] ata_scsi_hotplug+0xc8/0xe8
> [ 2368.889152] [<ffffffc0000da75c>] process_one_work+0x164/0x438
> [ 2368.908003] [<ffffffc0000dab74>] worker_thread+0x144/0x4b0
> [ 2368.924613] [<ffffffc0000e0ffc>] kthread+0xfc/0x110
> [ 2368.940923] Code: aa1303e0 97ff5deb 34ffff80 d1082273 (f943de76)
>
> This because "dev_to_shost" in "sas_find_dev_by_rphy" return a NULL point,and SHOST_TO_SAS_HA used it,so kernel panic happed.
>
> why dev_to_shost return a NULL point?
> Because in "__scsi_add_device" ,struct device *parent = &shost->shost_gendev,and in "scsi_alloc_target", "*parent" is
> assigned to "starget->dev.parent",then "sas_target_alloc" will get "struct sas_rphy" according "starget->dev.parent",
> and in "sas_find_dev_by_rphy" , we will get "struct Scsi_Host *shost" acording "rphy->dev.parent",we will find that
> rphy->dev.parent = shost->shost_gendev.parent, and shost_gendev.parent is "ap->tdev",there is no parent any more,so "dev_to_shost"
> return a NULL point.
>
> when the panic will happen?
> When libata is handling error,and add hotplug_task to workqueue,
> if a new sata disk pluged at the same time,the libata hotplug task will run and panic will happen.
>
> In fact,we don't need libata to deal with hotplug in sas enviroment.So we can't run ata hotplug task when ata port is sas host.
>
> Signed-off-by:Dingxiang <dingxiang@...wei.com>
> Signed-off-by:Chenqilin <chenqilin2@...wei.com>
Space is needed after colon in the above 2 lines as well.
[...]
MBR, Sergei
Powered by blists - more mailing lists