From patchwork Fri Feb 22 10:47:31 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bart Van Assche X-Patchwork-Id: 2175621 Return-Path: X-Original-To: patchwork-dm-devel@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from mx3-phx2.redhat.com (mx3-phx2.redhat.com [209.132.183.24]) by patchwork2.kernel.org (Postfix) with ESMTP id E0217DFABD for ; Fri, 22 Feb 2013 10:50:10 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx3-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r1MAlYxR005016; Fri, 22 Feb 2013 05:47:35 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id r1MAlXK8009264 for ; Fri, 22 Feb 2013 05:47:33 -0500 Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com [10.5.110.18]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id r1MAlX7e006290 for ; Fri, 22 Feb 2013 05:47:33 -0500 Received: from jacques.telenet-ops.be (jacques.telenet-ops.be [195.130.132.50]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r1MAlVuX020154 for ; Fri, 22 Feb 2013 05:47:32 -0500 Received: from [192.168.1.102] ([178.119.235.68]) by jacques.telenet-ops.be with bizsmtp id 3NnX1l0061VD9XW0JNnXsj; Fri, 22 Feb 2013 11:47:31 +0100 Message-ID: <51274CC3.9070204@acm.org> Date: Fri, 22 Feb 2013 11:47:31 +0100 From: Bart Van Assche User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130105 Thunderbird/17.0.2 MIME-Version: 1.0 To: device-mapper development References: <51274C2F.6070500@acm.org> In-Reply-To: <51274C2F.6070500@acm.org> X-RedHat-Spam-Score: -1.911 (BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS) X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-Scanned-By: MIMEDefang 2.68 on 10.5.110.18 X-loop: dm-devel@redhat.com Cc: Jens Axboe , linux-scsi , Mike Snitzer , James Bottomley , Tejun Heo , Alasdair G Kergon Subject: [dm-devel] [PATCH 2/2] dm: Avoid use-after-free of a mapped device X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: device-mapper development List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com As the comment above rq_completed() explains, md members must not be touched after the dm_put() at the end of that function has been invoked. Avoid that the md->queue can be run asynchronously after the last md reference has been dropped by running that queue synchronously. This patch fixes the following kernel oops: general protection fault: 0000 [#1] SMP RIP: 0010:[] [] mempool_free+0x24/0xb0 Call Trace: [] bio_put+0x97/0xc0 [] end_clone_bio+0x35/0x90 [dm_mod] [] bio_endio+0x1d/0x30 [] req_bio_endio.isra.51+0xa3/0xe0 [] blk_update_request+0x118/0x520 [] blk_update_bidi_request+0x27/0xa0 [] blk_end_bidi_request+0x2c/0x80 [] blk_end_request+0x10/0x20 [] scsi_io_completion+0xfb/0x6c0 [scsi_mod] [] scsi_finish_command+0xbd/0x120 [scsi_mod] [] scsi_softirq_done+0x13f/0x160 [scsi_mod] [] blk_done_softirq+0x80/0xa0 [] __do_softirq+0xf1/0x250 [] call_softirq+0x1c/0x30 [] do_softirq+0x8d/0xc0 [] irq_exit+0xd5/0xe0 [] do_IRQ+0x63/0xe0 [] common_interrupt+0x6f/0x6f [] srp_queuecommand+0x8c/0xcb0 [ib_srp] [] scsi_dispatch_cmd+0x148/0x310 [scsi_mod] [] scsi_request_fn+0x31e/0x520 [scsi_mod] [] __blk_run_queue+0x37/0x50 [] blk_delay_work+0x29/0x40 [] process_one_work+0x1c3/0x5c0 [] worker_thread+0x15e/0x440 [] kthread+0xdb/0xe0 [] ret_from_fork+0x7c/0xb0 Signed-off-by: Bart Van Assche Cc: Alasdair G Kergon Cc: Jens Axboe Cc: Mike Snitzer Cc: Tejun Heo Cc: James Bottomley Cc: Acked-by: Mike Snitzer --- drivers/md/dm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 314a0e2..0218fc3 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -729,13 +729,13 @@ static void rq_completed(struct mapped_device *md, int rw, int run_queue) wake_up(&md->wait); /* - * Run this off this callpath, as drivers could invoke end_io while - * inside their request_fn (and holding the queue lock). Calling - * back into ->request_fn() could deadlock attempting to grab the - * queue lock again. + * Although this function may be invoked indirectly from inside + * blk_run_queue(), invoking blk_run_queue() here is safe because that + * function returns immediately when it detects that it has been + * called recursively. */ if (run_queue) - blk_run_queue_async(md->queue); + blk_run_queue(md->queue); /* * dm_put() must be at the end of this function. See the comment above