From: Dan Williams
Subject: Re: [BUG] kernel NULL pointer dereference observed during pmem btt switch test
Date: Sat, 30 Jul 2016 08:52:23 -0700
References: <622794958.9574724.1469674652262.JavaMail.zimbra@redhat.com> <1762637089.9575520.1469676013321.JavaMail.zimbra@redhat.com>
To: Yi Zhang
Cc: linux-block-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-nvdimm
List-Id: linux-nvdimm@lists.01.org

On Thu, Jul 28, 2016 at 8:50 AM, Dan Williams wrote:
> [ adding linux-block ]
>
> On Wed, Jul 27, 2016 at 8:20 PM, Yi Zhang wrote:
>> Hello everyone
>>
>> Could you help check this issue, thanks.
>>
>> Steps I used:
>> 1. Reserve 4*8G of memory for pmem by add kernel parameter "memmap=8G!4G memmap=8G!12G memmap=8G!20G memmap=8G!28G"
>> 2. Execute below script
>> #!/bin/bash
>> pmem_btt_switch() {
>>     sector_size_list="512 520 528 4096 4104 4160 4224"
>>     for sector_size in $sector_size_list; do
>>         ndctl create-namespace -f -e namespace${1}.0 --mode=sector -l $sector_size
>>         ndctl create-namespace -f -e namespace${1}.0 --mode=raw
>>     done
>> }
>>
>> for i in 0 1 2 3; do
>>     pmem_btt_switch $i &
>> done
>
> Thanks for the report. This looks like del_gendisk() frees the
> previous usage of the devt before the bdi is unregistered. This
> appears to be a general problem with all block drivers, not just
> libnvdimm, since blk_cleanup_queue() is typically called after
> del_gendisk(). I.e. it will always be the case that the bdi
> registered with the devt allocated at add_disk() will still be alive
> when del_gendisk()->disk_release() frees the previous devt number.
>
> I *think* the path forward is to allow the bdi to hold a reference
> against the blk_alloc_devt() allocation until it is done with it. Any
> other ideas on fixing this object lifetime problem?

Does the attached patch solve this for you?

--001a11352e78831a750538dc5a69
Content-Type: text/x-patch; charset=US-ASCII; name="0001-block-fix-bdi-vs-gendisk-lifetime-mismatch.patch"
Content-Disposition: attachment; filename="0001-block-fix-bdi-vs-gendisk-lifetime-mismatch.patch"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ir9cw9c30
--001a11352e78831a750538dc5a69--
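
The lifetime problem described in the message above, modelled in user space as an added example; it is not kernel code and not part of the original mail or its attached patch. All names (`struct disk`, `disk_add`, `disk_put`, `teardown_window`, `bdi_pins_owner`) are hypothetical stand-ins, and the model assumes the allocator always hands out the lowest free number.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* User-space model only: every name here is hypothetical, not a kernel API. */
#define NMINORS 4
struct disk { int minor, refs; };  /* stands in for a gendisk and its devt */
static bool minor_used[NMINORS];   /* stands in for the devt allocator */
static bool bdi_name[NMINORS];     /* stands in for the bdi sysfs names */

static void disk_put(struct disk *d)
{
    if (--d->refs == 0)
        minor_used[d->minor] = false;  /* last reference gone: number reusable */
}

/* Models add_disk(): take the lowest free number, register a bdi named after it. */
static int disk_add(struct disk *d, bool bdi_pins_owner)
{
    int m = 0;
    while (m < NMINORS && minor_used[m])
        m++;
    if (m == NMINORS)
        return -1;                     /* out of numbers */
    if (bdi_name[m])
        return -2;                     /* name still live: duplicate sysfs entry */
    minor_used[m] = bdi_name[m] = true;
    d->minor = m;
    d->refs = bdi_pins_owner ? 2 : 1;  /* the disk's own ref, plus the bdi's if it pins */
    return m;
}

/* The old disk is deleted, a new disk is added, and only then is the old bdi
 * unregistered. Returns what the second disk_add() saw inside that window. */
static int teardown_window(bool bdi_pins_owner)
{
    struct disk a, b;
    memset(minor_used, 0, sizeof(minor_used));
    memset(bdi_name, 0, sizeof(bdi_name));
    disk_add(&a, bdi_pins_owner);
    disk_put(&a);                      /* models del_gendisk() dropping the disk */
    int rc = disk_add(&b, bdi_pins_owner);
    bdi_name[a.minor] = false;         /* models bdi_unregister(), arriving late */
    if (bdi_pins_owner)
        disk_put(&a);                  /* the bdi drops its reference on the owner */
    return rc;
}
int main(void)
{
    printf("unpinned: %d, pinned: %d\n", teardown_window(false), teardown_window(true));
    return 0;
}
```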