Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp125291pxb; Tue, 12 Jan 2021 22:27:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJwDJewd5NtgyFaF7/7G/REVnP3PhXVn6PA93LezJVfpnVPGbDVnOBH3Hg1LV8PfzLtQmytP X-Received: by 2002:a17:906:68b:: with SMTP id u11mr436348ejb.195.1610519250946; Tue, 12 Jan 2021 22:27:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610519250; cv=none; d=google.com; s=arc-20160816; b=s9zft9UDnxETTZKJ8Sgiuwn+u1bLapaa5nVyMrfQ/dju+LsFXpXGKjeqh+7b0eSmcw s5FtP/uxDXN+vzXw26WSUgY3wJmnrubI4scAp3kkVKR0x19vSSkGzKRXUSKjbVlJsg3X SDq04RPwarUCcMkOUiM6bDV7DuAeXTTJWBUYSozhNNjLVqxzYgQUatPGqkwvdJpnC2aM OtIAUspM87EodeooQJVjZ2HpwrzwMwt6ukT3fUCHjai0t/Qv5GxfV8tk5Ubd9Nutyet4 GgJLS9TS8/HRubXMWSk0bhlmRgK5ETE4vkn6PQM+Ut9OZIHnvFF1+wd4k8BBVC54x2nY 7kVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=z61CVqSzNzMlo1M35YUfl4qLGoXBlhuFvWX8IJItYJQ=; b=MXkeSSdb0wGsiKAnEaDGn7stuaXy88lU1WM+fYs6/B0UewtHDJ/E5TLl0ymaGrgKN1 sw7OKX1vaR9aCnMvA6kMBvDb7dxWCdYtWTlaUTmvlNfZNOWL7V608WJdHex7otbUodss H18U7++BdINESw1JXuWnQaUYYFWSar7EElgZvr09RjIYzZGYlRpicJb6SF8AIJhEl4Xn fbIvkbBu6EU2HrFTCCPeax+2EGE4LfYylq0mu5ZyDYi8xYlmjY7MNZD+C0+9XKxgdHm6 SNjUYqwfz5kc74jZgYt+wFyZWzjj95MOm1RzW342BP5zPvFRvfp+OPGcGg+HOgW83Kfv MXkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id md16si478394ejb.563.2021.01.12.22.27.07; Tue, 12 Jan 2021 22:27:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725927AbhAMGZo (ORCPT + 99 others); Wed, 13 Jan 2021 01:25:44 -0500 Received: from szxga04-in.huawei.com ([45.249.212.190]:10718 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725770AbhAMGZo (ORCPT ); Wed, 13 Jan 2021 01:25:44 -0500 Received: from DGGEMS403-HUB.china.huawei.com (unknown [172.30.72.60]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4DFy7f04gfzl3jM; Wed, 13 Jan 2021 14:23:42 +0800 (CST) Received: from huawei.com (10.175.127.227) by DGGEMS403-HUB.china.huawei.com (10.3.19.203) with Microsoft SMTP Server id 14.3.498.0; Wed, 13 Jan 2021 14:24:49 +0800 From: Ye Bin To: , , , CC: Ye Bin Subject: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach Date: Wed, 13 Jan 2021 14:31:03 +0800 Message-ID: <20210113063103.2698953-1-yebin10@huawei.com> X-Mailer: git-send-email 2.25.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We get follow BUG_ON when rdac scan: [595952.944297] kernel BUG at drivers/scsi/device_handler/scsi_dh_rdac.c:427! [595952.951143] Internal error: Oops - BUG: 0 [#1] SMP ...... [595953.251065] Call trace: [595953.259054] check_ownership+0xb0/0x118 [595953.269794] rdac_bus_attach+0x1f0/0x4b0 [595953.273787] scsi_dh_handler_attach+0x3c/0xe8 [595953.278211] scsi_dh_add_device+0xc4/0xe8 [595953.282291] scsi_sysfs_add_sdev+0x8c/0x2a8 [595953.286544] scsi_probe_and_add_lun+0x9fc/0xd00 [595953.291142] __scsi_scan_target+0x598/0x630 [595953.295395] scsi_scan_target+0x120/0x130 [595953.299481] fc_user_scan+0x1a0/0x1c0 [scsi_transport_fc] [595953.304944] store_scan+0xb0/0x108 [595953.308420] dev_attr_store+0x44/0x60 [595953.312160] sysfs_kf_write+0x58/0x80 [595953.315893] kernfs_fop_write+0xe8/0x1f0 [595953.319888] __vfs_write+0x60/0x190 [595953.323448] vfs_write+0xac/0x1c0 [595953.326836] ksys_write+0x74/0xf0 [595953.330221] __arm64_sys_write+0x24/0x30 BUG_ON code is in check_ownership: list_for_each_entry_rcu(tmp, &h->ctlr->dh_list, node) { /* h->sdev should always be valid */ BUG_ON(!tmp->sdev); tmp->sdev->access_state = access_state; } rdac_bus_attach initialize_controller list_add_rcu(&h->node, &h->ctlr->dh_list); h->sdev = sdev; rdac_bus_detach list_del_rcu(&h->node); h->sdev = NULL; Test as follow steps: (1) Find IO error, remove disk; (2) Insert disk back; (3) trigger scan disk; There is race between rdac_bus_attach and rdac_bus_detach, maybe access rdac_dh_data which h->sdev has been set NULL when process rdac attach. And also find that "h->sdev" set value after add list, this may lead to reference NULL ptr. Signed-off-by: Ye Bin --- drivers/scsi/device_handler/scsi_dh_rdac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c index 5efc959493ec..85a71bafaea7 100644 --- a/drivers/scsi/device_handler/scsi_dh_rdac.c +++ b/drivers/scsi/device_handler/scsi_dh_rdac.c @@ -453,8 +453,8 @@ static int initialize_controller(struct scsi_device *sdev, if (!h->ctlr) err = SCSI_DH_RES_TEMP_UNAVAIL; else { - list_add_rcu(&h->node, &h->ctlr->dh_list); h->sdev = sdev; + list_add_rcu(&h->node, &h->ctlr->dh_list); } spin_unlock(&list_lock); err = SCSI_DH_OK; @@ -778,11 +778,11 @@ static void rdac_bus_detach( struct scsi_device *sdev ) spin_lock(&list_lock); if (h->ctlr) { list_del_rcu(&h->node); - h->sdev = NULL; kref_put(&h->ctlr->kref, release_controller); } spin_unlock(&list_lock); sdev->handler_data = NULL; + synchronize_rcu(); kfree(h); } -- 2.25.4