Received: by 2002:a05:7412:f584:b0:e2:908c:2ebd with SMTP id eh4csp2946018rdb; Wed, 6 Sep 2023 22:39:59 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHeyi0MxEwuqIXKImW89G9gqPNRazaW9Z7T2tF6qo1JtqWf8YbmAEGfyBFN7AVq/kFKsuiT X-Received: by 2002:a05:6a20:6710:b0:14d:5580:8ff0 with SMTP id q16-20020a056a20671000b0014d55808ff0mr11989601pzh.25.1694065199474; Wed, 06 Sep 2023 22:39:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694065199; cv=none; d=google.com; s=arc-20160816; b=cELr9a81RykTlNcigvTgiL6mTfqMfAMcvPV+wKCDRyJg0TSfCkr9JPSFHVR5GnZJof cSbv6CwlrLEs/WwcKMEIGW19yY05KpnG+Nuyupw9912+DbY6gLm2GkTmELpZ1KyFHPJf c3rJVJk3nQ7J99QzlLJoYgHwQR0ZsyAYu/U5EngQXOYzm5Eb/83sEn/j8WlpeRAj1uMm 5vzDqeUPktUKBEijrluH8fqr6tC7/H07JP2D7nSFyQg0SVTrubxeS+f4X3BqkHUvtjS0 L+joiQ9mIefGeiJpYe0HNIAC1UMctijhr3uJ36SOFFlpuTD5e8q/tx3QYInb5WRx50RF xwCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=ze2uDYzOpOAOnA/uFXt4wbuW1dxErn02W2Ug/zxc18A=; fh=sbrVAjNL7xrzhkWhCAn2NfokEJdEGRxxTGQn7JhyOfw=; b=uCHJ6LV9l4hyhpc+Kvlc7OJ8qRk5JEyYIvhhJRng6VvKovvArAvk3/lolbfhqUTTx1 LpNFrT6OKshFSn1jGrlOLcqQA1bsrpTEM0VnN+c2xLqEVtvqMbuSvdoLzN33aw5ur8Tq oeugTcS9qQyyNWj20eNnDqm1kni5pjRe8/iKHCgjrgTtY0kyf2a/g0/xSiGBeF+UJP5R 0xn4UX2xsjr1BRWZl8rvl8wSyutxJ5YYq+OAtHISUgZ7CMcm0lBmVJdOkjXF0zOHV5NH 9uFJfv1uQy10GHpSyWRu9IA3Lfo/NQv+t5yUX1W0wNKsHlIR5f3eTB+dLwTZf4rMZQuj 7+JA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sangfor.com.cn Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t16-20020a17090340d000b001c0ab540e62si12882204pld.277.2023.09.06.22.39.48; Wed, 06 Sep 2023 22:39:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sangfor.com.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240850AbjIGBue (ORCPT + 66 others); Wed, 6 Sep 2023 21:50:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230271AbjIGBue (ORCPT ); Wed, 6 Sep 2023 21:50:34 -0400 X-Greylist: delayed 319 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 06 Sep 2023 18:50:28 PDT Received: from mail-m3191.qiye.163.com (mail-m3191.qiye.163.com [103.74.31.91]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46539E73; Wed, 6 Sep 2023 18:50:27 -0700 (PDT) Received: from [0.0.0.0] (unknown [IPV6:240e:3b7:3271:d360:6019:3b45:b56:d340]) by mail-m15581.qiye.163.com (Hmail) with ESMTPA id 1EE3F72017C; Thu, 7 Sep 2023 09:45:06 +0800 (CST) Message-ID: <77e3e206-fbc7-04ca-41f7-13d6b8435b45@sangfor.com.cn> Date: Thu, 7 Sep 2023 09:45:03 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0 Subject: Re: [PATCH] scsi: scsi_dh_rdac: Avoid crash when a disk attach failed Content-Language: en-US To: Mike Christie , Huang Cun , jejb@linux.ibm.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org Cc: pengdonglin@sangfor.com.cn References: <20230803112841.588822-1-huangcun@sangfor.com.cn> From: Ding Hui In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWS1ZQUlXWQ8JGhUIEh9ZQVkZSRpNVh5KGR0fGUoaSEofGlUTARMWGhIXJBQOD1 lXWRgSC1lBWUlPSx5BSBlMQUhJTEpBH0hNS0FNS0pCQUgZT05BGU5NQR9IT0tZV1kWGg8SFR0UWU FZT0tIVUpNT0lMTlVKS0tVSkJLS1kG X-HM-Tid: 0a8a6d507ed12e9ekusn1ee3f72017c X-HM-MType: 1 X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NyI6FTo5Qz1OMx4aDgFLEg86 DysaCz5VSlVKTUJPS05KSktMS0hOVTMWGhIXVR8SFRwTDhI7CBoVHB0UCVUYFBZVGBVFWVdZEgtZ QVlJT0seQUgZTEFISUxKQR9ITUtBTUtKQkFIGU9OQRlOTUEfSE9LWVdZCAFZQU9CTkw3Bg++ X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2023/9/6 23:51, Mike Christie wrote: > On 8/3/23 6:28 AM, Huang Cun wrote: >> When a disk fails to attach, the struct rdac_dh_data is released, >> but it is not removed from the ctlr->dh_list. When attaching another >> disk, the released rdac_dh_data will be accessed and the following >> BUG_ON() may be observed: >> >> [ 414.696167] scsi 5:0:0:7: rdac: Attach failed (8) >> ... >> [ 423.615364] kernel BUG at drivers/scsi/device_handler/scsi_dh_rdac.c:427! >> [ 423.615731] invalid opcode: 0000 [#1] SMP NOPTI >> ... >> [ 423.623247] Call Trace: >> [ 423.623598] rdac_bus_attach+0x203/0x4c0 >> [ 423.623949] ? scsi_dh_handler_attach+0x2d/0x90 >> [ 423.624300] scsi_dh_handler_attach+0x2d/0x90 >> [ 423.624652] scsi_sysfs_add_sdev+0x88/0x270 >> [ 423.625004] scsi_probe_and_add_lun+0xc47/0xd50 >> [ 423.625354] scsi_report_lun_scan+0x339/0x3b0 >> [ 423.625705] __scsi_scan_target+0xe9/0x220 >> [ 423.626056] scsi_scan_target+0xf6/0x100 >> [ 423.626404] fc_scsi_scan_rport+0xa5/0xb0 >> [ 423.626757] process_one_work+0x15e/0x3f0 >> [ 423.627106] worker_thread+0x4c/0x440 >> [ 423.627453] ? rescuer_thread+0x350/0x350 >> [ 423.627804] kthread+0xf8/0x130 >> [ 423.628153] ? kthread_destroy_worker+0x40/0x40 >> [ 423.628509] ret_from_fork+0x1f/0x40 >> >> Fixes: 1a5dc166cd88 ("scsi_dh_rdac: update 'access_state' field") >> Signed-off-by: Huang Cun >> Signed-off-by: Ding Hui >> Cc: Donglin Peng >> --- >> drivers/scsi/device_handler/scsi_dh_rdac.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c >> index c5538645057a..9d487c2b7708 100644 >> --- a/drivers/scsi/device_handler/scsi_dh_rdac.c >> +++ b/drivers/scsi/device_handler/scsi_dh_rdac.c >> @@ -762,8 +762,10 @@ static int rdac_bus_attach(struct scsi_device *sdev) >> >> clean_ctlr: >> spin_lock(&list_lock); >> + list_del_rcu(&h->node); >> kref_put(&h->ctlr->kref, release_controller); >> spin_unlock(&list_lock); >> + synchronize_rcu(); >> > > Should this be: > > spin_lock(&list_lock); > list_del_rcu(&h->node); > spin_unlock(&list_lock); > > synchronize_rcu(); > > kref_put(&h->ctlr->kref, release_controller); > > > ? > > If you do the synchronize_rcu after the kref_put, then the kref_put > could free the rdac_dh_data, while check_ownership is still > accessing the rdac_dh_data, right? > You are right. But I think we should keep the kref_put() and release callback be protected by list_lock, and only free the ctlr after synchronize_rcu(). So how about the additional modify (not yet tested): --- a/drivers/scsi/device_handler/scsi_dh_rdac.c +++ b/drivers/scsi/device_handler/scsi_dh_rdac.c @@ -166,6 +166,7 @@ struct rdac_controller { struct scsi_device *ms_sdev; struct list_head ms_head; struct list_head dh_list; + struct rcu_head rcu; }; struct c2_inquiry { @@ -320,7 +321,7 @@ static void release_controller(struct kref *kref) ctlr = container_of(kref, struct rdac_controller, kref); list_del(&ctlr->node); - kfree(ctlr); + kfree_rcu(ctlr, rcu); } static struct rdac_controller *get_controller(int index, char *array_name, -- Thanks, - Ding Hui