[dm-devel] v4.3-rc2 dm-mq bug

Junichi Nomura j-nomura at ce.jp.nec.com
Wed Sep 30 00:42:25 UTC 2015


On 09/26/15 00:37, Bart Van Assche wrote:
> On 09/24/2015 05:42 PM, Junichi Nomura wrote:
>> Since __dm_destroy() depends on monotonic decrease of md->holders,
>> assertion check of !DMF_FREEING in dm_get() is a valid protection
>> from use-after-free.  If we are to remove the check, __dm_destroy()
>> should be changed to cope with the situation.
>>
>> I'm curious why there were pending I/Os after DMF_FREEING was set.
>> Is this problem reproducible with a non dm-mq setup or older kernels?
>> How did you remove the dm device in your testing?
> 
> Hello Junichi,
> 
> Thanks for stepping in.
> 
> Sorry but I do not know whether or not this problem is reproducible without dm-mq or with older kernels.
> 
> The dm device was removed via the command "dmsetup remove_all".

I tried simply repeating 'dmsetup remove_all' and multipath scan
but couldn't reproduce the problem.

However, when I added scsi device removal and rescan to the mix
the system crashed within a few seconds.  It looks like the change
in v4.3-rc which integrates scsi_dh to scsi core introduced
use-after-free.  I reported the problem to linux-scsi:
  [REGRESSION v4.3] scsi_dh: use-after-free when removing scsi device
  http://marc.info/?l=linux-scsi&m=144357350800712&w=2

Though I'm not sure if it's related to your issue, just FYI.

-- 
Jun'ichi Nomura, NEC Corporation
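
An added illustration of the invariant quoted at the top of this message (teardown relies on md->holders only going down once DMF_FREEING is set); it is not code from this post or from the kernel. It is a single-threaded userspace model in which all `model_*` names are hypothetical, and a late get is counted and undone rather than asserted on.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace model, not the kernel's struct mapped_device. */
struct model_dev {
    atomic_int  holders;   /* plays the role of md->holders */
    atomic_bool freeing;   /* plays the role of DMF_FREEING */
    int         late_gets; /* gets that arrived after teardown began */
};

void model_init(struct model_dev *d)
{
    atomic_init(&d->holders, 1);      /* creator's reference */
    atomic_init(&d->freeing, false);
    d->late_gets = 0;
}

/* Take a reference. A get after teardown started would make the count
 * rise again, so it is refused, undone and recorded. */
bool model_get(struct model_dev *d)
{
    atomic_fetch_add(&d->holders, 1);
    if (atomic_load(&d->freeing)) {
        atomic_fetch_sub(&d->holders, 1);
        d->late_gets++;
        return false;
    }
    return true;
}

void model_put(struct model_dev *d) { atomic_fetch_sub(&d->holders, 1); }

/* Teardown step 1: from here on, holders is expected only to decrease. */
void model_destroy_begin(struct model_dev *d) { atomic_store(&d->freeing, true); }

/* Teardown step 2: freeing is safe only once nobody holds the object. */
bool model_destroy_can_free(struct model_dev *d) { return atomic_load(&d->holders) == 0; }

int main(void)
{
    struct model_dev d;
    model_init(&d);
    model_get(&d);                    /* in-flight user: holders == 2 */
    model_destroy_begin(&d);
    printf("can free with users: %d\n", model_destroy_can_free(&d));
    model_put(&d); model_put(&d);     /* holders == 0 */
    printf("can free when idle:  %d\n", model_destroy_can_free(&d));
    printf("late get accepted:   %d\n", model_get(&d));
    return 0;
}
```

Without the freeing check, the final `model_get()` would succeed after teardown had already decided the object could be freed, which is the use-after-free the quoted assertion guards against.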
