<html><head><meta http-equiv="content-type" content="text/html; charset=us-ascii"><style>body { line-height: 1.5; }body { font-size: 10.5pt; font-family: 'Segoe UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div><span style="font-family: 'Segoe UI'; font-size: 14px; color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none;">We got a NULL pointer exception when testing the two concurrent<br>
"vgchange -ay -K <vg name>".</span></div><div><span style="font-family: 'Segoe UI'; font-size: 14px; color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none;">panic call trace:<br>
PID: 25992 TASK: ffff883cd7d23500 CPU: 4 COMMAND: "vgchange"<br>
#0 [ffff883cd743d600] machine_kexec at ffffffff81038fa9<br>
#1 [ffff883cd743d660] crash_kexec at ffffffff810c5992<br>
#2 [ffff883cd743d730] oops_end at ffffffff81515c90<br>
#3 [ffff883cd743d760] no_context at ffffffff81049f1b<br>
#4 [ffff883cd743d7b0] __bad_area_nosemaphore at ffffffff8104a1a5<br>
#5 [ffff883cd743d800] bad_area at ffffffff8104a2ce<br>
#6 [ffff883cd743d830] __do_page_fault at ffffffff8104aa6f<br>
#7 [ffff883cd743d950] do_page_fault at ffffffff81517bae<br>
#8 [ffff883cd743d980] page_fault at ffffffff81514f95<br>
[exception RIP: kmem_cache_alloc+108]<br>
RIP: ffffffff8116ef3c RSP: ffff883cd743da38 RFLAGS: 00010046<br>
RAX: 0000000000000004 RBX: ffffffff81121b90 RCX: ffff881bf1e78cc0<br>
RDX: 0000000000000000 RSI: 00000000000000d0 RDI: 0000000000000000<br>
RBP: ffff883cd743da68 R8: ffff881bf1a4eb00 R9: 0000000080042000<br>
R10: 0000000000002000 R11: 0000000000000000 R12: 00000000000000d0<br>
R13: 0000000000000000 R14: 00000000000000d0 R15: 0000000000000246<br>
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018<br>
#9 [ffff883cd743da70] mempool_alloc_slab at ffffffff81121ba5<br>
#10 [ffff883cd743da80] mempool_create_node at ffffffff81122083<br>
#11 [ffff883cd743dad0] mempool_create at ffffffff811220f4<br>
#12 [ffff883cd743dae0] pool_ctr at ffffffffa08de049 [dm_thin_pool]<br>
#13 [ffff883cd743dbd0] dm_table_add_target at ffffffffa0005f2f [dm_mod]<br>
#14 [ffff883cd743dc30] table_load at ffffffffa0008ba9 [dm_mod]<br>
#15 [ffff883cd743dc90] ctl_ioctl at ffffffffa0009dc4 [dm_mod]<br>
this bug's scene is as follows:<br>
process A(vgchange -ay -K):<br>
<span style="white-space: pre;"> </span>a. send DM_LIST_VERSIONS_CMD ioctl;<br>
<span style="white-space: pre;"> </span>b. pool_target not registered;<br>
<span style="white-space: pre;"> </span>c. modprobe dm_thin_pool and wait until end.<br>
process B(vgchange -ay -K):<br>
<span style="white-space: pre;"> </span>a. send DM_LIST_VERSIONS_CMD ioctl;<br>
<span style="white-space: pre;"> </span>b. pool_target registered;<br>
<span style="white-space: pre;"> </span>c. table_load->dm_table_add_target->pool_ctr;<br>
<span style="white-space: pre;"> </span>d. _new_mapping_cache is NULL and panic.<br>
note:<br>
<span style="white-space: pre;"> </span>1. process A and process B are two concurrent processes.<br>
<span style="white-space: pre;"> </span>2. 
pool_target can be detected by process B but<br> <span style="white-space: pre;"> </span>_new_mapping_cache initialization has not ended.<br> All that we need do is to ensure pool_target registering ops<br> is the last ops in dm_thin_init.<br><br>Signed-off-by: monty <monty_pavel@sina.com><br>---<br> drivers/md/dm-thin.c | 22 ++++++++++------------<br> 1 files changed, 10 insertions(+), 12 deletions(-)<br><br>diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c<br>index 89e5dff..f91d771 100644<br>--- a/drivers/md/dm-thin.c<br>+++ b/drivers/md/dm-thin.c<br>@@ -4355,30 +4355,28 @@ static void thin_io_hints(struct dm_target *ti, struct queue_limits *limits)<br> <br> static int __init dm_thin_init(void)<br> {<br>-<span style="white-space: pre;"> </span>int r;<br>+<span style="white-space: pre;"> </span>int r = -ENOMEM;<br> <br> <span style="white-space: pre;"> </span>pool_table_init();<br> <br>+<span style="white-space: pre;"> </span>_new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);<br>+<span style="white-space: pre;"> </span>if (!_new_mapping_cache)<br>+<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>return r;<br>+<br> <span style="white-space: pre;"> </span>r = dm_register_target(&thin_target);<br> <span style="white-space: pre;"> </span>if (r)<br>-<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>return r;<br>+<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>goto bad_new_mapping_cache;<br> <br> <span style="white-space: pre;"> </span>r = dm_register_target(&pool_target);<br> <span style="white-space: pre;"> </span>if (r)<br>-<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>goto bad_pool_target;<br>-<br>-<span style="white-space: pre;"> </span>r = -ENOMEM;<br>-<br>-<span style="white-space: pre;"> </span>_new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);<br>-<span style="white-space: pre;"> </span>if 
(!_new_mapping_cache)<br>-<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>goto bad_new_mapping_cache;<br>+<span style="white-space: pre;"> </span><span style="white-space: pre;"> </span>goto bad_thin_target;<br> <br> <span style="white-space: pre;"> </span>return 0;<br> <br>-bad_new_mapping_cache:<br>-<span style="white-space: pre;"> </span>dm_unregister_target(&pool_target);<br>-bad_pool_target:<br>+bad_thin_target:<br> <span style="white-space: pre;"> </span>dm_unregister_target(&thin_target);<br>+bad_new_mapping_cache:<br>+<span style="white-space: pre;"> </span>kmem_cache_destroy(_new_mapping_cache);<br> <br> <span style="white-space: pre;"> </span>return r;<br> }<br>-- <br>1.7.1</span></div>
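Review bot: the ordering that closes the race, creating _new_mapping_cache before either dm_register_target() call in dm_thin_init(), is not documented anywhere in the function, so a later change could add or move a setup step below the pool_target registration and reopen the window in which pool_ctr runs against a NULL cache. Add a short comment above the two registrations stating that targets are registered only after every resource their constructors use has been created. Two smaller points in the same hunk: the early exit is clearer as "return -ENOMEM;" than as "int r = -ENOMEM;" followed by "return r;", which would also leave the "int r;" declaration untouched; and the error labels now name the step being undone rather than the step that failed (the jump to bad_new_mapping_cache is taken when the thin_target registration fails), so it is worth checking that this matches the label convention used elsewhere in the file.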
</body></html>