【已解决】测试发现一个umount时的异常现场

chenyu105

内核版本 2.6.32
cpu 架构 mips64
复现方法是大IO下，不停的插拔usb
异常现场如下：

1. 
   
2. CPU 1 Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b9b, epc == ffffffffc07127c4, ra == ffffffffc071271c
   
3. [<ffffffffc0638b1c>] die+0xa4/0x130
   
4. [<ffffffffc06491a0>] do_page_fault+0x2e8/0x3b8
   
5. [<ffffffffc0601024>] ret_from_exception+0x0/0x10
   
6. [<ffffffffc07127c4>] __mark_inode_dirty+0x124/0x1f8
   
7. [<ffffffffc0776c30>] ext3_put_super+0xb8/0x2c8
   
8. [<ffffffffc06ec454>] generic_shutdown_super+0x7c/0x130
   
9. [<ffffffffc06ec52c>] kill_block_super+0x24/0x50
   
10. [<ffffffffc06ed57c>] deactivate_super+0x94/0xc0
    
11. [<ffffffffc070b438>] SyS_umount+0xb8/0x4e8
    
12. [<ffffffffc06038c4>] handle_sys64+0x44/0x60
    

复制代码

出错的C代码位置是下面的bdi_cap_writeback_dirty(bdi)，即尝试访问bdi->bdi->capabilities时，
由于bdi为6b6b6b6b6b6b6b6b，导致出错。

1. void __mark_inode_dirty(struct inode *inode, int flags)
   
2. {
   
3.         struct super_block *sb = inode->i_sb;
   
4.         if (!was_dirty) {
   
5.                         struct bdi_writeback *wb = &inode_to_bdi(inode)->wb;
   
6.                         struct backing_dev_info *bdi = wb->bdi;
   
7. 
   
8.                         if (bdi_cap_writeback_dirty(bdi)

复制代码

错误位置，大概是inode_to_bdi 返回的backing_dev_info结构体内的bdi_writeback成员，
其bdi的值有问题。 根据错误地址6b6b6b6b6b6b6b9b
可以知道，这个bdi_writeback成员指向的bdi的值，已经被slab释放了。

1. #define POISON_FREE        0x6b        /* for use-after-free poisoning */

复制代码

我查了下目前内核对inode_to_bdi的补丁，感觉下面这个补丁修改了inode_to_bdi实现，
但感觉和这个故障没太大联系。大家看看这个是不是什么新的bug？

1. diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
   
2. index 5581122..ab38fef 100644
   
3. --- a/fs/fs-writeback.c
   
4. +++ b/fs/fs-writeback.c
   
5. @@ -72,22 +72,11 @@ int writeback_in_progress(struct backing_dev_info *bdi)
   
6. static inline struct backing_dev_info *inode_to_bdi(struct inode *inode)
   
7. {
   
8.         struct super_block *sb = inode->i_sb;
   
9. -       struct backing_dev_info *bdi = inode->i_mapping->backing_dev_info;
   
10. 
    
11. -       /*
    
12. -        * For inodes on standard filesystems, we use superblock's bdi. For
    
13. -        * inodes on virtual filesystems, we want to use inode mapping's bdi
    
14. -        * because they can possibly point to something useful (think about
    
15. -        * block_dev filesystem).
    
16. -        */
    
17. -       if (sb->s_bdi && sb->s_bdi != &noop_backing_dev_info) {
    
18. -               /* Some device inodes could play dirty tricks. Catch them... */
    
19. -               WARN(bdi != sb->s_bdi && bdi_cap_writeback_dirty(bdi),
    
20. -                       "Dirtiable inode bdi %s != sb bdi %s\n",
    
21. -                       bdi->name, sb->s_bdi->name);
    
22. -               return sb->s_bdi;
    
23. -       }
    
24. -       return bdi;
    
25. +       if (strcmp(sb->s_type->name, "bdev") == 0)
    
26. +               return inode->i_mapping->backing_dev_info;
    
27. +
    
28. +       return sb->s_bdi;
    
29. }

复制代码

chenyu105

这个问题，需要合入一个scsi的补丁。 在配置CONFIG_SLAB_DEBUG时容易出是因为magic number 0x6b更容易在第一现场就触发非法地址访问。

1. [SCSI] Fix oops caused by queue refcounting failure
   
2. In certain circumstances, we can get an oops from a torn down device.
   
3. Most notably this is from CD roms trying to call scsi_ioctl.
   
4. The root cause of the problem is the fact that after scsi_remove_device() has been called,
   
5. the queue is fully torn down.
   
6. This is actually wrong since the queue can be used until the sdev release function is called.
   
7. Therefore, we add an extra reference to the queue which is released in sdev->release,
   
8. so the queue always exists.
   
9. Reported-by: Parag Warudkar <parag.lkml@gmail.com>
   
10. Cc: stable@kernel.org
    
11. Signed-off-by: James Bottomley <jbottomley@parallels.com>
    

复制代码

1. diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
   
2. index 58584dc..44e8ca3 100644
   
3. --- a/drivers/scsi/scsi_scan.c
   
4. +++ b/drivers/scsi/scsi_scan.c
   
5. 
   
6. 
   
7. @@ -297,7 +297,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget,
   
8. 
   
9. 
   
10. 
    
11. kfree(sdev);
    
12. 
    
13. 
    
14. 
    
15. goto out;
    
16. 
    
17. 
    
18. 
    
19. }
    
20. 
    
21. 
    
22. 
    
23. -
    
24. 
    
25. 
    
26. 
    
27. + blk_get_queue(sdev->request_queue);
    
28. 
    
29. 
    
30. 
    
31. sdev->request_queue->queuedata = sdev;
    
32. 
    
33. 
    
34. 
    
35. scsi_adjust_queue_depth(sdev, 0, sdev->host->cmd_per_lun);
    
36. 
    
37. 
    
38. 
    
39. 
    
40. 
    
41. 
    
42. 
    
43. diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
    
44. index e639125..e0bd3f7 100644
    
45. --- a/drivers/scsi/scsi_sysfs.c
    
46. +++ b/drivers/scsi/scsi_sysfs.c
    
47. 
    
48. 
    
49. 
    
50. @@ -322,6 +322,7 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work)
    
51. 
    
52. 
    
53. 
    
54. kfree(evt);
    
55. 
    
56. 
    
57. 
    
58. }
    
59. 
    
60. 
    
61. 
    
62. 
    
63. 
    
64. 
    
65. 
    
66. + blk_put_queue(sdev->request_queue);
    
67. 
    
68. 
    
69. 
    
70. /* NULL queue means the device can't be used */
    
71. 
    
72. 
    
73. 
    
74. sdev->request_queue = NULL;
    

复制代码

beyondfly

不错，学习了。