<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">From: Jun'ichi Nomura &lt;j-nomura@ce.jp.nec.com&gt;

This patch fixes a regression introduced in v3.8, which causes oops
like this when dm-multipath is used:

general protection fault: 0000 [#1] SMP
RIP: 0010:[&lt;ffffffff810fe754&gt;]  [&lt;ffffffff810fe754&gt;] mempool_free+0x24/0xb0
Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffff81187417&gt;] bio_put+0x97/0xc0
  [&lt;ffffffffa02247a5&gt;] end_clone_bio+0x35/0x90 [dm_mod]
  [&lt;ffffffff81185efd&gt;] bio_endio+0x1d/0x30
  [&lt;ffffffff811f03a3&gt;] req_bio_endio.isra.51+0xa3/0xe0
  [&lt;ffffffff811f2f68&gt;] blk_update_request+0x118/0x520
  [&lt;ffffffff811f3397&gt;] blk_update_bidi_request+0x27/0xa0
  [&lt;ffffffff811f343c&gt;] blk_end_bidi_request+0x2c/0x80
  [&lt;ffffffff811f34d0&gt;] blk_end_request+0x10/0x20
  [&lt;ffffffffa000b32b&gt;] scsi_io_completion+0xfb/0x6c0 [scsi_mod]
  [&lt;ffffffffa000107d&gt;] scsi_finish_command+0xbd/0x120 [scsi_mod]
  [&lt;ffffffffa000b12f&gt;] scsi_softirq_done+0x13f/0x160 [scsi_mod]
  [&lt;ffffffff811f9fd0&gt;] blk_done_softirq+0x80/0xa0
  [&lt;ffffffff81044551&gt;] __do_softirq+0xf1/0x250
  [&lt;ffffffff8142ee8c&gt;] call_softirq+0x1c/0x30
  [&lt;ffffffff8100420d&gt;] do_softirq+0x8d/0xc0
  [&lt;ffffffff81044885&gt;] irq_exit+0xd5/0xe0
  [&lt;ffffffff8142f3e3&gt;] do_IRQ+0x63/0xe0
  [&lt;ffffffff814257af&gt;] common_interrupt+0x6f/0x6f
  &lt;EOI&gt;
  [&lt;ffffffffa021737c&gt;] srp_queuecommand+0x8c/0xcb0 [ib_srp]
  [&lt;ffffffffa0002f18&gt;] scsi_dispatch_cmd+0x148/0x310 [scsi_mod]
  [&lt;ffffffffa000a38e&gt;] scsi_request_fn+0x31e/0x520 [scsi_mod]
  [&lt;ffffffff811f1e57&gt;] __blk_run_queue+0x37/0x50
  [&lt;ffffffff811f1f69&gt;] blk_delay_work+0x29/0x40
  [&lt;ffffffff81059003&gt;] process_one_work+0x1c3/0x5c0
  [&lt;ffffffff8105b22e&gt;] worker_thread+0x15e/0x440
  [&lt;ffffffff8106164b&gt;] kthread+0xdb/0xe0
  [&lt;ffffffff8142db9c&gt;] ret_from_fork+0x7c/0xb0

The regression was introduced by the change
c0820cf5 "dm: introduce per_bio_data", where dm started to replace
bioset during table replacement.
For bio-based dm, it is good because clone bios do not exist during the
table replacement.
For request-based dm, however, (not-yet-mapped) clone bios may stay in
request queue and survive during the table replacement.
So freeing the old bioset could cause the oops in bio_put().

Since the size of front_pad may change only with bio-based dm,
it is not necessary to replace bioset for request-based dm.

Reported-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Tested-by: Bart Van Assche &lt;bvanassche@acm.org&gt;
Signed-off-by: Jun'ichi Nomura &lt;j-nomura@ce.jp.nec.com&gt;
Acked-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Acked-by: Mike Snitzer &lt;snitzer@redhat.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Alasdair G Kergon &lt;agk@redhat.com&gt;

---
 drivers/md/dm.c |   30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

Index: linux/drivers/md/dm.c
===================================================================
--- linux.orig/drivers/md/dm.c
+++ linux/drivers/md/dm.c
@@ -1947,15 +1947,27 @@ static void __bind_mempools(struct mappe
 {
 	struct dm_md_mempools *p = dm_table_get_md_mempools(t);
 
-	if (md-&gt;io_pool &amp;&amp; (md-&gt;tio_pool || dm_table_get_type(t) == DM_TYPE_BIO_BASED) &amp;&amp; md-&gt;bs) {
-		/*
-		 * The md already has necessary mempools. Reload just the
-		 * bioset because front_pad may have changed because
-		 * a different table was loaded.
-		 */
-		bioset_free(md-&gt;bs);
-		md-&gt;bs = p-&gt;bs;
-		p-&gt;bs = NULL;
+	if (md-&gt;io_pool &amp;&amp; md-&gt;bs) {
+		/* The md already has necessary mempools. */
+		if (dm_table_get_type(t) == DM_TYPE_BIO_BASED) {
+			/*
+			 * Reload bioset because front_pad may have changed
+			 * because a different table was loaded.
+			 */
+			bioset_free(md-&gt;bs);
+			md-&gt;bs = p-&gt;bs;
+			p-&gt;bs = NULL;
+		} else if (dm_table_get_type(t) == DM_TYPE_REQUEST_BASED) {
+			BUG_ON(!md-&gt;tio_pool);
+			/*
+			 * There's no need to reload with request-based dm
+			 * because the size of front_pad doesn't change.
+			 * Note for future: If you are to reload bioset,
+			 * prep-ed requests in the queue may refer
+			 * to bio from the old bioset, so you must walk
+			 * through the queue to unprep.
+			 */
+		}
 		goto out;
 	}
 
</pre></body></html>