From: Ming Lei <ming.lei@redhat.com>
To: "jianchao.wang" <jianchao.w.wang@oracle.com>
Cc: Bart Van Assche <bart.vanassche@wdc.com>,
Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Tejun Heo <tj@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
Israel Rukshin <israelr@mellanox.com>,
Max Gurtovoy <maxg@mellanox.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v4] blk-mq: Fix race conditions in request timeout handling
Date: Tue, 10 Apr 2018 18:04:27 +0800 [thread overview]
Message-ID: <20180410100422.GA14432@ming.t460p> (raw)
In-Reply-To: <f6fcc94b-412c-1552-477e-ba0b0927006c@oracle.com>
On Tue, Apr 10, 2018 at 03:59:30PM +0800, jianchao.wang wrote:
> Hi Bart
>
> On 04/10/2018 09:34 AM, Bart Van Assche wrote:
> > If a completion occurs after blk_mq_rq_timed_out() has reset
> > rq->aborted_gstate and the request is again in flight when the timeout
> > expires then a request will be completed twice: a first time by the
> > timeout handler and a second time when the regular completion occurs
>
> Would you please detail more here about why the request could be completed twice ?
>
> Is it the scenario you described as below in https://marc.info/?l=linux-block&m=151796816127318
>
> The following race can occur between the code that resets the timer
> and completion handling:
> - The code that handles BLK_EH_RESET_TIMER resets aborted_gstate.
> - A completion occurs and blk_mq_complete_request() calls
> __blk_mq_complete_request().
> - The timeout code calls blk_add_timer() and that function sets the
> request deadline and adjusts the timer.
> - __blk_mq_complete_request() frees the request tag.
> - The timer fires and the timeout handler gets called for a freed
> request.
> If yes, how does the timeout handler get the freed request when the tag has been freed ?
Thinking of this patch further.
The issue may not be a double completion issue, and it may be the
following behaviour which breaks NVMe or other drivers easily:
1) there is long delay(synchronize_rcu()) between setting rq->aborted_gstate
and handling the timeout by blk_mq_rq_timed_out().
2) during the long delay, the rq may be completed by hardware, then
if the following timeout is handled as BLK_EH_RESET_TIMER, it is
driver's bug, and driver's .timeout() may be confused about this
behaviour, I guess.
In theory this behaviour should exist in all these approaches,
but just easier to trigger if long delay is introduced before handling
timeout.
Thanks,
Ming
next prev parent reply other threads:[~2018-04-10 10:04 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-10 1:34 [PATCH v4] blk-mq: Fix race conditions in request timeout handling Bart Van Assche
2018-04-10 7:59 ` jianchao.wang
2018-04-10 10:04 ` Ming Lei [this message]
2018-04-10 12:04 ` Shan Hai
2018-04-10 13:01 ` Bart Van Assche
2018-04-10 13:01 ` Bart Van Assche
2018-04-10 14:32 ` jianchao.wang
2018-04-10 8:41 ` Ming Lei
2018-04-10 12:58 ` Bart Van Assche
2018-04-10 12:58 ` Bart Van Assche
2018-04-10 13:55 ` Ming Lei
2018-04-10 14:09 ` Bart Van Assche
2018-04-10 14:09 ` Bart Van Assche
2018-04-10 14:30 ` Ming Lei
2018-04-10 15:02 ` Bart Van Assche
2018-04-10 15:02 ` Bart Van Assche
2018-04-10 15:25 ` Ming Lei
2018-04-10 15:30 ` tj
2018-04-10 15:38 ` Ming Lei
2018-04-10 15:40 ` tj
2018-04-10 21:33 ` tj
2018-04-10 21:46 ` Bart Van Assche
2018-04-10 21:46 ` Bart Van Assche
2018-04-10 21:54 ` tj
2018-04-11 12:50 ` Bart Van Assche
2018-04-11 12:50 ` Bart Van Assche
2018-04-11 14:16 ` tj
2018-04-11 18:38 ` Martin Steigerwald
2018-04-11 18:38 ` Martin Steigerwald
2018-04-11 14:24 ` Sagi Grimberg
2018-04-11 14:43 ` tj
2018-04-11 16:16 ` Israel Rukshin
2018-04-11 17:07 ` tj
2018-04-11 21:31 ` tj
2018-04-12 8:59 ` Israel Rukshin
2018-04-12 13:35 ` tj
2018-04-15 12:28 ` Israel Rukshin
2018-04-18 16:34 ` Bart Van Assche
2018-04-10 9:55 ` Christoph Hellwig
2018-04-10 13:26 ` Bart Van Assche
2018-04-10 13:26 ` Bart Van Assche
2018-04-10 14:50 ` hch
2018-04-10 14:41 ` Jens Axboe
2018-04-10 14:20 ` Tejun Heo
2018-04-10 14:30 ` Bart Van Assche
2018-04-10 14:30 ` Bart Van Assche
2018-04-10 14:33 ` tj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180410100422.GA14432@ming.t460p \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=bart.vanassche@wdc.com \
--cc=hch@lst.de \
--cc=israelr@mellanox.com \
--cc=jianchao.w.wang@oracle.com \
--cc=linux-block@vger.kernel.org \
--cc=maxg@mellanox.com \
--cc=sagi@grimberg.me \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.