From: Keith Busch <kbusch@kernel.org>
To: "jianchao.wang" <jianchao.w.wang@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>,
	linux-block <linux-block@vger.kernel.org>,
	James Smart <jsmart2021@gmail.com>,
	Bart Van Assche <bvanassche@acm.org>,
	Ming Lei <tom.leiming@gmail.com>,
	Josef Bacik <josef@toxicpanda.com>,
	linux-nvme <linux-nvme@lists.infradead.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"Busch, Keith" <keith.busch@intel.com>,
	Hannes Reinecke <hare@suse.de>,
	Johannes Thumshirn <jthumshirn@suse.de>,
	Christoph Hellwig <hch@lst.de>, Sagi Grimberg <sagi@grimberg.me>
Subject: Re: [PATCH V2 7/8] nvme: use blk_mq_queue_tag_inflight_iter
Date: Wed, 27 Mar 2019 00:51:56 -0600
Message-ID: <20190327065156.GC7389@localhost.localdomain>
In-Reply-To: <9f3a574d-d2ea-3fd0-472c-85ad0bae4daf@oracle.com>

On Wed, Mar 27, 2019 at 10:45:33AM +0800, jianchao.wang wrote:
> 1. a hctx->fq.flush_rq of dead request_queue that shares the same tagset
>    The whole request_queue is cleaned up and freed, so the hctx->fq.flush is freed back to a slab
>
> 2. a removed io scheduler's sched request
>    The io scheduler is detached and all of the structures are freed, including the pages where sched
>    requests are located.
> 
> So the pointers in tags->rqs[] may point to memory that is not used as a blk layer request.

Oh, free as in kfree'd, not blk_mq_free_request. So it's a read-after-
free that you're concerned about, not that anyone explicitly changed a
request->state.

We at least can't free the flush_queue until the queue is frozen. If the
queue is frozen, we've completed the special fq->flush_rq where its end_io
replaces tags->rqs[tag] back to the fq->orig_rq from the static_rqs,
so nvme's iterator couldn't see the fq->flush_rq address if it's invalid.

The sched_tags concern, though, appears theoretically possible.
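
[Added example, not part of the thread and not kernel code: a userspace C model of the two cases discussed above, showing why the flush_rq slot is restored before the free while a scheduler request can stay behind in tags->rqs[]. The pool/alive bookkeeping and the names set_pool, sched_rq, stale(), sched_removed() and flush_freed() are hypothetical; "freed" is modelled as a flag so nothing reads released memory.]

```c
#include <stdbool.h>
#include <stdio.h>

/* "Freed" is a flag on the owning pool; the model never reads released memory. */
struct pool { bool alive; };
struct request { struct pool *owner; };

static struct pool set_pool = { true }, sched_pool = { true }, flush_pool = { true };
static struct request set_rqs[2] = { { &set_pool }, { &set_pool } };
static struct request sched_rq = { &sched_pool }, flush_rq = { &flush_pool };
static struct request *static_rqs[2] = { &set_rqs[0], &set_rqs[1] }; /* owned by the tag set */
static struct request *rqs[2];                  /* models tags->rqs[]: last request per tag */

/* Would an iterator over slots[] dereference a released request at this tag? */
static bool stale(struct request *const *slots, int tag)
{
    return slots[tag] && !slots[tag]->owner->alive;
}

/* Case 2: a scheduler request ran on tag 0, then the scheduler is removed. */
static bool sched_removed(void)
{
    rqs[0] = &sched_rq;
    sched_pool.alive = false;   /* assumption of this model: nothing resets rqs[0] */
    return stale(rqs, 0);
}

/* Case 1: flush_rq borrows tag 1. With end_io_ran the slot is put back to the
 * static request before the flush queue is released, as the reply describes;
 * end_io_ran == false is the hypothetical ordering that freezing rules out. */
static bool flush_freed(bool end_io_ran)
{
    rqs[1] = &flush_rq;
    if (end_io_ran)
        rqs[1] = static_rqs[1];
    flush_pool.alive = false;
    return stale(rqs, 1);
}

int main(void)
{
    printf("sched removed: rqs[0] stale=%d\n", sched_removed());
    printf("sched removed: static_rqs[0] stale=%d\n", stale(static_rqs, 0));
    printf("flush freed after end_io: rqs[1] stale=%d\n", flush_freed(true));
    printf("flush freed without end_io: rqs[1] stale=%d\n", flush_freed(false));
    return 0;
}
```

In the model, walking static_rqs[] never reaches the scheduler's pool, which is the property the series title "use static_rqs to iterate busy tags" relies on.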
