From: Christoph Hellwig <hch@lst.de>
To: Ming Lei <ming.lei@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org,
	Dongli Zhang <dongli.zhang@oracle.com>,
	James Smart <james.smart@broadcom.com>,
	Bart Van Assche <bart.vanassche@wdc.com>,
	linux-scsi@vger.kernel.org,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Christoph Hellwig <hch@lst.de>,
	"James E . J . Bottomley" <jejb@linux.vnet.ibm.com>
Subject: Re: [PATCH V8 5/7] blk-mq: always free hctx after request queue is freed
Date: Sun, 28 Apr 2019 14:14:26 +0200
Message-ID: <20190428121426.GD4281@lst.de>
In-Reply-To: <20190428081408.27331-6-ming.lei@redhat.com>

On Sun, Apr 28, 2019 at 04:14:06PM +0800, Ming Lei wrote:
> In normal queue cleanup path, hctx is released after request queue
> is freed, see blk_mq_release().
> 
> However, in __blk_mq_update_nr_hw_queues(), hctx may be freed because
> of hw queues shrinking. This way is easy to cause use-after-free,
> because: one implicit rule is that it is safe to call almost all block
> layer APIs if the request queue is alive; and one hctx may be retrieved
> by one API, then the hctx can be freed by blk_mq_update_nr_hw_queues();
> finally use-after-free is triggered.
> 
> Fixes this issue by always freeing hctx after releasing request queue.
> If some hctxs are removed in blk_mq_update_nr_hw_queues(), introduce
> a per-queue list to hold them, then try to reuse these hctxs if numa
> node is matched.

This seems a little odd.  Wouldn't it be much simpler to just keep
the hctx where it is, that is leave the queue_hw_ctx[] pointer intact,
but have a flag marking it dead?
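
The deferred-free scheme from the quoted commit message, as an added user-space sketch that is not part of this thread or of the kernel source: contexts dropped when the hw queue count shrinks are parked on a per-queue list, reused when the NUMA node matches, and freed only at queue release. The struct layout and the names hctx_get, queue_resize and queue_release are hypothetical.

```c
/* User-space model; names are hypothetical, not the kernel's blk-mq code. */
#include <stdlib.h>
struct hctx { int numa_node, id; struct hctx *next; };
struct queue {
    struct hctx **hw_ctx;   /* active hw contexts */
    int nr_hw;
    struct hctx *unused;    /* parked contexts, freed only at release */
};
static int next_id;

/* Reuse a parked hctx on the same NUMA node, else allocate a new one. */
static struct hctx *hctx_get(struct queue *q, int node)
{
    struct hctx *h;
    for (struct hctx **pp = &q->unused; *pp; pp = &(*pp)->next) {
        if ((*pp)->numa_node != node) continue;
        h = *pp; *pp = h->next; h->next = NULL;
        return h;
    }
    if ((h = calloc(1, sizeof(*h)))) { h->numa_node = node; h->id = next_id++; }
    return h;
}
/* Resize: surplus contexts are parked on q->unused instead of being freed,
 * so a pointer fetched before the shrink stays valid while the queue lives. */
static int queue_resize(struct queue *q, int nr, const int *nodes)
{
    struct hctx **arr = calloc(nr, sizeof(*arr));
    int n = q->nr_hw < nr ? q->nr_hw : nr;
    if (!arr) return -1;
    for (int i = 0; i < q->nr_hw; i++) {
        if (i < nr) { arr[i] = q->hw_ctx[i]; continue; }
        q->hw_ctx[i]->next = q->unused;
        q->unused = q->hw_ctx[i];
    }
    for (; n < nr; n++)
        if (!(arr[n] = hctx_get(q, nodes[n]))) break;
    free(q->hw_ctx);
    q->hw_ctx = arr; q->nr_hw = n;
    return n == nr ? 0 : -1;
}

/* Queue release is the only place an hctx is freed; returns how many. */
static int queue_release(struct queue *q)
{
    int freed = 0;
    for (int i = 0; i < q->nr_hw; i++, freed++) free(q->hw_ctx[i]);
    for (struct hctx *h; (h = q->unused); freed++) { q->unused = h->next; free(h); }
    free(q->hw_ctx); q->hw_ctx = NULL; q->nr_hw = 0;
    return freed;
}
```
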

Thread overview: 16+ messages
2019-04-28  8:14 [PATCH V8 0/7] blk-mq: fix races related with freeing queue Ming Lei
2019-04-28  8:14 ` [PATCH V8 1/7] blk-mq: grab .q_usage_counter when queuing request from plug code path Ming Lei
2019-04-28 12:10   ` Christoph Hellwig
2019-04-29 18:09   ` Bart Van Assche
2019-04-30  0:48     ` Ming Lei
2019-04-28  8:14 ` [PATCH V8 2/7] blk-mq: move cancel of requeue_work into blk_mq_release Ming Lei
2019-04-28  8:14 ` [PATCH V8 3/7] blk-mq: free hw queue's resource in hctx's release handler Ming Lei
2019-04-28  8:14 ` [PATCH V8 4/7] blk-mq: split blk_mq_alloc_and_init_hctx into two parts Ming Lei
2019-04-28 12:12   ` Christoph Hellwig
2019-04-29  6:05   ` Hannes Reinecke
2019-04-30  0:50     ` Ming Lei
2019-04-28  8:14 ` [PATCH V8 5/7] blk-mq: always free hctx after request queue is freed Ming Lei
2019-04-28 12:14   ` Christoph Hellwig [this message]
2019-04-28 13:15     ` Ming Lei
2019-04-28  8:14 ` [PATCH V8 6/7] blk-mq: move cancel of hctx->run_work into blk_mq_hw_sysfs_release Ming Lei
2019-04-28  8:14 ` [PATCH V8 7/7] block: don't drain in-progress dispatch in blk_cleanup_queue() Ming Lei
