From: Ming Lei <ming.lei@redhat.com>
To: John Garry <john.garry@huawei.com>
Cc: "axboe@kernel.dk" <axboe@kernel.dk>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8
Date: Wed, 19 Aug 2020 16:58:43 +0800
Message-ID: <20200819085843.GA2730150@T590>
In-Reply-To: <585bb054-2009-4abc-f1e8-802e494ba49b@huawei.com>

On Wed, Aug 19, 2020 at 08:43:46AM +0100, John Garry wrote:
> On 19/08/2020 01:00, Ming Lei wrote:
> > On Tue, Aug 18, 2020 at 07:19:57PM +0100, John Garry wrote:
> > > On 18/08/2020 13:03, John Garry wrote:
> > > > Hi guys,
> > > >
> > > > JFYI, while doing some testing on v5.9-rc1, I stumbled across this:
> > >
> > > I bisected to here (hopefully without mistake):
> >
> > This one is a long-term problem, see the following discussion:
> >
> > https://lore.kernel.org/linux-block/1553492318-1810-1-git-send-email-jianchao.w.wang@oracle.com/
> >
> >
>
> ah, right. I vaguely remember this. Well, if we didn't have a reliable
> reproducer before, we do now.

OK, that is great, please try the following patch:

diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index 32d82e23b095..f18632c524e9 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -185,19 +185,19 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
{
struct bt_iter_data *iter_data = data;
struct blk_mq_hw_ctx *hctx = iter_data->hctx;
- struct blk_mq_tags *tags = hctx->tags;
+ struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
bool reserved = iter_data->reserved;
struct request *rq;
if (!reserved)
bitnr += tags->nr_reserved_tags;
- rq = tags->rqs[bitnr];
+ rq = tags->static_rqs[bitnr];
/*
* We can hit rq == NULL here, because the tagging functions
* test and set the bit before assigning ->rqs[].
*/
- if (rq && rq->q == hctx->queue)
+ if (rq && rq->tag >= 0 && rq->q == hctx->queue)
return iter_data->fn(hctx, rq, iter_data->data, reserved);
return true;
}
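
Review bot: the comment kept above the final `if` in bt_iter() still explains the NULL case by saying the tagging functions set the bit "before assigning ->rqs[]", but the lookup is now `tags->static_rqs[bitnr]`, so the stated reason no longer matches the array being read and the comment should be rewritten for the new lookup. The added `rq->tag >= 0` test also deserves a line of explanation: when `hctx->sched_tags` is selected, `bitnr` is an index into the scheduler tag space while the test is on `rq->tag`, so it should be stated that requests without a valid `rq->tag` are skipped on purpose. Nothing in the hunk orders the read of `rq->tag` against the allocation and free paths, so please document why a stale value seen here cannot lead to calling `iter_data->fn()` on a request that is being torn down, since that is the use-after-free this thread is about.
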
@@ -406,7 +406,7 @@ void blk_mq_queue_tag_busy_iter(struct request_queue *q, busy_iter_fn *fn,
return;
queue_for_each_hw_ctx(q, hctx, i) {
- struct blk_mq_tags *tags = hctx->tags;
+ struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
/*
* If no software queues are currently mapped to this
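
Review bot: the selection `hctx->sched_tags ?: hctx->tags` in blk_mq_queue_tag_busy_iter() now has to stay identical to the one added in bt_iter(), because the `bitnr` produced by iterating this `tags` is used there to index `static_rqs[]` of whatever bt_iter() picks on its own. If the two expressions ever diverge, the index and the array come from different tag sets. Consider choosing the tags once here and passing the pointer to bt_iter() through `struct bt_iter_data`, or putting the expression in one small helper that both callers use.
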
--
Ming