From: Jens Axboe <axboe@kernel.dk>
To: Ming Lei <tom.leiming@gmail.com>,
David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: KVM list <kvm@vger.kernel.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"linux-kernel@vger.kernel.org >> Linux Kernel Mailing List"
<linux-kernel@vger.kernel.org>,
Virtualization List <virtualization@lists.linux-foundation.org>,
Christian Borntraeger <borntraeger@de.ibm.com>
Subject: Re: blk-mq crash under KVM in multiqueue block code (with virtio-blk and ext4)
Date: Wed, 17 Sep 2014 08:22:27 -0600 [thread overview]
Message-ID: <54199923.9010201@kernel.dk> (raw)
In-Reply-To: <20140917215226.426f6ce7@tom-ThinkPad-T410>
On 2014-09-17 07:52, Ming Lei wrote:
> On Wed, 17 Sep 2014 14:00:34 +0200
> David Hildenbrand <dahi@linux.vnet.ibm.com> wrote:
>
>>>>>> Does anyone have an idea?
>>>>>> The request itself is completely filled with cc
>>>>>
>>>>> That is very weird, the 'rq' is got from hctx->tags, and rq should be
>>>>> valid, and rq->q shouldn't have been changed even though it was
>>>>> double free or double allocation.
>>>>>
>>>>>> I am currently asking myself if blk_mq_map_request should protect against softirq here but I cant say for sure,as I have never looked into that code before.
>>>>>
>>>>> No, it needn't the protection.
>>>>>
>>>>> Thanks,
>>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe kvm" in
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>>
>>>
>>
>> Digging through the code, I think I found a possible cause:
>>
>> tags->rqs[..] is not initialized with zeroes (via alloc_pages_node in
>> blk-mq.c:blk_mq_init_rq_map()).
>
> Yes, it may cause problem when the request is allocated at the 1st time,
> and timeout handler may comes just after the allocation and before its
> initialization, then oops triggered because of garbage data in the request.
>
> --
> From ffd0824b7b686074c2d5d70bc4e6bba3ba56a30c Mon Sep 17 00:00:00 2001
> From: Ming Lei <ming.lei@canonical.com>
> Date: Wed, 17 Sep 2014 21:00:34 +0800
> Subject: [PATCH] blk-mq: initialize request before the 1st allocation
>
> Otherwise the request can be accessed from timeout handler
> just after its 1st allocation from tag pool and before
> initialization in blk_mq_rq_ctx_init(), so cause oops since
> the request is filled up with garbage data.
>
> Signed-off-by: Ming Lei <ming.lei@canonical.com>
> ---
> block/blk-mq.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 4aac826..d24673f 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -514,6 +514,10 @@ struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
> {
> struct request *rq = tags->rqs[tag];
>
> + /* uninitialized request */
> + if (!rq->q || rq->tag == -1)
> + return rq;
> +
> if (!is_flush_request(rq, tag))
> return rq;
>
> @@ -1401,6 +1405,12 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
> left -= to_do * rq_size;
> for (j = 0; j < to_do; j++) {
> tags->rqs[i] = p;
> +
> + /* Avoiding early access from timeout handler */
> + tags->rqs[i]->tag = -1;
> + tags->rqs[i]->q = NULL;
> + tags->rqs[i]->cmd_flags = 0;
> +
> if (set->ops->init_request) {
> if (set->ops->init_request(set->driver_data,
> tags->rqs[i], hctx_idx, i,
Another way would be to ensure that the timeout handler doesn't touch
hw_ctx or tag_sets that aren't fully initialized yet. But I think this
is safer/cleaner.
--
Jens Axboe
WARNING: multiple messages have this Message-ID (diff)
From: Jens Axboe <axboe@kernel.dk>
To: Ming Lei <tom.leiming@gmail.com>,
David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>,
rusty Russell <rusty@rustcorp.com.au>,
"Michael S. Tsirkin" <mst@redhat.com>,
KVM list <kvm@vger.kernel.org>,
Virtualization List <virtualization@lists.linux-foundation.org>,
"linux-kernel@vger.kernel.org >> Linux Kernel Mailing List"
<linux-kernel@vger.kernel.org>
Subject: Re: blk-mq crash under KVM in multiqueue block code (with virtio-blk and ext4)
Date: Wed, 17 Sep 2014 08:22:27 -0600 [thread overview]
Message-ID: <54199923.9010201@kernel.dk> (raw)
In-Reply-To: <20140917215226.426f6ce7@tom-ThinkPad-T410>
On 2014-09-17 07:52, Ming Lei wrote:
> On Wed, 17 Sep 2014 14:00:34 +0200
> David Hildenbrand <dahi@linux.vnet.ibm.com> wrote:
>
>>>>>> Does anyone have an idea?
>>>>>> The request itself is completely filled with cc
>>>>>
>>>>> That is very weird, the 'rq' is got from hctx->tags, and rq should be
>>>>> valid, and rq->q shouldn't have been changed even though it was
>>>>> double free or double allocation.
>>>>>
>>>>>> I am currently asking myself if blk_mq_map_request should protect against softirq here but I cant say for sure,as I have never looked into that code before.
>>>>>
>>>>> No, it needn't the protection.
>>>>>
>>>>> Thanks,
>>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe kvm" in
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>>
>>>
>>
>> Digging through the code, I think I found a possible cause:
>>
>> tags->rqs[..] is not initialized with zeroes (via alloc_pages_node in
>> blk-mq.c:blk_mq_init_rq_map()).
>
> Yes, it may cause problem when the request is allocated at the 1st time,
> and timeout handler may comes just after the allocation and before its
> initialization, then oops triggered because of garbage data in the request.
>
> --
> From ffd0824b7b686074c2d5d70bc4e6bba3ba56a30c Mon Sep 17 00:00:00 2001
> From: Ming Lei <ming.lei@canonical.com>
> Date: Wed, 17 Sep 2014 21:00:34 +0800
> Subject: [PATCH] blk-mq: initialize request before the 1st allocation
>
> Otherwise the request can be accessed from timeout handler
> just after its 1st allocation from tag pool and before
> initialization in blk_mq_rq_ctx_init(), so cause oops since
> the request is filled up with garbage data.
>
> Signed-off-by: Ming Lei <ming.lei@canonical.com>
> ---
> block/blk-mq.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 4aac826..d24673f 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -514,6 +514,10 @@ struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
> {
> struct request *rq = tags->rqs[tag];
>
> + /* uninitialized request */
> + if (!rq->q || rq->tag == -1)
> + return rq;
> +
> if (!is_flush_request(rq, tag))
> return rq;
>
> @@ -1401,6 +1405,12 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
> left -= to_do * rq_size;
> for (j = 0; j < to_do; j++) {
> tags->rqs[i] = p;
> +
> + /* Avoiding early access from timeout handler */
> + tags->rqs[i]->tag = -1;
> + tags->rqs[i]->q = NULL;
> + tags->rqs[i]->cmd_flags = 0;
> +
> if (set->ops->init_request) {
> if (set->ops->init_request(set->driver_data,
> tags->rqs[i], hctx_idx, i,
Another way would be to ensure that the timeout handler doesn't touch
hw_ctx or tag_sets that aren't fully initialized yet. But I think this
is safer/cleaner.
--
Jens Axboe
next prev parent reply other threads:[~2014-09-17 14:22 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-11 10:26 blk-mq crash under KVM in multiqueue block code (with virtio-blk and ext4) Christian Borntraeger
2014-09-11 10:26 ` Christian Borntraeger
2014-09-12 10:56 ` Christian Borntraeger
2014-09-12 10:56 ` Christian Borntraeger
2014-09-12 11:54 ` Ming Lei
2014-09-12 11:54 ` Ming Lei
2014-09-12 20:09 ` Christian Borntraeger
2014-09-12 20:09 ` Christian Borntraeger
2014-09-17 7:59 ` Christian Borntraeger
2014-09-17 7:59 ` Christian Borntraeger
2014-09-17 10:01 ` Ming Lei
2014-09-17 10:01 ` Ming Lei
2014-09-17 12:00 ` David Hildenbrand
2014-09-17 13:52 ` Ming Lei
2014-09-17 13:52 ` Ming Lei
2014-09-17 13:52 ` Ming Lei
2014-09-17 14:11 ` David Hildenbrand
2014-09-17 14:11 ` David Hildenbrand
2014-09-17 14:22 ` Jens Axboe [this message]
2014-09-17 14:22 ` Jens Axboe
2014-09-17 15:24 ` Ming Lei
2014-09-17 15:24 ` Ming Lei
2014-09-17 19:09 ` David Hildenbrand
2014-09-17 19:09 ` David Hildenbrand
2014-09-17 20:16 ` Jens Axboe
2014-09-17 20:16 ` Jens Axboe
2014-09-18 2:13 ` Ming Lei
2014-09-18 2:13 ` Ming Lei
2014-09-17 12:00 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54199923.9010201@kernel.dk \
--to=axboe@kernel.dk \
--cc=borntraeger@de.ibm.com \
--cc=dahi@linux.vnet.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=tom.leiming@gmail.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.