From: Ming Lei <ming.lei@redhat.com>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Hannes Reinecke <hare@suse.de>,
John Garry <john.garry@huawei.com>
Subject: Re: [PATCH] blk-mq: Fix two racy hctx->tags->rqs[] assignments
Date: Sun, 25 Apr 2021 08:13:10 +0800 [thread overview]
Message-ID: <YIS0FuSl/PVAtEZb@T590> (raw)
In-Reply-To: <20210423200109.18430-1-bvanassche@acm.org>
On Fri, Apr 23, 2021 at 01:01:09PM -0700, Bart Van Assche wrote:
> hctx->tags->rqs[] must be cleared before releasing a request tag because
> otherwise clearing that pointer races with the following assignment in
> blk_mq_get_driver_tag():
>
> rcu_assign_pointer(hctx->tags->rqs[rq->tag], rq);
>
> Reported-by: Ming Lei <ming.lei@redhat.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Ming Lei <ming.lei@redhat.com>
> Cc: Hannes Reinecke <hare@suse.de>
> Cc: John Garry <john.garry@huawei.com>
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
> block/blk-mq.c | 2 +-
> block/blk-mq.h | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 06d204796c43..1ffaab7c9b11 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -501,8 +501,8 @@ static void __blk_mq_free_request(struct request *rq)
> blk_pm_mark_last_busy(rq);
> rq->mq_hctx = NULL;
> if (rq->tag != BLK_MQ_NO_TAG) {
> - blk_mq_put_tag(hctx->tags, ctx, rq->tag);
> rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
> + blk_mq_put_tag(hctx->tags, ctx, rq->tag);
> }
> if (sched_tag != BLK_MQ_NO_TAG)
> blk_mq_put_tag(hctx->sched_tags, ctx, sched_tag);
> diff --git a/block/blk-mq.h b/block/blk-mq.h
> index 9ccb1818303b..f73cd659eb81 100644
> --- a/block/blk-mq.h
> +++ b/block/blk-mq.h
> @@ -225,8 +225,8 @@ static inline int __blk_mq_active_requests(struct blk_mq_hw_ctx *hctx)
> static inline void __blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
> struct request *rq)
> {
> - blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
> rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
> + blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
> rq->tag = BLK_MQ_NO_TAG;
>
> if (rq->rq_flags & RQF_MQ_INFLIGHT) {
>
I'd suggest to document the memory order which is key to the usage's
correctness, especially both memory barriers are implied in allocating
& releasing bit tag.
Thanks,
Ming
prev parent reply other threads:[~2021-04-25 0:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-23 20:01 [PATCH] blk-mq: Fix two racy hctx->tags->rqs[] assignments Bart Van Assche
2021-04-24 19:33 ` Jens Axboe
2021-04-25 0:13 ` Ming Lei [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YIS0FuSl/PVAtEZb@T590 \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=john.garry@huawei.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.