From: Ming Lei <ming.lei@redhat.com>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: axboe@kernel.dk, yukuai3@huawei.com, bvanassche@acm.org,
	nilay@linux.ibm.com, hare@suse.de, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, yi.zhang@huawei.com,
	yangerkun@huawei.com, johnny.chenyi@huawei.com
Subject: Re: [PATCH 08/16] blk-mq: fix blk_mq_tags double free while nr_requests grown
Date: Thu, 14 Aug 2025 16:20:52 +0800
Message-ID: <aJ2cZGAWvZ0XfNr4@fedora>
In-Reply-To: <20250814033522.770575-9-yukuai1@huaweicloud.com>

On Thu, Aug 14, 2025 at 11:35:14AM +0800, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
> 
> If the user triggers a tags grow through the queue sysfs attribute
> nr_requests, hctx->sched_tags will be freed directly and replaced with
> newly allocated tags, see blk_mq_tag_update_depth().
> 
> The problem is that hctx->sched_tags is from elevator->et->tags, while
> et->tags is still the freed tags, hence a later elevator exit will try to
> free the tags again, causing a kernel panic.
> 
> Fix this problem by using the new helper blk_mq_alloc_sched_tags() to
> allocate a new sched_tags. Meanwhile, there is a long-term problem that
> can be fixed as well:
> 
> If blk_mq_tag_update_depth() succeeds for a previous hctx, then the bitmap
> depth is updated; however, if a following hctx fails, q->nr_requests is
> not updated and the previous hctx->sched_tags ends up bigger than
> q->nr_requests.
> 
> Fixes: f5a6604f7a44 ("block: fix lockdep warning caused by lock dependency in elv_iosched_store")
> Fixes: e3a2b3f931f5 ("blk-mq: allow changing of queue depth through sysfs")
> Signed-off-by: Yu Kuai <yukuai3@huawei.com>
> ---
>  block/blk-mq.c | 31 ++++++++++++++++++++-----------
>  1 file changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index a7d6a20c1524..f1c11f591c27 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -4917,6 +4917,23 @@ void blk_mq_free_tag_set(struct blk_mq_tag_set *set)
>  }
>  EXPORT_SYMBOL(blk_mq_free_tag_set);
>  
> +static int blk_mq_sched_grow_tags(struct request_queue *q, unsigned int nr)
> +{
> +	struct elevator_tags *et =
> +		blk_mq_alloc_sched_tags(q->tag_set, q->nr_hw_queues, nr);
> +	struct blk_mq_hw_ctx *hctx;
> +	unsigned long i;
> +
> +	if (!et)
> +		return -ENOMEM;
> +
> +	blk_mq_free_sched_tags(q->elevator->et, q->tag_set);
> +	queue_for_each_hw_ctx(q, hctx, i)
> +		hctx->sched_tags = et->tags[i];
> +	q->elevator->et = et;
> +	return 0;
> +}
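
Review bot: in blk_mq_sched_grow_tags() the old set is released by blk_mq_free_sched_tags(q->elevator->et, q->tag_set) before the queue_for_each_hw_ctx() loop repoints hctx->sched_tags and before q->elevator->et is updated, so for that window every hctx->sched_tags and q->elevator->et still refer to freed tags. Nothing in the hunk asserts or documents that the queue is frozen or which lock the caller holds, and q->elevator is dereferenced without a check. Consider saving the old et in a local, installing the new pointers first and freeing the old set last, and adding a comment above the function that states the locking and freeze requirements and that it must only be called with an elevator attached.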

It depends on protection from elevator_lock, so it would probably be
helpful to add lockdep_assert_held(&q->elevator_lock); otherwise
this fix looks fine:

Reviewed-by: Ming Lei <ming.lei@redhat.com>


Thanks,
Ming
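
A user-space model of the ownership problem the commit message describes, added here as an illustration and not taken from the patch or the kernel. The struct names, the static pool and grow_then_exit() are constructed stand-ins, and a free is simulated by a flag so that a second free is counted rather than executed.

```c
#define NR_HW 2	/* constructed: hardware queues in this model */
/* User-space stand-ins for blk_mq_tags, elevator_tags and the request queue. */
struct tags  { unsigned int depth; int freed; };
struct etags { struct tags *tags[NR_HW]; };
struct queue { struct etags *et; struct tags *sched_tags[NR_HW]; };

static struct tags tag_pool[16];
static int tag_used, double_frees;

static struct tags *tags_alloc(unsigned int depth)
{
	tag_pool[tag_used] = (struct tags){ .depth = depth };
	return &tag_pool[tag_used++];
}

/* Marks instead of releasing memory, so a second free is counted, not UB. */
static void tags_free(struct tags *t) { if (t->freed++) double_frees++; }

static void et_free(struct etags *et)
{
	for (int i = 0; i < NR_HW; i++)
		tags_free(et->tags[i]);
}

/* Grow from 64 to 128, then run "elevator exit"; returns double frees seen. */
static int grow_then_exit(int replace_whole_set)
{
	struct etags old, grown;
	struct queue q = { .et = &old };

	tag_used = double_frees = 0;
	for (int i = 0; i < NR_HW; i++)
		q.sched_tags[i] = old.tags[i] = tags_alloc(64);
	if (replace_whole_set) {	/* shape of the fix: swap the whole set */
		for (int i = 0; i < NR_HW; i++)
			grown.tags[i] = tags_alloc(128);
		et_free(q.et);
		for (int i = 0; i < NR_HW; i++)
			q.sched_tags[i] = grown.tags[i];
		q.et = &grown;
	} else {			/* old path: et->tags[i] is left stale */
		for (int i = 0; i < NR_HW; i++) {
			tags_free(q.sched_tags[i]);
			q.sched_tags[i] = tags_alloc(128);
		}
	}
	et_free(q.et);			/* elevator exit frees through et */
	return double_frees;
}
```

grow_then_exit(0) models the per-hctx replacement and reports one double free per hardware queue; grow_then_exit(1) models replacing the whole set and reports none.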

