From: Hannes Reinecke <hare@suse.de>
To: Ming Lei <ming.lei@redhat.com>, Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Yu Kuai <yukuai3@huawei.com>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH V3 6/6] blk-mq: manage hctx map via xarray
Date: Mon, 7 Mar 2022 08:44:24 +0100 [thread overview]
Message-ID: <065432ee-7e1b-8c21-4536-2c4a7bb6734b@suse.de> (raw)
In-Reply-To: <20220307064401.30056-7-ming.lei@redhat.com>
On 3/7/22 07:44, Ming Lei wrote:
> Firstly code becomes more clean by switching to xarray from plain array.
>
> Secondly use-after-free on q->queue_hw_ctx can be fixed because
> queue_for_each_hw_ctx() may be run when updating nr_hw_queues is
> in-progress. With this patch, q->hctx_table is defined as xarray, and
> this structure will share same lifetime with request queue, so
> queue_for_each_hw_ctx() can use q->hctx_table to lookup hctx reliably.
>
> Reported-by: Yu Kuai <yukuai3@huawei.com>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
> block/blk-mq-tag.c | 2 +-
> block/blk-mq.c | 55 ++++++++++++++++++------------------------
> block/blk-mq.h | 2 +-
> include/linux/blk-mq.h | 3 +--
> include/linux/blkdev.h | 2 +-
> 5 files changed, 28 insertions(+), 36 deletions(-)
>
> diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
> index 1850a4225e12..68ac23d0b640 100644
> --- a/block/blk-mq-tag.c
> +++ b/block/blk-mq-tag.c
> @@ -498,7 +498,7 @@ void blk_mq_queue_tag_busy_iter(struct request_queue *q, busy_tag_iter_fn *fn,
> void *priv)
> {
> /*
> - * __blk_mq_update_nr_hw_queues() updates nr_hw_queues and queue_hw_ctx
> + * __blk_mq_update_nr_hw_queues() updates nr_hw_queues and hctx_table
> * while the queue is frozen. So we can use q_usage_counter to avoid
> * racing with it.
> */
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index bffdd71c670d..a15d12fb227c 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -71,7 +71,8 @@ static int blk_mq_poll_stats_bkt(const struct request *rq)
> static inline struct blk_mq_hw_ctx *blk_qc_to_hctx(struct request_queue *q,
> blk_qc_t qc)
> {
> - return q->queue_hw_ctx[(qc & ~BLK_QC_T_INTERNAL) >> BLK_QC_T_SHIFT];
> + return xa_load(&q->hctx_table,
> + (qc & ~BLK_QC_T_INTERNAL) >> BLK_QC_T_SHIFT);
> }
>
> static inline struct request *blk_qc_to_rq(struct blk_mq_hw_ctx *hctx,
> @@ -573,7 +574,7 @@ struct request *blk_mq_alloc_request_hctx(struct request_queue *q,
> * If not tell the caller that it should skip this queue.
> */
> ret = -EXDEV;
> - data.hctx = q->queue_hw_ctx[hctx_idx];
> + data.hctx = xa_load(&q->hctx_table, hctx_idx);
> if (!blk_mq_hw_queue_mapped(data.hctx))
> goto out_queue_exit;
> cpu = cpumask_first_and(data.hctx->cpumask, cpu_online_mask);
> @@ -3437,6 +3438,8 @@ static void blk_mq_exit_hctx(struct request_queue *q,
>
> blk_mq_remove_cpuhp(hctx);
>
> + xa_erase(&q->hctx_table, hctx_idx);
> +
> spin_lock(&q->unused_hctx_lock);
> list_add(&hctx->hctx_list, &q->unused_hctx_list);
> spin_unlock(&q->unused_hctx_lock);
> @@ -3476,8 +3479,15 @@ static int blk_mq_init_hctx(struct request_queue *q,
> if (blk_mq_init_request(set, hctx->fq->flush_rq, hctx_idx,
> hctx->numa_node))
> goto exit_hctx;
> +
> + if (xa_insert(&q->hctx_table, hctx_idx, hctx, GFP_KERNEL))
> + goto exit_flush_rq;
> +
> return 0;
> > + exit_flush_rq:
> + if (set->ops->exit_request)
> + set->ops->exit_request(set, hctx->fq->flush_rq, hctx_idx);
Why is this here? It's not directly related to the xarray conversion, so
it should rather go into a separate patch.
> exit_hctx:
> if (set->ops->exit_hctx)
> set->ops->exit_hctx(hctx, hctx_idx);
> @@ -3856,7 +3866,7 @@ void blk_mq_release(struct request_queue *q)
> kobject_put(&hctx->kobj);
> }
>
> - kfree(q->queue_hw_ctx);
> + xa_destroy(&q->hctx_table);
>
> /*
> * release .mq_kobj and sw queue's kobject now because
> @@ -3946,45 +3956,28 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
> struct request_queue *q)
> {
> int i, j, end;
> - struct blk_mq_hw_ctx **hctxs = q->queue_hw_ctx;
> -
> - if (q->nr_hw_queues < set->nr_hw_queues) {
> - struct blk_mq_hw_ctx **new_hctxs;
> -
> - new_hctxs = kcalloc_node(set->nr_hw_queues,
> - sizeof(*new_hctxs), GFP_KERNEL,
> - set->numa_node);
> - if (!new_hctxs)
> - return;
> - if (hctxs)
> - memcpy(new_hctxs, hctxs, q->nr_hw_queues *
> - sizeof(*hctxs));
> - q->queue_hw_ctx = new_hctxs;
> - kfree(hctxs);
> - hctxs = new_hctxs;
> - }
>
> /* protect against switching io scheduler */
> mutex_lock(&q->sysfs_lock);
> for (i = 0; i < set->nr_hw_queues; i++) {
> int old_node;
> int node = blk_mq_get_hctx_node(set, i);
> - struct blk_mq_hw_ctx *old_hctx = hctxs[i];
> + struct blk_mq_hw_ctx *old_hctx = xa_load(&q->hctx_table, i);
>
> if (old_hctx) {
> old_node = old_hctx->numa_node;
> blk_mq_exit_hctx(q, set, old_hctx, i);
> }
>
> - hctxs[i] = blk_mq_alloc_and_init_hctx(set, q, i, node);
> - if (!hctxs[i]) {
> + if (!blk_mq_alloc_and_init_hctx(set, q, i, node)) {
> + struct blk_mq_hw_ctx *hctx;
> +
> if (!old_hctx)
> break;
> pr_warn("Allocate new hctx on node %d fails, fallback to previous one on node %d\n",
> node, old_node);
> - hctxs[i] = blk_mq_alloc_and_init_hctx(set, q, i,
> - old_node);
> - WARN_ON_ONCE(!hctxs[i]);
> + hctx = blk_mq_alloc_and_init_hctx(set, q, i, old_node);
> + WARN_ON_ONCE(!hctx);
> }
> }
> /*
> @@ -4001,12 +3994,10 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
> }
>
> for (; j < end; j++) {
> - struct blk_mq_hw_ctx *hctx = hctxs[j];
> + struct blk_mq_hw_ctx *hctx = xa_load(&q->hctx_table, j);
>
> - if (hctx) {
> + if (hctx)
> blk_mq_exit_hctx(q, set, hctx, j);
> - hctxs[j] = NULL;
> - }
Do you need to call 'xa_load' here? Isn't it sufficient to call
blk_mq_exit_hctx() and have it skip any non-present entries?
> }
> mutex_unlock(&q->sysfs_lock);
> }
> @@ -4046,6 +4037,8 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
> INIT_LIST_HEAD(&q->unused_hctx_list);
> spin_lock_init(&q->unused_hctx_lock);
>
> + xa_init(&q->hctx_table);
> +
> blk_mq_realloc_hw_ctxs(set, q);
> if (!q->nr_hw_queues)
> goto err_hctxs;
> @@ -4075,7 +4068,7 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
> return 0;
>
> err_hctxs:
> - kfree(q->queue_hw_ctx);
> + xa_destroy(&q->hctx_table);
> q->nr_hw_queues = 0;
> blk_mq_sysfs_deinit(q);
> err_poll:
> diff --git a/block/blk-mq.h b/block/blk-mq.h
> index 948791ea2a3e..2615bd58bad3 100644
> --- a/block/blk-mq.h
> +++ b/block/blk-mq.h
> @@ -83,7 +83,7 @@ static inline struct blk_mq_hw_ctx *blk_mq_map_queue_type(struct request_queue *
> enum hctx_type type,
> unsigned int cpu)
> {
> - return q->queue_hw_ctx[q->tag_set->map[type].mq_map[cpu]];
> + return xa_load(&q->hctx_table, q->tag_set->map[type].mq_map[cpu]);
> }
>
> static inline enum hctx_type blk_mq_get_hctx_type(unsigned int flags)
> diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
> index 3a41d50b85d3..7aa5c54901a9 100644
> --- a/include/linux/blk-mq.h
> +++ b/include/linux/blk-mq.h
> @@ -917,8 +917,7 @@ static inline void *blk_mq_rq_to_pdu(struct request *rq)
> }
>
> #define queue_for_each_hw_ctx(q, hctx, i) \
> - for ((i) = 0; (i) < (q)->nr_hw_queues && \
> - ({ hctx = (q)->queue_hw_ctx[i]; 1; }); (i)++)
> + xa_for_each(&(q)->hctx_table, (i), (hctx))
>
> #define hctx_for_each_ctx(hctx, ctx, i) \
> for ((i) = 0; (i) < (hctx)->nr_ctx && \
> diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
> index f757f9c2871f..a53ae40aaded 100644
> --- a/include/linux/blkdev.h
> +++ b/include/linux/blkdev.h
> @@ -355,7 +355,7 @@ struct request_queue {
> unsigned int queue_depth;
>
> /* hw dispatch queues */
> - struct blk_mq_hw_ctx **queue_hw_ctx;
> + struct xarray hctx_table;
> unsigned int nr_hw_queues;
>
> /*
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer
next prev parent reply other threads:[~2022-03-07 7:44 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-07 6:43 [PATCH V3 0/6] blk-mq: update_nr_hw_queues related improvement & bugfix Ming Lei
2022-03-07 6:43 ` [PATCH V3 1/6] blk-mq: figure out correct numa node for hw queue Ming Lei
2022-03-07 7:34 ` Hannes Reinecke
2022-03-07 6:43 ` [PATCH V3 2/6] blk-mq: simplify reallocation of hw ctxs a bit Ming Lei
2022-03-07 7:35 ` Hannes Reinecke
2022-03-07 6:43 ` [PATCH V3 3/6] blk-mq: reconfigure poll after queue map is changed Ming Lei
2022-03-07 7:10 ` Christoph Hellwig
2022-03-07 7:36 ` Hannes Reinecke
2022-03-07 6:43 ` [PATCH V3 4/6] block: mtip32xx: don't touch q->queue_hw_ctx Ming Lei
2022-03-07 7:36 ` Hannes Reinecke
2022-03-07 6:44 ` [PATCH V3 5/6] blk-mq: prepare for implementing hctx table via xarray Ming Lei
2022-03-07 7:10 ` Christoph Hellwig
2022-03-07 7:38 ` Hannes Reinecke
2022-03-07 6:44 ` [PATCH V3 6/6] blk-mq: manage hctx map " Ming Lei
2022-03-07 7:13 ` Christoph Hellwig
2022-03-07 7:44 ` Ming Lei
2022-03-07 7:44 ` Hannes Reinecke [this message]
2022-03-07 7:49 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=065432ee-7e1b-8c21-4536-2c4a7bb6734b@suse.de \
--to=hare@suse.de \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=linux-block@vger.kernel.org \
--cc=ming.lei@redhat.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox