From: James Smart <james.smart@broadcom.com>
To: Jens Axboe <axboe@kernel.dk>, Ming Lei <ming.lei@redhat.com>
Cc: linux-block@vger.kernel.org, Andrew Jones <drjones@redhat.com>,
Bart Van Assche <bart.vanassche@wdc.com>,
linux-scsi@vger.kernel.org,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Christoph Hellwig <hch@lst.de>,
"James E . J . Bottomley" <jejb@linux.vnet.ibm.com>,
stable <stable@vger.kernel.org>,
"jianchao . wang" <jianchao.w.wang@oracle.com>
Subject: Re: [PATCH V2] SCSI: fix queue cleanup race before queue initialization is done
Date: Fri, 29 Mar 2019 13:21:12 -0700 [thread overview]
Message-ID: <baba41b1-8495-8bd1-0bea-341d207852a7@broadcom.com> (raw)
In-Reply-To: <dc374ec8-2ea2-0792-4677-0ae81fa7826e@kernel.dk>
On 11/21/2018 5:42 PM, Jens Axboe wrote:
> On 11/21/18 6:00 PM, Ming Lei wrote:
>> On Wed, Nov 21, 2018 at 02:47:35PM -0700, Jens Axboe wrote:
>>> On 11/14/18 8:20 AM, Jens Axboe wrote:
>>>> On 11/14/18 1:25 AM, Ming Lei wrote:
>>>>> c2856ae2f315d ("blk-mq: quiesce queue before freeing queue") has
>>>>> already fixed this race, however the implied synchronize_rcu()
>>>>> in blk_mq_quiesce_queue() can slow down LUN probe a lot, so caused
>>>>> performance regression.
>>>>>
>>>>> Then 1311326cf4755c7 ("blk-mq: avoid to synchronize rcu inside blk_cleanup_queue()")
>>>>> tried to quiesce queue for avoiding unnecessary synchronize_rcu()
>>>>> only when queue initialization is done, because it is usual to see
>>>>> lots of inexistent LUNs which need to be probed.
>>>>>
>>>>> However, turns out it isn't safe to quiesce queue only when queue
>>>>> initialization is done. Because when one SCSI command is completed,
>>>>> the user of sending command can be waken up immediately, then the
>>>>> scsi device may be removed, meantime the run queue in scsi_end_request()
>>>>> is still in-progress, so kernel panic can be caused.
>>>>>
>>>>> In Red Hat QE lab, there are several reports about this kind of kernel
>>>>> panic triggered during kernel booting.
>>>>>
>>>>> This patch tries to address the issue by grabing one queue usage
>>>>> counter during freeing one request and the following run queue.
>>>> Thanks applied, this bug was elusive but ever present in recent
>>>> testing that we did internally, it's been a huge pain in the butt.
>>>> The symptoms were usually a crash in blk_mq_get_driver_tag() with
>>>> hctx->tags == NULL, or a crash inside deadline request insert off
>>>> requeue.
All,
We are seeing errors with the following error:
[44492.814347] BUG: unable to handle kernel NULL pointer dereference at
(null)
[44492.814383] IP: [<ffffffff8135a10b>] sbitmap_any_bit_set+0xb/0x30
...
[44492.815634] Call Trace:
[44492.815652] [<ffffffff81303a88>] blk_mq_run_hw_queues+0x48/0x90
[44492.819755] [<ffffffff813053cc>] blk_mq_requeue_work+0x10c/0x120
[44492.819777] [<ffffffff81098cb4>] process_one_work+0x154/0x410
[44492.819781] [<ffffffff81099896>] worker_thread+0x116/0x4a0
[44492.819784] [<ffffffff8109edb9>] kthread+0xc9/0xe0
[44492.819790] [<ffffffff81619b05>] ret_from_fork+0x55/0x80
[44492.822798] DWARF2 unwinder stuck at ret_from_fork+0x55/0x80
[44492.822798]
[44492.822799] Leftover inexact backtrace:
[44492.822802] [<ffffffff8109ecf0>] ? kthread_park+0x50/0x50
[44492.822818] Code: c6 44 0f 46 ce 83 c2 01 45 89 ca 4c 89 54 01 08 48
8b 4f
10 2b 74 01 08 39 57 08 77 d8 f3 c3 90 8b 4f 08 85 c9 74 1f 48 8b 57 10
<48> 83
3a 00 75 18 31 c0 eb 0a 48 83 c2 40 48 83 3a 00 75 0a 83
[44492.822820] RIP [<ffffffff8135a10b>] sbitmap_any_bit_set+0xb/0x30
[44492.822821] RSP <ffff8807219ffdd8>
[44492.822821] CR2: 0000000000000000
It appears the queue has been freed thus the bitmap is bad.
Looking at the commit relative to this email thread:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/scsi/scsi_lib.c?id=8dc765d438f1e42b3e8227b3b09fad7d73f4ec9a
It's interesting that the queue reference taken was released after the
kblockd_schedule_work() call was made, and it's this work element that
is hitting the issue. So perhaps the patch missed keeping the reference
until the requeue_work item finished ?
-- james
next prev parent reply other threads:[~2019-03-29 20:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-14 8:25 [PATCH V2] SCSI: fix queue cleanup race before queue initialization is done Ming Lei
2018-11-14 15:02 ` Bart Van Assche
2018-11-15 0:48 ` Ming Lei
2018-11-14 15:20 ` Jens Axboe
2018-11-15 1:02 ` Ming Lei
2018-11-21 21:47 ` Jens Axboe
2018-11-21 22:02 ` Theodore Y. Ts'o
2018-11-22 3:43 ` Theodore Y. Ts'o
2018-11-22 1:00 ` Ming Lei
2018-11-22 1:42 ` Jens Axboe
2018-11-22 2:00 ` Ming Lei
2018-11-22 2:14 ` Jens Axboe
2018-11-22 2:47 ` Ming Lei
2019-03-29 20:21 ` James Smart [this message]
2019-03-29 23:22 ` Ming Lei
2019-03-31 3:11 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=baba41b1-8495-8bd1-0bea-341d207852a7@broadcom.com \
--to=james.smart@broadcom.com \
--cc=axboe@kernel.dk \
--cc=bart.vanassche@wdc.com \
--cc=drjones@redhat.com \
--cc=hch@lst.de \
--cc=jejb@linux.vnet.ibm.com \
--cc=jianchao.w.wang@oracle.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=ming.lei@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox