From: Tejun Heo <tj@kernel.org>
To: Jens Axboe <axboe@kernel.dk>, Shaohua Li <shaohua.li@intel.com>,
Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
linux-next@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
linux-scsi@vger.kernel.org, linux-ide@vger.kernel.org,
x86@kernel.org
Subject: [PATCH block:for-3.3/core] cfq: merged request shouldn't jump to a different cfqq
Date: Thu, 5 Jan 2012 18:17:07 -0800 [thread overview]
Message-ID: <20120106021707.GA6276@google.com> (raw)
In-Reply-To: <20120105183842.GF18486@google.com>
When two requests are merged, if the absorbed request is older than
the absorbing one, cfq_merged_requests() tries to reposition it in the
cfqq->fifo list by list_move()'ing the absorbing request to the
absorbed one before removing it.
This works if both requests are on the same cfqq but nothing
guarantees that and the code ends up moving the merged request to a
different cfqq's fifo list without adjusting the rest. This leads to
the following failures.
* A request may be on the fifo list of a cfqq without holding
reference to it and the cfqq can be freed before requst is finished.
Among other things, this triggers list debug warning and slab debug
use-after-free warning.
* As a request can be on the wrong fifo queue, it may be issued and
completed before its cfqq is scheduled. If the cfqq didn't have
other requests on it, it would be empty by the time it's dispatched
triggering BUG_ON() in cfq_dispatch_request().
Fix it by making cfq_merged_requests() scan the absorbing request's
fifo list for the correct slot and move there instead.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
---
It survived my testing long enough and I'm relatively confident this
should fix the crash but I might have gotten the scanning wrong, so
please pay extra attention there.
I suspect we just didn't have enough backward request-request merges
before the recent plug merge updates to trigger this bug.
Thanks.
block/cfq-iosched.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
index 163263d..a235cf3 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -1663,8 +1663,15 @@ cfq_merged_requests(struct request_queue *q, struct request *rq,
*/
if (!list_empty(&rq->queuelist) && !list_empty(&next->queuelist) &&
time_before(rq_fifo_time(next), rq_fifo_time(rq))) {
- list_move(&rq->queuelist, &next->queuelist);
+ struct request *pos = rq;
+
rq_set_fifo_time(rq, rq_fifo_time(next));
+
+ list_for_each_entry_continue_reverse(pos, &cfqq->fifo, queuelist)
+ if (time_before_eq(rq_fifo_time(pos), rq_fifo_time(rq)))
+ break;
+ if (rq != pos)
+ list_move(&rq->queuelist, &pos->queuelist);
}
if (cfqq->next_rq == next)
next prev parent reply other threads:[~2012-01-06 2:17 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20111221174733.9ba0861e762e8d96844b060b@canb.auug.org.au>
2011-12-21 23:15 ` linux-next: Tree for Dec 21 Andrew Morton
2011-12-22 23:08 ` Andrew Morton
2011-12-22 23:20 ` Tejun Heo
2011-12-22 23:24 ` Andrew Morton
2011-12-22 23:38 ` Tejun Heo
2011-12-22 23:44 ` Andrew Morton
2011-12-22 23:46 ` Tejun Heo
2011-12-23 0:42 ` Tejun Heo
2011-12-24 5:13 ` Hugh Dickins
2011-12-25 1:02 ` [PATCH block/for-3.3/core] block: an exiting task should be allowed to create io_context Tejun Heo
2011-12-25 13:29 ` Jens Axboe
2011-12-27 22:07 ` Andrew Morton
2011-12-28 8:33 ` Hugh Dickins
2011-12-28 16:48 ` Tejun Heo
2011-12-28 17:50 ` Hugh Dickins
2011-12-28 17:55 ` Tejun Heo
2011-12-28 21:19 ` Tejun Heo
2012-01-03 17:35 ` Tejun Heo
2012-01-03 17:59 ` Tejun Heo
2012-01-03 20:09 ` Tejun Heo
2012-01-03 20:20 ` Jens Axboe
2012-01-03 22:13 ` Tejun Heo
2012-01-03 22:35 ` Tejun Heo
2012-01-05 1:24 ` Tejun Heo
2012-01-05 18:36 ` Hugh Dickins
2012-01-05 18:38 ` Tejun Heo
2012-01-06 2:17 ` Tejun Heo [this message]
2012-01-06 2:36 ` [PATCH block:for-3.3/core] cfq: merged request shouldn't jump to a different cfqq Tejun Heo
2012-01-06 3:14 ` Shaohua Li
2012-01-06 3:04 ` Tejun Heo
2012-01-06 3:30 ` Tejun Heo
2012-01-06 3:52 ` [PATCH block:for-3.3/core] block: disable ELEVATOR_INSERT_SORT_MERGE Tejun Heo
2012-01-06 4:19 ` Shaohua Li
2012-01-06 4:38 ` Tejun Heo
2012-01-06 8:15 ` Shaohua Li
2012-01-06 15:34 ` Tejun Heo
2012-01-06 3:34 ` [PATCH block:for-3.3/core] cfq: merged request shouldn't jump to a different cfqq Shaohua Li
2012-01-06 3:22 ` Tejun Heo
2012-01-06 4:15 ` Shaohua Li
2012-01-06 4:40 ` Tejun Heo
2012-01-06 2:47 ` Shaohua Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120106021707.GA6276@google.com \
--to=tj@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=hughd@google.com \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=shaohua.li@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).