public inbox for linux-kernel@vger.kernel.org
From: Vivek Goyal <vgoyal@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux kernel mailing list <linux-kernel@vger.kernel.org>,
	Tejun Heo <tj@kernel.org>, Chris Mason <chris.mason@oracle.com>
Subject: Re: Kernel crash in icq_free_icq_rcu
Date: Tue, 17 Jan 2012 16:01:14 -0500
Message-ID: <20120117210114.GA23527@redhat.com>
In-Reply-To: <20120117205816.GF19223@redhat.com>

On Tue, Jan 17, 2012 at 03:58:16PM -0500, Vivek Goyal wrote:

[..]

> > >> Can you try this?
> > > 
> > > Nope, this does not help either. Can reproduce the issue with below
> > > patch applied.
> > > 
> > >>
> > >>
> > >> diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
> > >> index 163263d..ee55019 100644
> > >> --- a/block/cfq-iosched.c
> > >> +++ b/block/cfq-iosched.c
> > >> @@ -3117,18 +3117,17 @@ cfq_should_preempt(struct cfq_data *cfqd, struct cfq_queue *new_cfqq,
> > >>   */
> > >>  static void cfq_preempt_queue(struct cfq_data *cfqd, struct cfq_queue *cfqq)
> > >>  {
> > >> -	struct cfq_queue *old_cfqq = cfqd->active_queue;
> > >> -
> > >>  	cfq_log_cfqq(cfqd, cfqq, "preempt");
> > >> -	cfq_slice_expired(cfqd, 1);
> > >>  
> > >>  	/*
> > >>  	 * workload type is changed, don't save slice, otherwise preempt
> > >>  	 * doesn't happen
> > >>  	 */
> > >> -	if (cfqq_type(old_cfqq) != cfqq_type(cfqq))
> > >> +	if (cfqq_type(cfqd->active_queue) != cfqq_type(cfqq))
> > >>  		cfqq->cfqg->saved_workload_slice = 0;
> > >>  
> > >> +	cfq_slice_expired(cfqd, 1);
> > >> +
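
Review bot: with cfq_slice_expired(cfqd, 1) moved to the end of this hunk, the `cfqq->cfqg->saved_workload_slice = 0` assignment now runs before the slice is expired, and the reply that follows states that cfq_slice_expired() overwrites that field, so the reset is lost. To avoid touching the old queue after expiry without reordering, read cfqq_type(cfqd->active_queue) into a local before the cfq_slice_expired() call and leave the comparison and the assignment after it.
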
> > > 
> > > cfq_slice_expired() will overwrite the value of
> > > cfqq->cfqg->saved_workload_slice. So we need to set it to zero after
> > > cfq_slice_expired.
> > 
> > Good point, let's just fix that up afterwards, the use-after-free needs
> > to go asap.
> > 
> > > I was thinking of just saving the workload type of cfqq before
> > > cfq_slice_expired() so that we don't access old cfqq after
> > > cfq_slice_expired(). But then I noticed that we don't drop a cfqq
> > > reference in cfq_slice_expired(). So not sure how cfq_slice_expired()
> > > can lead to freeing up of queue. It should happen only when process
> > > has exited and last request on the queue is finished.
> > 
> > It does, it drops a ref to the cic which in turn drops the active async
> > and sync queues.
> 
> Ok, I see it now. Thanks.
> 
> I modified your patch a bit. It does not seem to solve my problem but
> might help with Chris Mason's boot issue.
> 
> Chris, can you please give it a try.

Oops, old mail id of Chris. Fixing it now.

Thanks
Vivek

> 
> Thanks
> Vivek
> 
> ---
>  block/cfq-iosched.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> Index: linux-2.6/block/cfq-iosched.c
> ===================================================================
> --- linux-2.6.orig/block/cfq-iosched.c	2012-01-18 02:49:33.000000000 -0500
> +++ linux-2.6/block/cfq-iosched.c	2012-01-18 02:50:31.000000000 -0500
> @@ -3117,7 +3117,7 @@ cfq_should_preempt(struct cfq_data *cfqd
>   */
>  static void cfq_preempt_queue(struct cfq_data *cfqd, struct cfq_queue *cfqq)
>  {
> -	struct cfq_queue *old_cfqq = cfqd->active_queue;
> +	enum wl_type_t old_cfqq_wl_type = cfqq_type(cfqd->active_queue);
>  
>  	cfq_log_cfqq(cfqd, cfqq, "preempt");
>  	cfq_slice_expired(cfqd, 1);
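
Review bot: the new `old_cfqq_wl_type` declaration at the top of cfq_preempt_queue() has no comment saying why the workload type is sampled before `cfq_slice_expired(cfqd, 1)`. The thread explains that the expiry drops a ref to the cic, which in turn drops the active queues, so a one-line comment to that effect above the declaration would keep a later cleanup from going back to a saved `struct cfq_queue *`.
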
> @@ -3126,7 +3126,7 @@ static void cfq_preempt_queue(struct cfq
>  	 * workload type is changed, don't save slice, otherwise preempt
>  	 * doesn't happen
>  	 */
> -	if (cfqq_type(old_cfqq) != cfqq_type(cfqq))
> +	if (old_cfqq_wl_type != cfqq_type(cfqq))
>  		cfqq->cfqg->saved_workload_slice = 0;
>  
>  	/*
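
Review bot: the condition and the assignment in this hunk still dereference `cfqq` and `cfqq->cfqg` after cfq_slice_expired() has returned, and the patch as posted has no changelog explaining why the preempting queue and its group stay valid across the expiry when the old active queue may not. Please add a description covering that lifetime assumption, along with a Signed-off-by line, before this is applied.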
