| Message ID | 20210909090054.492923-1-houtao1@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping() | expand |
Hello Hou, On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote: > According to commit 4412efecf7fd ("Revert "blk-mq: remove code for > dealing with remapping queue""), for some devices queue hctx may not > being mapped, and tagset->tags[hctx_idx] will be released and be NULL. > > If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping() > will be called for all hctxs in blk_mq_sched_free_requests() during > scheduler switch, and these will be oops. So checking the existence of > tags[hctx_idx] before going on in blk_mq_clear_rq_mapping(). unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only, but scheduler tags is updated there too, so not sure it is one real issue, did you observe such kernel panic? any kernel log? Thanks, Ming
Hi, On 9/9/2021 5:19 PM, Ming Lei wrote: > Hello Hou, > > On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote: >> According to commit 4412efecf7fd ("Revert "blk-mq: remove code for >> dealing with remapping queue""), for some devices queue hctx may not >> being mapped, and tagset->tags[hctx_idx] will be released and be NULL. >> >> If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping() >> will be called for all hctxs in blk_mq_sched_free_requests() during >> scheduler switch, and these will be oops. So checking the existence of >> tags[hctx_idx] before going on in blk_mq_clear_rq_mapping(). > unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only, > but scheduler tags is updated there too, so not sure it is one real > issue, did you observe such kernel panic? any kernel log? Not a real issue, just find the potential "problem" during code review. But is the case below possible ? There is an unmapped hctx and a freed tags[hctx_idx] after blk_mq_update_nr_hw_queues(), and IO scheduler is used. When switching IO scheduler to none, the previous schedule tag on each hctx will be freed in blk_mq_sched_free_requests(). blk_mq_sched_free_requests() will call blk_mq_free_rqs(), and blk_mq_free_rqs() will access the NULLed tags[hctx_idx]. Regards, Tao > > Thanks, > Ming > > .
On Thu, Sep 09, 2021 at 07:14:20PM +0800, Hou Tao wrote: > Hi, > > On 9/9/2021 5:19 PM, Ming Lei wrote: > > Hello Hou, > > > > On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote: > >> According to commit 4412efecf7fd ("Revert "blk-mq: remove code for > >> dealing with remapping queue""), for some devices queue hctx may not > >> being mapped, and tagset->tags[hctx_idx] will be released and be NULL. > >> > >> If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping() > >> will be called for all hctxs in blk_mq_sched_free_requests() during > >> scheduler switch, and these will be oops. So checking the existence of > >> tags[hctx_idx] before going on in blk_mq_clear_rq_mapping(). > > unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only, > > but scheduler tags is updated there too, so not sure it is one real > > issue, did you observe such kernel panic? any kernel log? > Not a real issue, just find the potential "problem" during code review. > > But is the case below possible ? > There is an unmapped hctx and a freed tags[hctx_idx] after > blk_mq_update_nr_hw_queues(), and IO scheduler is used. When > switching IO scheduler to none, the previous schedule tag > on each hctx will be freed in blk_mq_sched_free_requests(). > blk_mq_sched_free_requests() will call blk_mq_free_rqs(), and > > blk_mq_free_rqs() will access the NULLed tags[hctx_idx]. It isn't possible. One invariant is that the first 'q->nr_hw_queues' elements of ->queue_hw_ctx[] / ->tags[] are valid and the others are freed after blk_mq_update_nr_hw_queues() returns. thanks, Ming
diff --git a/block/blk-mq.c b/block/blk-mq.c index 65d3a63aecc6..c3d701f44e49 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2297,6 +2297,10 @@ static void blk_mq_clear_rq_mapping(struct blk_mq_tag_set *set, struct page *page; unsigned long flags; + /* If the hctx is unmapped, drv_tags may be NULL */ + if (!drv_tags) + return; + list_for_each_entry(page, &tags->page_list, lru) { unsigned long start = (unsigned long)page_address(page); unsigned long end = start + order_to_size(page->private);
According to commit 4412efecf7fd ("Revert "blk-mq: remove code for dealing with remapping queue""), for some devices queue hctx may not being mapped, and tagset->tags[hctx_idx] will be released and be NULL. If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping() will be called for all hctxs in blk_mq_sched_free_requests() during scheduler switch, and these will be oops. So checking the existence of tags[hctx_idx] before going on in blk_mq_clear_rq_mapping(). Signed-off-by: Hou Tao <houtao1@huawei.com> --- block/blk-mq.c | 4 ++++ 1 file changed, 4 insertions(+)