git.ipfire.org Git - thirdparty/linux.git/commit

author	Ming Lei <ming.lei@redhat.com>
	Tue, 11 May 2021 15:22:35 +0000 (23:22 +0800)
committer	Jens Axboe <axboe@kernel.dk>
	Mon, 24 May 2021 12:47:22 +0000 (06:47 -0600)
commit	bd63141d585bef14f4caf111f6d0e27fe2300ec6
tree	18c509a0a1fb0b90746396b360a5b1e5b46bae37	tree \| snapshot
parent	2e315dc07df009c3e29d6926871f62a30cfae394	commit \| diff

blk-mq: clear stale request in tags->rq[] before freeing one request pool

refcount_inc_not_zero() in bt_tags_iter() still may read one freed
request.

Fix the issue by the following approach:

1) hold a per-tags spinlock when reading ->rqs[tag] and calling
refcount_inc_not_zero in bt_tags_iter()

2) clearing stale request referred via ->rqs[tag] before freeing
request pool, the per-tags spinlock is held for clearing stale
->rq[tag]

So after we cleared stale requests, bt_tags_iter() won't observe
freed request any more, also the clearing will wait for pending
request reference.

The idea of clearing ->rqs[] is borrowed from John Garry's previous
patch and one recent David's patch.

Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210511152236.763464-4-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

block/blk-mq-tag.c		diff \| blob \| blame \| history
block/blk-mq-tag.h		diff \| blob \| blame \| history
block/blk-mq.c		diff \| blob \| blame \| history