[PATCH] block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping()

[PATCH] block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping()

[Hou Tao]

According to commit 4412efecf7fd ("Revert "blk-mq: remove code for
dealing with remapping queue""), for some devices queue hctx may not
being mapped, and tagset->tags[hctx_idx] will be released and be NULL.

If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping()
will be called for all hctxs in blk_mq_sched_free_requests() during
scheduler switch, and these will be oops. So checking the existence of
tags[hctx_idx] before going on in blk_mq_clear_rq_mapping().

Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 block/blk-mq.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 65d3a63aecc6..c3d701f44e49 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2297,6 +2297,10 @@ static void blk_mq_clear_rq_mapping(struct blk_mq_tag_set *set,
 	struct page *page;
 	unsigned long flags;
 
+	/* If the hctx is unmapped, drv_tags may be NULL */
+	if (!drv_tags)
+		return;
+
 	list_for_each_entry(page, &tags->page_list, lru) {
 		unsigned long start = (unsigned long)page_address(page);
 		unsigned long end = start + order_to_size(page->private);
-- 
2.29.2

Re: [PATCH] block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping()

[Ming Lei]

Hello Hou,

On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote:
> According to commit 4412efecf7fd ("Revert "blk-mq: remove code for
> dealing with remapping queue""), for some devices queue hctx may not
> being mapped, and tagset->tags[hctx_idx] will be released and be NULL.
> 
> If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping()
> will be called for all hctxs in blk_mq_sched_free_requests() during
> scheduler switch, and these will be oops. So checking the existence of
> tags[hctx_idx] before going on in blk_mq_clear_rq_mapping().

unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only,
but scheduler tags is updated there too, so not sure it is one real
issue, did you observe such kernel panic? any kernel log?


Thanks,
Ming

Re: [PATCH] block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping()

[Hou Tao]

Hi,

On 9/9/2021 5:19 PM, Ming Lei wrote:
> Hello Hou,
>
> On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote:
>> According to commit 4412efecf7fd ("Revert "blk-mq: remove code for
>> dealing with remapping queue""), for some devices queue hctx may not
>> being mapped, and tagset->tags[hctx_idx] will be released and be NULL.
>>
>> If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping()
>> will be called for all hctxs in blk_mq_sched_free_requests() during
>> scheduler switch, and these will be oops. So checking the existence of
>> tags[hctx_idx] before going on in blk_mq_clear_rq_mapping().
> unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only,
> but scheduler tags is updated there too, so not sure it is one real
> issue, did you observe such kernel panic? any kernel log?
Not a real issue, just find the potential "problem" during code review.

But is the case below possible ?
There is an unmapped hctx and a freed tags[hctx_idx] after
blk_mq_update_nr_hw_queues(), and IO scheduler is used. When
switching IO scheduler to none, the previous schedule tag
on each hctx will be freed in blk_mq_sched_free_requests().
blk_mq_sched_free_requests() will call blk_mq_free_rqs(), and

blk_mq_free_rqs() will access the NULLed tags[hctx_idx].

Regards,

Tao

>
> Thanks,
> Ming
>
> .

Re: [PATCH] block: check the existence of tags[hctx_idx] in blk_mq_clear_rq_mapping()

[Ming Lei]

On Thu, Sep 09, 2021 at 07:14:20PM +0800, Hou Tao wrote:
> Hi,
> 
> On 9/9/2021 5:19 PM, Ming Lei wrote:
> > Hello Hou,
> >
> > On Thu, Sep 09, 2021 at 05:00:54PM +0800, Hou Tao wrote:
> >> According to commit 4412efecf7fd ("Revert "blk-mq: remove code for
> >> dealing with remapping queue""), for some devices queue hctx may not
> >> being mapped, and tagset->tags[hctx_idx] will be released and be NULL.
> >>
> >> If an IO scheduler is used on these devices, blk_mq_clear_rq_mapping()
> >> will be called for all hctxs in blk_mq_sched_free_requests() during
> >> scheduler switch, and these will be oops. So checking the existence of
> >> tags[hctx_idx] before going on in blk_mq_clear_rq_mapping().
> > unmapped hctx should be caused by blk_mq_update_nr_hw_queues() only,
> > but scheduler tags is updated there too, so not sure it is one real
> > issue, did you observe such kernel panic? any kernel log?
> Not a real issue, just find the potential "problem" during code review.
> 
> But is the case below possible ?
> There is an unmapped hctx and a freed tags[hctx_idx] after
> blk_mq_update_nr_hw_queues(), and IO scheduler is used. When
> switching IO scheduler to none, the previous schedule tag
> on each hctx will be freed in blk_mq_sched_free_requests().
> blk_mq_sched_free_requests() will call blk_mq_free_rqs(), and
> 
> blk_mq_free_rqs() will access the NULLed tags[hctx_idx].

It isn't possible. One invariant is that the first 'q->nr_hw_queues'
elements of ->queue_hw_ctx[] / ->tags[] are valid and the others are
freed after blk_mq_update_nr_hw_queues() returns.


thanks,
Ming