Date: Wed, 27 Mar 2019 00:51:56 -0600
From: Keith Busch
To: "jianchao.wang"
Cc: Jens Axboe, linux-block, James Smart, Bart Van Assche, Ming Lei, Josef Bacik, linux-nvme, Linux Kernel Mailing List, "Busch, Keith", Hannes Reinecke, Johannes Thumshirn, Christoph Hellwig, Sagi Grimberg
Subject: Re: [PATCH V2 7/8] nvme: use blk_mq_queue_tag_inflight_iter
Message-ID: <20190327065156.GC7389@localhost.localdomain>

On Wed, Mar 27, 2019 at 10:45:33AM +0800, jianchao.wang wrote:
> 1. a hctx->fq.flush_rq of dead request_queue that shares the same tagset
> The whole request_queue is cleaned up and freed, so the hctx->fq.flush is freed back to a slab
>
> 2. a removed io scheduler's sched request
> The io scheduler is detached and all of the structures are freed, including the pages where sched
> requests are located.
>
> So the pointers in tags->rqs[] may point to memory that is not used as a blk layer request.

Oh, free as in kfree'd, not blk_mq_free_request. So it's a read-after-free
that you're concerned about, not that anyone explicitly changed a
request->state.

We at least can't free the flush_queue until the queue is frozen. If the
queue is frozen, we've completed the special fq->flush_rq where its end_io
replaces tags->rqs[tag] back to the fq->orig_rq from the static_rqs, so
nvme's iterator couldn't see the fq->flush_rq address if it's invalid.

The sched_tags concern, though, appears theoretically possible.
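
The two cases discussed in this message, as an added userspace model; it is not code from the thread or from the kernel. The struct layouts, `sched_pool`, its `live` flag and every function name are assumptions made for illustration. Release is modelled with a flag, so nothing is dereferenced after it is freed.

```c
#include <stddef.h>
#include <stdio.h>
#define NR_TAGS 4
struct request { int tag; };
/* Hypothetical userspace model, not the kernel's struct blk_mq_tags. */
struct tags {
    struct request *rqs[NR_TAGS];       /* slots a tag iterator walks */
    struct request static_rqs[NR_TAGS]; /* live as long as the tag set */
};
/* Scheduler-owned requests; 'live' models whether their pages still exist. */
struct sched_pool { struct request rq[NR_TAGS]; int live; };
static struct request flush_rq;         /* stands in for fq->flush_rq */
int in_pool(const struct sched_pool *p, const struct request *r)
{
    for (int i = 0; i < NR_TAGS; i++)
        if (r == &p->rq[i]) return 1;
    return 0;
}
/* Flush case: the slot is borrowed, and end_io restores the static request. */
void flush_start(struct tags *t, int tag) { t->rqs[tag] = &flush_rq; }
void flush_end_io(struct tags *t, int tag) { t->rqs[tag] = &t->static_rqs[tag]; }
/* Scheduler case: dispatch publishes a scheduler-owned request in rqs[]. */
void sched_dispatch(struct tags *t, struct sched_pool *p, int tag) { t->rqs[tag] = &p->rq[tag]; }
/* Teardown as described in the thread: memory released, rqs[] untouched. */
void sched_exit(struct sched_pool *p) { p->live = 0; }
/* Hardened teardown: clear every slot that points into the pool first. */
void sched_exit_clearing(struct tags *t, struct sched_pool *p)
{
    for (int i = 0; i < NR_TAGS; i++)
        if (in_pool(p, t->rqs[i]))
            t->rqs[i] = NULL;
    p->live = 0;
}
/* Slots an iterator would still dereference after their owner was released. */
int stale_slots(const struct tags *t, const struct sched_pool *p)
{
    int n = 0;
    for (int i = 0; i < NR_TAGS; i++)
        n += (!p->live && in_pool(p, t->rqs[i]));
    return n;
}
int main(void)
{
    static struct tags t;
    static struct sched_pool p = { .live = 1 };
    flush_start(&t, 1); flush_end_io(&t, 1);   /* slot 1 is back on static_rqs */
    sched_dispatch(&t, &p, 0); sched_exit(&p); /* slot 0 now dangles */
    printf("stale slots after plain teardown: %d\n", stale_slots(&t, &p));
}
```
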