Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2825340pxk; Sun, 20 Sep 2020 19:29:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzaLYVVzdi+JBUcoErsfn/AozWpxY2DIXzqwLpK9o88QcIa6vXo09puUgVM6X2OMyrlvvJU X-Received: by 2002:a17:906:715b:: with SMTP id z27mr50238437ejj.166.1600655356716; Sun, 20 Sep 2020 19:29:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600655356; cv=none; d=google.com; s=arc-20160816; b=BUMfdWD7sq7fydz0BEEcUaZximEOovMV2tRsB87yIeS5vMQpAMc8iOF6juN9g2loDT MsqWAmOPfsAoosyiOCoPjBo/fE75coOuwDABu01+S4wCIK4MUbLCo0viJczfvdPwgncE uddqWAlaJ94yMFvNTHXhUBmqMXNP+QZMchU7N7nmEugamWNsLlt45RNQyHR3W+D2XVbG Wu8H/pB6Nn4+nJqw4LvpcoJQ4RSJ/jfGRBdOggB+J8aRlIqGM/qjLJMMBpVLX5Otkd73 CQY2Q20zDkYEh/h9Hx0CFm8MBD8sG3OJufNzRE1SRayZFR4vPoZ/12xt8N8R5275VjKK DA7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-language:accept-language:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=Anab+DoAzdqvSEEzIa9GmpWC/PBNrsC7M4vkx3KU/U8=; b=VNcJcipWGsLa2HnU4kd7ug1w+/wfWR04R4PPKp9KzRv/CCjeLGJ/JI5S2xKxJkY9Tf RxXdZOQpL0725KsTi09nr5oQKh5Lbi5oUBJMJOrOjncRrfb0jAo2PTrkVqfmNG34uJsr lM5o2qcJxWGH3z8VsBQypIpXlEqL4YOqCUQjommnNSHLEf/O0om3nd0OkzXXNyu992jv cZ8jY4rCq2JjNzxajQbuTKSyUOZsbzVM1dTZHE9Rp4ABpUkqqGkEjTXMrQJsVkr4VY/Y eKQ1CY1QU6oKyjHER+hZm38Wj4VIBTdbuAGSiwEpAvEvu8tUKmnKQK8eIBT7BX6riVzQ ViWw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c24si7418910eja.263.2020.09.20.19.28.53; Sun, 20 Sep 2020 19:29:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726253AbgIUC1l convert rfc822-to-8bit (ORCPT + 99 others); Sun, 20 Sep 2020 22:27:41 -0400 Received: from smtp.h3c.com ([60.191.123.56]:45879 "EHLO h3cspam01-ex.h3c.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726104AbgIUC1l (ORCPT ); Sun, 20 Sep 2020 22:27:41 -0400 Received: from DAG2EX10-IDC.srv.huawei-3com.com ([10.8.0.73]) by h3cspam01-ex.h3c.com with ESMTPS id 08L2QjpK039265 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 21 Sep 2020 10:26:45 +0800 (GMT-8) (envelope-from tian.xianting@h3c.com) Received: from DAG2EX03-BASE.srv.huawei-3com.com (10.8.0.66) by DAG2EX10-IDC.srv.huawei-3com.com (10.8.0.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 21 Sep 2020 10:26:46 +0800 Received: from DAG2EX03-BASE.srv.huawei-3com.com ([fe80::5d18:e01c:bbbd:c074]) by DAG2EX03-BASE.srv.huawei-3com.com ([fe80::5d18:e01c:bbbd:c074%7]) with mapi id 15.01.1713.004; Mon, 21 Sep 2020 10:26:46 +0800 From: Tianxianting To: Keith Busch CC: "axboe@fb.com" , "hch@lst.de" , "sagi@grimberg.me" , "linux-nvme@lists.infradead.org" , "linux-kernel@vger.kernel.org" Subject: RE: [PATCH] [v2] nvme: use correct upper limit for tag in nvme_handle_cqe() Thread-Topic: [PATCH] [v2] nvme: use correct upper limit for tag in nvme_handle_cqe() Thread-Index: AQHWjamkvjMzTC+ou0aptn5bKR4hY6luQCAAgAEKLTCAAxV5EA== Date: Mon, 21 Sep 2020 02:26:46 +0000 Message-ID: <1f0a3015fd6f40e792a15486f34491c7@h3c.com> References: <20200918104420.30219-1-tian.xianting@h3c.com> <20200918192034.GA4030837@dhcp-10-100-145-180.wdl.wdc.com> Accept-Language: en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.99.141.128] x-sender-location: DAG2 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-DNSRBL: X-MAIL: h3cspam01-ex.h3c.com 08L2QjpK039265 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Keith, I found an extreme case, in function blk_mq_alloc_map_and_requests(), it will adjust tagset depth by 'set->queue_depth >>= 1' if there is no enough memory for rqs. If this happens, the real available number of tags(nr_tags) is much smaller than nvmeq->q_depth. So the judgement "if (unlikely(cqe->command_id >= nvmeq->q_depth))" in nvme_handle_cqe() is really meaningless. I figured out a new patch, which replaces the meaningless judgement by checking whether the returned req is null, if it is null, directly return. Would you please spare several minutes to review below new patch? thanks https://lkml.org/lkml/2020/9/20/400 -----Original Message----- From: tianxianting (RD) Sent: Saturday, September 19, 2020 11:15 AM To: 'Keith Busch' Cc: axboe@fb.com; hch@lst.de; sagi@grimberg.me; linux-nvme@lists.infradead.org; linux-kernel@vger.kernel.org Subject: RE: [PATCH] [v2] nvme: use correct upper limit for tag in nvme_handle_cqe() Hi Keith, Thanks a lot for your comments, I will try to figure out a safe fix for this issue, then for you review:) -----Original Message----- From: Keith Busch [mailto:kbusch@kernel.org] Sent: Saturday, September 19, 2020 3:21 AM To: tianxianting (RD) Cc: axboe@fb.com; hch@lst.de; sagi@grimberg.me; linux-nvme@lists.infradead.org; linux-kernel@vger.kernel.org Subject: Re: [PATCH] [v2] nvme: use correct upper limit for tag in nvme_handle_cqe() On Fri, Sep 18, 2020 at 06:44:20PM +0800, Xianting Tian wrote: > @@ -940,7 +940,9 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx) > struct nvme_completion *cqe = &nvmeq->cqes[idx]; > struct request *req; > > - if (unlikely(cqe->command_id >= nvmeq->q_depth)) { > + if (unlikely(cqe->command_id >= > + nvmeq->qid ? nvmeq->dev->tagset.queue_depth : > + nvmeq->dev->admin_tagset.queue_depth)) { Both of these values are set before blk_mq_alloc_tag_set(), so you still have a race. The interrupt handler probably just shouldn't be registered with the queue before the tagset is initialized since there can't be any work for the handler to do before that happens anyway. The controller is definitely broken, though, and will lead to unavoidable corruption if it's really behaving this way.