Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp2335062lqb; Mon, 27 May 2024 16:51:24 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV/XHI50/2ZHfw6b+xO0yQBit6xUou31umUfyXcKLPcs9Z9oig+R0Hewa16LC4Ei3w6Vr5xFvGK+aTz9QhmKD8dKp4drBxxtua838UrFQ== X-Google-Smtp-Source: AGHT+IFipD0NuC+EEVsvNrfo7Ap19urCRJkMTxIMZh+oGic7lpVVNWSsfh4ldJ2Kkmh6ASRfYcwU X-Received: by 2002:a17:903:190:b0:1f4:4b4c:d8af with SMTP id d9443c01a7336-1f44b4cdb7fmr113785715ad.53.1716853884662; Mon, 27 May 2024 16:51:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716853884; cv=pass; d=google.com; s=arc-20160816; b=a23Z2R0amkM89sw34e+jx18bzxOf4npNO/pHQ8jOCyPq1BJc/zXGRYbDbb7egxtRZB 70uPq4Oz5DBvpWF0TgzRCACA3GdOUFfaOCqfiC84Hhc/CNBbQ4DLE9FKNEKOHu9X9ZVG deetdw8Aj/ijE4IafVqo33+fefL4Wph+tOaKeCTQJAi4MOebIrzbYdCAFlAgWGJl3+5Q WQfDVxSpNxmaYDCdeeNOWLQL9Nxbthb6SmjOgq8GeV8nR0mJj/bfWOxI0pAN1WOAPDfK TtqrhwO1Otoc3MXrduZ3C+S+fvSN6RXeRPKImIhjAlgSWEqGmEVCq+0cYjXp64T2PM1c EZEA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=0fpWO7udVhwAzpQwUrBlzWeCLVvMJ31xIxpXuSXcUbY=; fh=fjHQcNINNGH2hLSp81WQHEPClJmGYjrqEWMo+Ek2tgY=; b=GsUjHv3zTdDswveFDTd9wqEkHNa5i375gfr4BCGYYq71V7fETxemIsBbwRR3tyl2JZ Oci3E6ZLPjvrTA+Pd0c+csubnln+M+GJGjBy4o+pk3sVVUMQ7Wr+EkCOPvJ4aOwZwnrn ScvzQrzRPFhmRqpnZDkiMNpQPMq0JTGBgbO1thUv8pRXn7fUFBg1onVv1f5/B1n0B7Js ML48sFCfHfs7JA4/pkhCl1zR9VHSLAxTRKTetAnlfDZoXxREqCksAe3hskT6CrpQmTKS HhbJfaE6KGTXqYkzmM87r9aji+qQtjhHbTXyh3it1GpYspWDqcOtv4ID22y78nDgl03g hCDw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=l1pdGKFL; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-191523-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-191523-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d9443c01a7336-1f47a5c723fsi40885455ad.382.2024.05.27.16.51.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 May 2024 16:51:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-191523-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=l1pdGKFL; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-191523-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-191523-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 9FDAE281A5D for ; Mon, 27 May 2024 23:51:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DB15D13B79B; Mon, 27 May 2024 23:51:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="l1pdGKFL" Received: from out-172.mta1.migadu.com (out-172.mta1.migadu.com [95.215.58.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A69A910A1E for ; Mon, 27 May 2024 23:51:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716853880; cv=none; b=AJExOLHw+VdlWXc9T3mdm7T4SbrvdXwnLJoDb7b0hdNKjG4lgVZKK8RChmMQKUibjK7sKiiSoAPGwA+lVukBYz2rV7OwH+oOVVDuVE0fOW9LBJbIuO0kudbC4YTUTnHYu3o9/t6xa7ExjpWvKaio7PpKZu+Srg3KqqWKSIT7aUE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716853880; c=relaxed/simple; bh=tI9NBeK3FA4hVFn/PTMTjI//Pvzk9b2OpSVaf+DnJp4=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Z4oVJke89Gcn5ZB85R16riTh4442tDseXV7WWsutnLhun3ABLgnxnfkD2ETAFAF5MVlmM+4Hk/ZVGeOhAtg6eNBP/Immw8VuDu7VNo6ENS6BNwBW2vf9i79ZB/06GTGINaMEA+SlY9O98NZktaHQ939ag5Ie0uxS0XqhxXJarxY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=l1pdGKFL; arc=none smtp.client-ip=95.215.58.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev X-Envelope-To: f.weber@proxmox.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1716853870; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0fpWO7udVhwAzpQwUrBlzWeCLVvMJ31xIxpXuSXcUbY=; b=l1pdGKFL7C3+FBQCwK3MPAziwcUlVq3vi28NG03hjzuwaww5Xx4cevfnA5pvQWdf5M1ERm V4JoaXQ2pbBd2oV7DZ/4tWEDocd/B4IVO8LrLy70e1ChsScfwiT7WL2WsVpOr28/GG15sQ TwgTuoIHjH2Uui5XmTwCIVJ/IH/1CPo= X-Envelope-To: axboe@kernel.dk X-Envelope-To: ming.lei@redhat.com X-Envelope-To: hch@lst.de X-Envelope-To: bvanassche@acm.org X-Envelope-To: linux-block@vger.kernel.org X-Envelope-To: linux-kernel@vger.kernel.org X-Envelope-To: zhouchengming@bytedance.com Message-ID: <8b1400e6-b35e-486b-8ea0-de76270267c0@linux.dev> Date: Tue, 28 May 2024 07:50:58 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH v4 4/4] blk-flush: reuse rq queuelist in flush state machine Content-Language: en-US To: Friedrich Weber , axboe@kernel.dk, ming.lei@redhat.com, hch@lst.de, bvanassche@acm.org Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhouchengming@bytedance.com References: <20230717040058.3993930-1-chengming.zhou@linux.dev> <20230717040058.3993930-5-chengming.zhou@linux.dev> <14b89dfb-505c-49f7-aebb-01c54451db40@proxmox.com> <984f1f77-288c-441a-a649-5f320249b576@linux.dev> <4d799672-378b-42b1-896b-38df2c5e9c84@proxmox.com> <0783d367-4608-4b16-9b88-6eaf5d5706eb@linux.dev> X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Chengming Zhou In-Reply-To: <0783d367-4608-4b16-9b88-6eaf5d5706eb@linux.dev> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 2024/5/28 07:34, Chengming Zhou wrote: > On 2024/5/28 00:04, Friedrich Weber wrote: >> Hi Chengming, >> >> Thank you for taking a look at this! >> >> On 27/05/2024 07:09, Chengming Zhou wrote: >>>> I've used this reproducer for a bisect, which produced >>>> >>>> 81ada09cc25e (blk-flush: reuse rq queuelist in flush state machine) >>>> >>>> as the first commit with which I can reproduce the crashes. I'm not 100% >>>> sure it is this one because the reproducer is a bit flaky. But it does >>>> sound plausible, as the commit is included in our 6.8 kernel, and >>>> touches `queuelist` which is AFAICT where blk_flush_complete_seq >>>> dereferences the NULL pointer. >>> >>> Ok, it will be better that I can reproduce it locally, will try later. >> >> Interestingly, so far I haven't been able to reproduce the crash when >> generating IO on the host itself, I only got crashes when generating IO >> in a QEMU VM. >> >> The reproducer in more detail: > > Thanks for these details, I will try to setup and reproduce when I back to work. > >> >> - Compile Linux 6.9 with CONFIG_FAULT_INJECTION, > [...] >>> >>> BUG shows it panic on 0000000000000008, not sure what it's accessing then, >>> does it means rq->queuelist.next == 0 or something? Could you use add2line >>> to show the exact source code line that panic? I use blk_flush_complete_seq+0x296/0x2e0 >>> and get block/blk-flush.c:190, which is "fq->flush_data_in_flight++;", >>> obviously fq can't be NULL. (I'm using the v6.9 kernel) >> >> Sorry for the confusion, the crash dump was from a kernel compiled at >> 81ada09cc25e -- with 6.9, the offset seems to be different. See [2] for >> a kernel 6.9 crash dump. >> >> I don't know too much about kernel debugging, but I tried to get >> something useful out of addr2line: >> >> # addr2line -f -e /usr/lib/debug/vmlinux-6.9.0-debug2 >> blk_flush_complete_seq+0x291/0x2d0 >> __list_del >> /[...]./include/linux/list.h:195 >> >> I tried to find the relevant portions in `objdump -SD blk-flush.o`, see >> [3]. If I'm not mistaken, blk_flush_complete_seq+0x291 should point to >> >> 351: 48 89 4f 08 mov %rcx,0x8(%rdi) >> >> To me this looks like part of >> >> list_move_tail(&rq->queuelist, pending); >> >> What do you think? > > Yeah, it seems correct, so the rq->queuelist.next == NULL. It can't be NULL > if went through REQ_FSEQ_POSTFLUSH, so it must be REQ_FSEQ_PREFLUSH. It means > we allocated a request but its queuelist is not initialized or corrupted? > > Anyway, I will use below changes for debugging when reproduce, and you could > also try this to see if we could get something useful. :) > > diff --git a/block/blk-mq.c b/block/blk-mq.c > index 3b4df8e5ac9e..6e3a6cd7739d 100644 > --- a/block/blk-mq.c > +++ b/block/blk-mq.c > @@ -2989,6 +2989,8 @@ void blk_mq_submit_bio(struct bio *bio) > blk_mq_use_cached_rq(rq, plug, bio); > } > > + BUG_ON(rq->queuelist.next == NULL); > + > trace_block_getrq(bio); > > rq_qos_track(q, rq, bio); > @@ -3006,6 +3008,8 @@ void blk_mq_submit_bio(struct bio *bio) > if (bio_zone_write_plugging(bio)) > blk_zone_write_plug_init_request(rq); > > + BUG_ON(rq->queuelist.next == NULL); > + > if (op_is_flush(bio->bi_opf) && blk_insert_flush(rq)) > return; > Ah, I forgot to change to your kernel version, then should be: diff --git a/block/blk-mq.c b/block/blk-mq.c index d98654869615..908fdfb62132 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2963,6 +2963,8 @@ void blk_mq_submit_bio(struct bio *bio) return; } + BUG_ON(rq->queuelist.next == NULL); + trace_block_getrq(bio); rq_qos_track(q, rq, bio); @@ -2977,6 +2979,8 @@ void blk_mq_submit_bio(struct bio *bio) return; } + BUG_ON(rq->queuelist.next == NULL); + if (op_is_flush(bio->bi_opf) && blk_insert_flush(rq)) return;