On Thu, May 25, 2017 at 04:38:09PM -0700, Bart Van Assche wrote:
> Requests that got stuck in a block driver are neither on
> blk_mq_ctx.rq_list nor on any hw dispatch queue. Make these
> visible in debugfs through the "busy" attribute.
The name of 'busy' isn't very explicit about this case, and I
guess you mean the requests are dispatched to hardware, so
'dispatched' or sort of name may be more accurate.
>
> Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx>
> Cc: Christoph Hellwig <hch@xxxxxx>
> Cc: Hannes Reinecke <hare@xxxxxxxx>
> Cc: Omar Sandoval <osandov@xxxxxx>
> Cc: Ming Lei <ming.lei@xxxxxxxxxx>
> ---
> block/blk-mq-debugfs.c | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
> index 8b06a12c1461..70a2b955afee 100644
> --- a/block/blk-mq-debugfs.c
> +++ b/block/blk-mq-debugfs.c
> @@ -370,6 +370,30 @@ static const struct seq_operations hctx_dispatch_seq_ops = {
> .show = blk_mq_debugfs_rq_show,
> };
>
> +struct show_busy_ctx {
> + struct seq_file *m;
> + struct blk_mq_hw_ctx *hctx;
> +};
> +
> +static void hctx_show_busy(struct request *rq, void *data, bool reserved)
> +{
> + const struct show_busy_ctx *ctx = data;
> +
> + if (blk_mq_map_queue(rq->q, rq->mq_ctx->cpu) == ctx->hctx &&
> + test_bit(REQ_ATOM_STARTED, &rq->atomic_flags))
During this small window, the request can be freed and reallocated
in another I/O path, then use-after-free is caused.
> + blk_mq_debugfs_rq_show(ctx->m, &rq->queuelist);
> +}
> +
> +static int hctx_busy_show(void *data, struct seq_file *m)
> +{
> + struct blk_mq_hw_ctx *hctx = data;
> + struct show_busy_ctx ctx = { .m = m, .hctx = hctx };
> +
> + blk_mq_tagset_busy_iter(hctx->queue->tag_set, hctx_show_busy, &ctx);
This way is easy to cause use-after-free, so as a debug function,
you can't affect the normal function.
But the new fixed blk_mq_quiesce_queue() can be used before calling
blk_mq_tagset_busy_iter() to avoid the race.
http://marc.info/?l=linux-block&m=149578610419654&w=2
Thanks,
Ming
