On Mon, May 21, 2018 at 10:25:17AM -0600, Keith Busch wrote:
> On Tue, May 22, 2018 at 12:08:37AM +0800, Ming Lei wrote:
> > Please take a look at blk_mq_complete_request(). Even with Bart's
> > change, the request still won't be completed by driver. The request can
> > only be completed by either driver or blk-mq, not both.
>
> So you're saying blk-mq can't complete a request the driver returned to
> blk-mq to complete. And that's the nvme driver's problem to fix?

For avoiding use-after-free, one request can only be completed by one path,
either by timeout path or normal completion (irq or cancel) from driver.
So before handling this req's timeout, this request has to be marked as
completed by blk-mq timeout code already, then nvme_cancel_request() can't
cover this timed-out request.

Thanks,
Ming
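
The single-completer rule discussed in this message, as an added user-space sketch that is not part of the original mail and is not kernel code: the struct, the state names and every function below are hypothetical, and a C11 compare-and-swap stands in for whatever marking blk-mq actually uses.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model for illustration; not the kernel's definitions. */
enum { REQ_IN_FLIGHT, REQ_COMPLETE };

struct request {
    atomic_int state;
    int completions;    /* times a completion ran for this request */
};

/* Exactly one caller can move IN_FLIGHT -> COMPLETE and own the request. */
bool req_claim(struct request *rq)
{
    int expected = REQ_IN_FLIGHT;
    return atomic_compare_exchange_strong(&rq->state, &expected, REQ_COMPLETE);
}

/* Normal completion (irq or cancel from the driver). */
bool driver_complete(struct request *rq)
{
    if (!req_claim(rq))
        return false;   /* owned by the timeout path: must not touch it */
    rq->completions++;
    return true;
}

/* Constructed scenario: a timeout fires, then the driver's cancel sweep runs. */
int completions_after_timeout_then_cancel(bool *cancel_completed)
{
    struct request rq = { .completions = 0 };
    atomic_init(&rq.state, REQ_IN_FLIGHT);
    /* Timeout path marks the request completed before handling the timeout. */
    bool claimed = req_claim(&rq);
    *cancel_completed = driver_complete(&rq);  /* skipped: already claimed */
    if (claimed)
        rq.completions++;   /* the timeout handler must finish it itself */
    return rq.completions;
}

int main(void)
{
    bool cancelled;
    int n = completions_after_timeout_then_cancel(&cancelled);
    printf("completions=%d cancel_completed=%d\n", n, cancelled);
    return 0;
}
```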