On 06/24/18 23:20, Jianchao Wang wrote:
> blk_mq_run_hw_queues and blk_mq_start_stopped_hw_queues in queue_state_write will invoke queue_for_each_hw_ctx. It will race with blk_mq_realloc_hw_ctxs and incur a NULL pointer dereference. Put them under sysfs_lock to serialize the access to queue_hw_ctx and nr_hw_queues.
The above looks wrong to me. blk_mq_realloc_hw_ctxs() starts with calling blk_mq_unregister_hctx(). That last function uses kobject_del() and kobject_del() waits until all pending sysfs callback functions for the deleted objects have finished.
Bart.