On 12/4/18 8:03 PM, Ming Lei wrote: > On Wed, Dec 05, 2018 at 10:58:02AM +0800, Ming Lei wrote: >> On Tue, Dec 04, 2018 at 07:30:24PM -0700, Jens Axboe wrote: >>> On 12/4/18 7:27 PM, Ming Lei wrote: >>>> On Tue, Dec 04, 2018 at 07:16:11PM -0700, Jens Axboe wrote: >>>>> On 12/4/18 6:37 PM, Ming Lei wrote: >>>>>> On Tue, Dec 04, 2018 at 03:47:46PM -0700, Jens Axboe wrote: >>>>>>> If we attempt a direct issue to a SCSI device, and it returns BUSY, then >>>>>>> we queue the request up normally. However, the SCSI layer may have >>>>>>> already setup SG tables etc for this particular command. If we later >>>>>>> merge with this request, then the old tables are no longer valid. Once >>>>>>> we issue the IO, we only read/write the original part of the request, >>>>>>> not the new state of it. >>>>>>> >>>>>>> This causes data corruption, and is most often noticed with the file >>>>>>> system complaining about the just read data being invalid: >>>>>>> >>>>>>> [ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256) >>>>>>> >>>>>>> because most of it is garbage... >>>>>>> >>>>>>> This doesn't happen from the normal issue path, as we will simply defer >>>>>>> the request to the hardware queue dispatch list if we fail. Once it's on >>>>>>> the dispatch list, we never merge with it. >>>>>>> >>>>>>> Fix this from the direct issue path by flagging the request as >>>>>>> REQ_NOMERGE so we don't change the size of it before issue. >>>>>>> >>>>>>> See also: >>>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=201685 >>>>>>> >>>>>>> Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'") >>>>>>> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> >>>>>>> >>>>>>> --- >>>>>>> >>>>>>> diff --git a/block/blk-mq.c b/block/blk-mq.c >>>>>>> index 3f91c6e5b17a..d8f518c6ea38 100644 >>>>>>> --- a/block/blk-mq.c >>>>>>> +++ b/block/blk-mq.c >>>>>>> @@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx, >>>>>>> break; >>>>>>> case BLK_STS_RESOURCE: >>>>>>> case BLK_STS_DEV_RESOURCE: >>>>>>> + /* >>>>>>> + * If direct dispatch fails, we cannot allow any merging on >>>>>>> + * this IO. Drivers (like SCSI) may have set up permanent state >>>>>>> + * for this request, like SG tables and mappings, and if we >>>>>>> + * merge to it later on then we'll still only do IO to the >>>>>>> + * original part. >>>>>>> + */ >>>>>>> + rq->cmd_flags |= REQ_NOMERGE; >>>>>>> + >>>>>>> blk_mq_update_dispatch_busy(hctx, true); >>>>>>> __blk_mq_requeue_request(rq); >>>>>>> break; >>>>>>> >>>>>> >>>>>> Not sure it is enough to just mark it as NOMERGE, for example, driver >>>>>> may have setup the .special_vec for discard, and NOMERGE may not prevent >>>>>> request from entering elevator queue completely. Cause 'rq.rb_node' and >>>>>> 'rq.special_vec' share same space. >>>>> >>>>> We should rather limit the scope of the direct dispatch instead. It >>>>> doesn't make sense to do for anything but read/write anyway. >>>> >>>> discard is kind of write, and it isn't treated very specially in make >>>> request path, except for multi-range discard. >>> >>> The point of direct dispatch is to reduce latencies for requests, >>> discards are so damn slow on ALL devices anyway that it doesn't make any >>> sense to try direct dispatch to begin with, regardless of whether it >>> possible or not. >> >> SCSI MQ device may benefit from direct dispatch from reduced lock contention. >> >>> >>>>>> So how about inserting this request via blk_mq_request_bypass_insert() >>>>>> in case that direct issue returns BUSY? Then it is invariant that >>>>>> any request queued via .queue_rq() won't enter scheduler queue. >>>>> >>>>> I did consider this, but I didn't want to experiment with exercising >>>>> a new path for an important bug fix. You do realize that your original >>>>> patch has been corrupting data for months? I think a little caution >>>>> is in order here. >>>> >>>> But marking NOMERGE still may have a hole on re-insert discard request as >>>> mentioned above. >>> >>> What I said was further limit the scope of direct dispatch, which means >>> not allowing anything that isn't a read/write. >> >> IMO, the conservative approach is to take the one used in legacy io >> path, in which it is never allowed to re-insert queued request to >> scheduler queue except for requeue, however RQF_DONTPREP is cleared >> before requeuing request to scheduler. >> >>> >>>> Given we never allow to re-insert queued request to scheduler queue >>>> except for 6ce3dd6eec1, I think it is the correct thing to do, and the >>>> fix is simple too. >>> >>> As I said, it's not the time to experiment. This issue has been there >>> since 4.19-rc1. The alternative is yanking both those patches, and then >>> looking at it later when the direct issue path has been cleaned up >>> first. >> >> The issue should have been there from v4.1, especially after commit >> f984df1f0f7 ("blk-mq: do limited block plug for multiple queue case"), >> which is the 1st one to re-insert the queued request into scheduler >> queue. > > But at that time, there isn't io scheduler for MQ, so in theory the > issue should be there since v4.11, especially 945ffb60c11d ("mq-deadline: > add blk-mq adaptation of the deadline IO scheduler"). Ming, I'm getting really tired of this. As mentioned in the other email, we're not having a theoretical or hypothetical debate here. The facts are on the table, there's no point in trying to shift blame. We need to deal with the current situation. -- Jens Axboe
