On 6/6/19 4:43 PM, Ming Lei wrote:
> On Thu, Jun 06, 2019 at 04:47:14PM +0200, Benjamin Block wrote:
>> On Tue, Jun 04, 2019 at 09:08:02PM +0800, Ming Lei wrote:
>>> In theory, IO scheduler belongs to request queue, and the request pool
>>> of sched tags belongs to the request queue too.
>>>
>>> However, the current tags allocation interfaces are re-used for both
>>> driver tags and sched tags, and driver tags is definitely host wide,
>>> and doesn't belong to any request queue, same with its request pool.
>>> So we need tagset instance for freeing request of sched tags.
>>>
>>> Meantime, blk_mq_free_tag_set() often follows blk_cleanup_queue() in case
>>> of non-BLK_MQ_F_TAG_SHARED, this way requires that request pool of sched
>>> tags to be freed before calling blk_mq_free_tag_set().
>>>
>>> Commit 47cdee29ef9d94e ("block: move blk_exit_queue into __blk_release_queue")
>>> moves blk_exit_queue into __blk_release_queue for simplying the fast
>>> path in generic_make_request(), then causes oops during freeing requests
>>> of sched tags in __blk_release_queue().
>>>
>>> Fix the above issue by move freeing request pool of sched tags into
>>> blk_cleanup_queue(), this way is safe becasue queue has been frozen and no any
>>> in-queue requests at that time. Freeing sched tags has to be kept in queue's
>>> release handler becasue there might be un-completed dispatch activity
>>> which might refer to sched tags.
>>>
>>> Cc: Bart Van Assche <bvanassche@xxxxxxx>
>>> Cc: Christoph Hellwig <hch@xxxxxx>
>>> Fixes: 47cdee29ef9d94e485eb08f962c74943023a5271 ("block: move blk_exit_queue into __blk_release_queue")
>>> Reported-by: kernel test robot <rong.a.chen@xxxxxxxxx>
>>> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
>>
>> Our CI meanwhile also crashes regularly because of this:
>>
>> run blktests block/002 at 2019-06-06 14:44:55
>> Unable to handle kernel pointer dereference in virtual kernel address space, Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803
>> Fault in home space mode while using kernel ASCE.
>> AS:0000000057290007 R3:0000000000000024
>> Oops: 0038 ilc:3 [#1] PREEMPT SMP
>> Modules linked in: ...
>> CPU: 4 PID: 139 Comm: kworker/4:2 Kdump: loaded Not tainted 5.2.0-rc3-master-05489-g55f909514069 #3
>> Hardware name: IBM 3906 M03 703 (LPAR)
>> Workqueue: events __blk_release_queue
>> Krnl PSW : 0704e00180000000 000000005657db18 (blk_mq_free_rqs+0x48/0x128)
>> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
>> Krnl GPRS: 00000000a8309db5 6b6b6b6b6b6b6b6b 000000008beb3858 00000000a2befbc8
>> 0000000000000000 0000000000000001 0000000056bb16c8 00000000b4070aa8
>> 000000008beb3858 000000008bc46b38 00000000a2befbc8 0000000000000000
>> 00000000bafb8100 00000000568e8040 000003e0092b3c30 000003e0092b3be0
>> Krnl Code: 000000005657db0a: a7f4006e brc 15,5657dbe6
>> 000000005657db0e: e31020380004 lg %r1,56(%r2)
>> #000000005657db14: b9040082 lgr %r8,%r2
>> >000000005657db18: e31010500002 ltg %r1,80(%r1)
>> 000000005657db1e: a784ffee brc 8,5657dafa
>> 000000005657db22: e32030000012 lt %r2,0(%r3)
>> 000000005657db28: a784ffe9 brc 8,5657dafa
>> 000000005657db2c: b9040074 lgr %r7,%r4
>> Call Trace:
>> ([<000000008ff8ed00>] 0x8ff8ed00)
>> [<0000000056582958>] blk_mq_sched_tags_teardown+0x68/0x98
>> [<0000000056583396>] blk_mq_exit_sched+0xc6/0xd8
>> [<0000000056569324>] elevator_exit+0x54/0x70
>> [<0000000056570644>] __blk_release_queue+0x84/0x110
>> [<0000000055f416c6>] process_one_work+0x3a6/0x6b8
>> [<0000000055f41c50>] worker_thread+0x278/0x478
>> [<0000000055f49e08>] kthread+0x160/0x178
>> [<00000000568d83e8>] ret_from_fork+0x34/0x38
>> INFO: lockdep is turned off.
>> Last Breaking-Event-Address:
>> [<000000005657daf6>] blk_mq_free_rqs+0x26/0x128
>> Kernel panic - not syncing: Fatal exception: panic_on_oops
>> run blktests block/003 at 2019-06-06 14:44:56
>>
>> When I tried to reproduced this with this patch, it went away (at least all of
>> blktest/block ran w/o crash).
>>
>> I don't feel competent enough to review this patch right now, but it would be
>> good if we get something upstream for this.
>
> Hi Jens, Christoph and Guys,
>
> Could you take a look at this patch? We have at least 3 reports on this
> issue, and I believe more will come if it isn't fixed.
I have queued it up.
--
Jens Axboe
