MQ_RQ_COMPLETE is one transient state, because the .complete callback ends or requeues this request, then the request state is updated to IDLE. blk_mq_request_completed() is often used by driver for avoiding double completion with help of driver's specific sync approach. Such as, NVMe TCP calls blk_mq_request_completed() in its timeout handler and abort handler for avoiding double completion. If request's state is updated to IDLE in either one, another code path may think this request as not completed, and will complete it one more time. Then double completion is triggered. Yi reported[1] that 'refcount_t: underflow; use-after-free' of rq->ref is triggered in blktests(nvme/012) on one very slow machine. Fixes this issue by thinking request as completed if its state becomes not IN_FLIGHT. Reported-by: Yi Zhang <yi.zhang@xxxxxxxxxx> Cc: Chao Leng <lengchao@xxxxxxxxxx> Cc: Sagi Grimberg <sagi@xxxxxxxxxxx> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx> --- include/linux/blk-mq.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h index b23eeca4d677..9a0c1f8ac42d 100644 --- a/include/linux/blk-mq.h +++ b/include/linux/blk-mq.h @@ -486,9 +486,15 @@ static inline int blk_mq_request_started(struct request *rq) return blk_mq_rq_state(rq) != MQ_RQ_IDLE; } +/* + * It is often called in abort handler for avoiding double completion, + * MQ_RQ_COMPLETE is one transient state because .complete callback + * may end or requeue this request, in either way the request is marked + * as IDLE. So return true if this request's state become not IN_FLIGHT. + */ static inline int blk_mq_request_completed(struct request *rq) { - return blk_mq_rq_state(rq) == MQ_RQ_COMPLETE; + return blk_mq_rq_state(rq) != MQ_RQ_IN_FLIGHT; } void blk_mq_start_request(struct request *rq); -- 2.25.2