Re: [RFC PATCH v3 2/3] blk-mq: Freeze and quiesce all queues for tagset in elevator_exit()

On 3/16/21 9:15 AM, John Garry wrote:
I'll have a look at this ASAP - a bit busy.

But a quick scan and I notice this:

> @@ -226,6 +226,7 @@ static inline void __blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
 >                          struct request *rq)
 >   {
 >       blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
 > +    rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
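
Review bot: the added store on the `+` line runs after blk_mq_put_tag() has already released rq->tag, so if the rqs[] slot is filled when a tag is handed out, another context that has just been given the same tag could have its new entry overwritten with NULL. Consider clearing hctx->tags->rqs[rq->tag] before the blk_mq_put_tag() call, or add a comment explaining why this ordering is safe. Since the value stored is NULL, RCU_INIT_POINTER() would be enough here and avoids the release ordering that rcu_assign_pointer() implies, which matters given the fast-path cost under discussion.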

Wasn't a requirement to not touch the fastpath at all, including even if only NULLifying a pointer?

IIRC, Kashyap some time ago had a patch like above (but without RCU usage), but the request from Jens was to not touch the fastpath.

Maybe I'm mistaken - I will try to dig up the thread.

Hi John,

I agree that Jens asked at the end of 2018 not to touch the fast path to fix this use-after-free (maybe that request has been repeated more recently). If Jens or anyone else feels strongly about not clearing hctx->tags->rqs[rq->tag] from the fast path then I will make that change. My motivation for clearing these pointers from the fast path is as follows:
- This results in code that is easier to read and easier to maintain.
- Every modern CPU pipelines store instructions so the performance impact of adding an additional store should be small.
- Since the block layer has a tendency to reuse tags that have been freed recently, it is likely that hctx->tags->rqs[rq->tag] will be used for a next request and hence that it will have to be loaded into the CPU cache anyway.

Bart.


