On 16/03/2021 17:00, Bart Van Assche wrote:
On 3/16/21 9:15 AM, John Garry wrote:
I'll have a look at this ASAP - a bit busy.
But a quick scan and I notice this:
> @@ -226,6 +226,7 @@ static inline void
__blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
> struct request *rq)
> {
> blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
> + rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
Wasn't a requirement to not touch the fastpath at all, including even
if only NULLifying a pointer?
IIRC, Kashyap some time ago had a patch like above (but without RCU
usage), but the request from Jens was to not touch the fastpath.
Maybe I'm mistaken - I will try to dig up the thread.
Hi Bart,
I agree that Jens asked at the end of 2018 not to touch the fast path to
fix this use-after-free (maybe that request has been repeated more
recently). If Jens or anyone else feels strongly about not clearing
hctx->tags->rqs[rq->tag] from the fast path then I will make that
change.
Is that possible for this same approach? I need to check the code more..
And don't we still have the problem that some iter callbacks may
sleep/block, which is not allowed in an RCU read-side critical section?
My motivation for clearing these pointers from the fast path is
as follows:
- This results in code that is easier to read and easier to maintain.
- Every modern CPU pipelines store instructions so the performance
impact of adding an additional store should be small.
- Since the block layer has a tendency to reuse tags that have been
freed recently, it is likely that hctx->tags->rqs[rq->tag] will be used
for a next request and hence that it will have to be loaded into the CPU
cache anyway.
Those points make sense to me, but obviously it's the maintainers call.
Thanks,
john
