On 11/23/21 19:58, Sean Anderson wrote:
The ioprio and iolatency rqos never get free'd on error or queue exit, causing
the following leaks:
unreferenced object 0xffff97b143bc0900 (size 64):
comm "kworker/u2:3", pid 101, jiffies 4294877468 (age 159.967s)
hex dump (first 32 bytes):
00 15 f9 86 ff ff ff ff 60 f4 cf 45 b1 97 ff ff ........`..E....
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000063d10c99>] blk_ioprio_init+0x25/0xe0
[<000000005dd8844d>] blkcg_init_queue+0x8d/0x140
[<00000000bd7aac9b>] blk_alloc_queue+0x1ef/0x280
[<0000000044d961f9>] blk_mq_init_queue+0x1a/0x60
[<0000000031908ee1>] scsi_alloc_sdev+0x20f/0x370
[<00000000e99f53d3>] scsi_probe_and_add_lun+0x9db/0xe10
[<00000000942c5af3>] __scsi_scan_target+0xfc/0x5b0
[<000000007194bb8f>] scsi_scan_channel+0x58/0x90
[<00000000ebf8a49b>] scsi_scan_host_selected+0xe9/0x120
[<00000000f745ec7d>] do_scan_async+0x18/0x160
[<000000006f6ff8ca>] async_run_entry_fn+0x30/0x130
[<000000003d813304>] process_one_work+0x1e8/0x3c0
[<0000000020b6d54d>] worker_thread+0x50/0x3c0
[<000000007fc10a0f>] kthread+0x132/0x160
[<0000000010197ee2>] ret_from_fork+0x22/0x30
unreferenced object 0xffff97b143da4360 (size 96):
comm "kworker/u2:3", pid 101, jiffies 4294877468 (age 159.987s)
hex dump (first 32 bytes):
40 1b f9 86 ff ff ff ff 60 f4 cf 45 b1 97 ff ff @.......`..E....
01 00 00 00 00 00 00 00 00 09 bc 43 b1 97 ff ff ...........C....
backtrace:
[<000000000ffb4700>] blk_iolatency_init+0x25/0x160
[<00000000c4cdb872>] blkcg_init_queue+0xc7/0x140
[<00000000bd7aac9b>] blk_alloc_queue+0x1ef/0x280
[<0000000044d961f9>] blk_mq_init_queue+0x1a/0x60
[<0000000031908ee1>] scsi_alloc_sdev+0x20f/0x370
[<00000000e99f53d3>] scsi_probe_and_add_lun+0x9db/0xe10
[<00000000942c5af3>] __scsi_scan_target+0xfc/0x5b0
[<000000007194bb8f>] scsi_scan_channel+0x58/0x90
[<00000000ebf8a49b>] scsi_scan_host_selected+0xe9/0x120
[<00000000f745ec7d>] do_scan_async+0x18/0x160
[<000000006f6ff8ca>] async_run_entry_fn+0x30/0x130
[<000000003d813304>] process_one_work+0x1e8/0x3c0
[<0000000020b6d54d>] worker_thread+0x50/0x3c0
[<000000007fc10a0f>] kthread+0x132/0x160
[<0000000010197ee2>] ret_from_fork+0x22/0x30
Fixes: d70675121546 ("block: introduce blk-iolatency io controller")
Fixes: 556910e39249 ("block: Introduce the ioprio rq-qos policy")
Signed-off-by: Sean Anderson <seanga2@xxxxxxxxx>
---
block/blk-cgroup.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 663aabfeba18..ced5ee637405 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -32,6 +32,7 @@
#include <linux/psi.h>
#include "blk.h"
#include "blk-ioprio.h"
+#include "blk-rq-qos.h"
#include "blk-throttle.h"
/*
@@ -1200,16 +1201,18 @@ int blkcg_init_queue(struct request_queue *q)
ret = blk_throtl_init(q);
if (ret)
- goto err_destroy_all;
+ goto err_qos_exit;
ret = blk_iolatency_init(q);
if (ret) {
blk_throtl_exit(q);
- goto err_destroy_all;
+ goto err_qos_exit;
}
return 0;
+err_qos_exit:
+ rq_qos_exit(q);
err_destroy_all:
blkg_destroy_all(q);
return ret;
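Review bot: In the blk_iolatency_init() failure branch, blk_throtl_exit(q) is still called inline before the goto, while the rest of the unwinding lives under labels. Consider an err_throtl_exit label placed above err_qos_exit so that every failure path unwinds from one place, in reverse order of setup. A short comment at err_qos_exit noting that it falls through to err_destroy_all would also help the next reader.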
@@ -1229,6 +1232,7 @@ int blkcg_init_queue(struct request_queue *q)
*/
void blkcg_exit_queue(struct request_queue *q)
{
+ rq_qos_exit(q);
blkg_destroy_all(q);
blk_throtl_exit(q);
}
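Review bot: The teardown order in blkcg_exit_queue() differs from the error path in blkcg_init_queue(): here rq_qos_exit(q) runs first and blk_throtl_exit(q) last, whereas the iolatency failure branch calls blk_throtl_exit(q) before rq_qos_exit(q). If the order does not matter, say so in a comment; otherwise make both paths unwind in the same order. The comment that ends just above this function could also mention that the rq-qos policies are now released here.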

Thanks for having reported this. However, I'm not sure the above patch
is the best way to fix this. I'd prefer to restore the rq_qos_exit(q) in
blk_cleanup_queue() and also to add the following to such a patch:

Fixes: commit 8e141f9eb803 ("block: drain file system I/O on del_gendisk").

As far as I can see calling rq_qos_exit(q) twice for the same request
queue is fine.

Bart.
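
The leak and the repeated rq_qos_exit(q) call discussed in this thread, as an added user-space model (not kernel code, and not from the patch or the reply). It assumes the rq-qos chain is a singly linked list torn down by popping entries until it is empty; rq_qos_add, init_queue, live_objects, fail_late and unwind are hypothetical names.

```c
#include <stdlib.h>

/* User-space model only: type names mirror the patch, bodies are assumptions. */
struct rq_qos { struct rq_qos *next; };
struct request_queue { struct rq_qos *rq_qos; };

static int live_objects;            /* stands in for what kmemleak would see */

/* Register one policy on the queue's chain; -1 stands in for -ENOMEM. */
static int rq_qos_add(struct request_queue *q)
{
    struct rq_qos *rqos = calloc(1, sizeof(*rqos));
    if (!rqos)
        return -1;
    rqos->next = q->rq_qos;
    q->rq_qos = rqos;
    live_objects++;
    return 0;
}

/* Pop-until-empty teardown: a second call finds an empty chain and does nothing. */
static void rq_qos_exit(struct request_queue *q)
{
    while (q->rq_qos) {
        struct rq_qos *rqos = q->rq_qos;
        q->rq_qos = rqos->next;
        free(rqos);
        live_objects--;
    }
}

/* Init path model: unwind == 0 is the old error path, unwind == 1 the patched one. */
static int init_queue(struct request_queue *q, int fail_late, int unwind)
{
    int ret = rq_qos_add(q);        /* blk_ioprio_init() stand-in */
    if (!ret && fail_late)
        ret = -1;                   /* a later init step fails */
    if (!ret)
        ret = rq_qos_add(q);        /* blk_iolatency_init() stand-in */
    if (ret && unwind)
        rq_qos_exit(q);             /* the call the patch adds */
    return ret;
}

int main(void)
{
    struct request_queue q = { 0 };
    init_queue(&q, 1, 1);           /* failing init with the unwind in place */
    rq_qos_exit(&q);                /* repeated teardown is a no-op */
    return live_objects;            /* exit status 0 when nothing leaked */
}
```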