On Thu, 2012-01-05 at 18:17 -0800, Tejun Heo wrote: > When two requests are merged, if the absorbed request is older than > the absorbing one, cfq_merged_requests() tries to reposition it in the > cfqq->fifo list by list_move()'ing the absorbing request to the > absorbed one before removing it. > > This works if both requests are on the same cfqq but nothing > guarantees that and the code ends up moving the merged request to a > different cfqq's fifo list without adjusting the rest. This leads to > the following failures. > > * A request may be on the fifo list of a cfqq without holding > reference to it and the cfqq can be freed before requst is finished. > Among other things, this triggers list debug warning and slab debug > use-after-free warning. > > * As a request can be on the wrong fifo queue, it may be issued and > completed before its cfqq is scheduled. If the cfqq didn't have > other requests on it, it would be empty by the time it's dispatched > triggering BUG_ON() in cfq_dispatch_request(). > > Fix it by making cfq_merged_requests() scan the absorbing request's > fifo list for the correct slot and move there instead. > > Signed-off-by: Tejun Heo <tj@xxxxxxxxxx> > Reported-by: Hugh Dickins <hughd@xxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > --- > It survived my testing long enough and I'm relatively confident this > should fix the crash but I might have gotten the scanning wrong, so > please pay extra attention there. > > I suspect we just didn't have enough backward request-request merges > before the recent plug merge updates to trigger this bug. The patch itself looks good to me, but I'm wondering if we really need do reposition of the fifo list for merged request. it's rare case and not worthy such complexity to me. Thanks, Shaohua -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html