On 2024/6/27 1:13, Bart Van Assche wrote:
> On 6/25/24 8:56 PM, Peter Wang (王信友) wrote:
>> Sorry I have not explain root-cause clearly.
>> I will add more clear root-cause analyze next version.
>>
>> And it is not an invalid pointer is passed to blk_mq_unique_tag(),
>> I means blk_mq_unique_tag function try access null pointer.
>> It is differnt and cause misunderstanding.
>>
>> The null pinter blk_mq_unique_tag try access is:
>> rq->mq_hctx(NULL)->queue_num.
>>
>> The racing flow is:
>>
>> Thread A
>> ufshcd_err_handler step 1
>> ufshcd_cmd_inflight(true) step 3
>> ufshcd_mcq_req_to_hwq
>> blk_mq_unique_tag
>> rq->mq_hctx->queue_num step 5
>>
>> Thread B
>> ufs_mtk_mcq_intr(cq complete ISR) step 2
>> scsi_done
>> ...
>> __blk_mq_free_request
>> rq->mq_hctx = NULL; step 4
>
> How about surrounding the blk_mq_unique_tag() call with
> atomic_inc_not_zero(&req->ref) / atomic_dec(&req->ref)?
>
Hi Bart,
A small wonder, then should we append __blk_mq_free_request() if
req->ref decreased to 0 like following?
if (req_ref_put_and_test(rq))
__blk_mq_free_request(rq);
> Thanks,
>
> Bart.
>
