[PATCH] blk: fix tag shrinking (revive real_max_size)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 Hello, Andrew.

 The patch posted in the following mail (from me) incorrectly removed
blk_queue_tag->real_max_depth.

http://marc.theaimsgroup.com/?l=linux-kernel&m=111399777404464&w=2

commit: fa72b903f75e4f0f0b2c2feed093005167da4023

 The original resize implementation was incorrect in the following
points.

 * actual allocation size of tag_index was shorter than real_max_size,
   but assumed to be of the same size, possibly causing memory access
   beyond the allocated area.
 * bits in tag_map between max_deptn and real_max_depth were
   initialized to 1's, making the tags permanently reserved.

 In an attempt to fix above two bugs, I had removed allocation
optimization in init_tag_map and real_max_size.  Tag map/index were
allocated and freed immediately during resize.  Unfortunately, I
wasn't considering that tag map/index can be resized dynamically with
tags beyond new_depth active.  This led to accessing freed area after
shrinking tags and led to the following bug reporting thread on
linux-scsi.

http://marc.theaimsgroup.com/?l=linux-scsi&m=112319898111885&w=2

 To fix the problem, I've revived real_max_depth without allocation
optimization in init_tag_map, and Andrew Vasquez confirmed that the
problem was fixed.  As Jens is not going to be available for a week,
he asked me to make sure that this patch reaches you.

http://marc.theaimsgroup.com/?l=linux-scsi&m=112325778530886&w=2

 So, here's the patch.  The patch is against today's Linus git head
(2f60f8d3573ff90fe5d75a6d11fd2add1248e7d6).  The patch also applies to
linux-2.6.13-rc4-mm1 with offset of 1.  I apologize for the bug and
hassle.  Thank you.

--------------------------------------------------------------------

 Revive blk_queue_tag->real_max_size.  Previous commit
fa72b903f75e4f0f0b2c2feed093005167da4023 incorrectly removed this
field breaking dynamic shrinking of tags.  This patch revives
real_max_size sans buggy allocation optimization the original code
had.  Also, a comment was added to make sure that real_max_size is
needed for dynamic shrinking.


Signed-off-by: Tejun Heo <[email protected]>


diff --git a/drivers/block/ll_rw_blk.c b/drivers/block/ll_rw_blk.c
--- a/drivers/block/ll_rw_blk.c
+++ b/drivers/block/ll_rw_blk.c
@@ -719,7 +719,7 @@ struct request *blk_queue_find_tag(reque
 {
 	struct blk_queue_tag *bqt = q->queue_tags;
 
-	if (unlikely(bqt == NULL || tag >= bqt->max_depth))
+	if (unlikely(bqt == NULL || tag >= bqt->real_max_depth))
 		return NULL;
 
 	return bqt->tag_index[tag];
@@ -798,6 +798,7 @@ init_tag_map(request_queue_t *q, struct 
 
 	memset(tag_index, 0, depth * sizeof(struct request *));
 	memset(tag_map, 0, nr_ulongs * sizeof(unsigned long));
+	tags->real_max_depth = depth;
 	tags->max_depth = depth;
 	tags->tag_index = tag_index;
 	tags->tag_map = tag_map;
@@ -872,11 +873,22 @@ int blk_queue_resize_tags(request_queue_
 		return -ENXIO;
 
 	/*
+	 * if we already have large enough real_max_depth.  just
+	 * adjust max_depth.  *NOTE* as requests with tag value
+	 * between new_depth and real_max_depth can be in-flight, tag
+	 * map can not be shrunk blindly here.
+	 */
+	if (new_depth <= bqt->real_max_depth) {
+		bqt->max_depth = new_depth;
+		return 0;
+	}
+
+	/*
 	 * save the old state info, so we can copy it back
 	 */
 	tag_index = bqt->tag_index;
 	tag_map = bqt->tag_map;
-	max_depth = bqt->max_depth;
+	max_depth = bqt->real_max_depth;
 
 	if (init_tag_map(q, bqt, new_depth))
 		return -ENOMEM;
@@ -913,7 +925,7 @@ void blk_queue_end_tag(request_queue_t *
 
 	BUG_ON(tag == -1);
 
-	if (unlikely(tag >= bqt->max_depth))
+	if (unlikely(tag >= bqt->real_max_depth))
 		/*
 		 * This can happen after tag depth has been reduced.
 		 * FIXME: how about a warning or info message here?
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -301,6 +301,7 @@ struct blk_queue_tag {
 	struct list_head busy_list;	/* fifo list of busy tags */
 	int busy;			/* current depth */
 	int max_depth;			/* what we will send to device */
+	int real_max_depth;		/* what the array can hold */
 	atomic_t refcnt;		/* map can be shared */
 };
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux