From 7db814465395f3196ee98c8bd40d214d63e4f708 Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Mon, 23 Oct 2017 16:04:11 +0300 Subject: [PATCH 1/4] nvme-rdma: fix possible hang when issuing commands during ctrl removal nvme_rdma_queue_is_ready() fails requests in case a queue is not LIVE. If the controller is in RECONNECTING state, we might be in this state for a long time (until we successfully reconnect) and we are better off with failing the request fast. Otherwise, we fail with BLK_STS_RESOURCE to have the block layer try again soon. In case we are removing the controller when the admin queue is not LIVE, we will terminate the request with BLK_STS_RESOURCE but it happens before we call blk_mq_start_request() so the request timeout never expires, and the queue will never get back to LIVE (because we are removing the controller). This causes the removal operation to block infinitly [1]. Thus, if we are removing (state DELETING), and the queue is not LIVE, we need to fail the request permanently as there is no chance for it to ever complete successfully. [1] -- sysrq: SysRq : Show Blocked State task PC stack pid father kworker/u66:2 D 0 440 2 0x80000000 Workqueue: nvme-wq nvme_rdma_del_ctrl_work [nvme_rdma] Call Trace: __schedule+0x3e9/0xb00 schedule+0x40/0x90 schedule_timeout+0x221/0x580 io_schedule_timeout+0x1e/0x50 wait_for_completion_io_timeout+0x118/0x180 blk_execute_rq+0x86/0xc0 __nvme_submit_sync_cmd+0x89/0xf0 nvmf_reg_write32+0x4b/0x90 [nvme_fabrics] nvme_shutdown_ctrl+0x41/0xe0 nvme_rdma_shutdown_ctrl+0xca/0xd0 [nvme_rdma] nvme_rdma_remove_ctrl+0x2b/0x40 [nvme_rdma] nvme_rdma_del_ctrl_work+0x25/0x30 [nvme_rdma] process_one_work+0x1fd/0x630 worker_thread+0x1db/0x3b0 kthread+0x11e/0x150 ret_from_fork+0x27/0x40 01 D 0 2868 2862 0x00000000 Call Trace: __schedule+0x3e9/0xb00 schedule+0x40/0x90 schedule_timeout+0x260/0x580 wait_for_completion+0x108/0x170 flush_work+0x1e0/0x270 nvme_rdma_del_ctrl+0x5a/0x80 [nvme_rdma] nvme_sysfs_delete+0x2a/0x40 dev_attr_store+0x18/0x30 sysfs_kf_write+0x45/0x60 kernfs_fop_write+0x124/0x1c0 __vfs_write+0x28/0x150 vfs_write+0xc7/0x1b0 SyS_write+0x49/0xa0 entry_SYSCALL_64_fastpath+0x18/0xad -- Reported-by: Bart Van Assche Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig --- drivers/nvme/host/rdma.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index 87bac27ec64b..0ebb539f3bd3 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -1614,12 +1614,15 @@ nvme_rdma_queue_is_ready(struct nvme_rdma_queue *queue, struct request *rq) /* * reconnecting state means transport disruption, which * can take a long time and even might fail permanently, - * so we can't let incoming I/O be requeued forever. - * fail it fast to allow upper layers a chance to - * failover. + * fail fast to give upper layers a chance to failover. + * deleting state means that the ctrl will never accept + * commands again, fail it permanently. */ - if (queue->ctrl->ctrl.state == NVME_CTRL_RECONNECTING) + if (queue->ctrl->ctrl.state == NVME_CTRL_RECONNECTING || + queue->ctrl->ctrl.state == NVME_CTRL_DELETING) { + nvme_req(rq)->status = NVME_SC_ABORT_REQ; return BLK_STS_IOERR; + } return BLK_STS_RESOURCE; /* try again later */ } } From efea2abcb03215f2efadfe994ff7f652aaff196b Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Fri, 27 Oct 2017 08:23:21 -0600 Subject: [PATCH 2/4] virtio_blk: Fix an SG_IO regression Avoid that submitting an SG_IO ioctl triggers a kernel oops that is preceded by: usercopy: kernel memory overwrite attempt detected to (null) () (6 bytes) kernel BUG at mm/usercopy.c:72! Reported-by: Dann Frazier Fixes: commit ca18d6f769d2 ("block: Make most scsi_req_init() calls implicit") Signed-off-by: Bart Van Assche Cc: Michael S. Tsirkin Cc: Dann Frazier Cc: # v4.13 Reviewed-by: Christoph Hellwig Moved virtblk_initialize_rq() inside CONFIG_VIRTIO_BLK_SCSI. Signed-off-by: Jens Axboe --- drivers/block/virtio_blk.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 34e17ee799be..68846897d213 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -593,10 +593,22 @@ static int virtblk_map_queues(struct blk_mq_tag_set *set) return blk_mq_virtio_map_queues(set, vblk->vdev, 0); } +#ifdef CONFIG_VIRTIO_BLK_SCSI +static void virtblk_initialize_rq(struct request *req) +{ + struct virtblk_req *vbr = blk_mq_rq_to_pdu(req); + + scsi_req_init(&vbr->sreq); +} +#endif + static const struct blk_mq_ops virtio_mq_ops = { .queue_rq = virtio_queue_rq, .complete = virtblk_request_done, .init_request = virtblk_init_request, +#ifdef CONFIG_VIRTIO_BLK_SCSI + .initialize_rq_fn = virtblk_initialize_rq, +#endif .map_queues = virtblk_map_queues, }; From 5e0fab57fb3e0e553758067a15eefdc796ef0a76 Mon Sep 17 00:00:00 2001 From: Keith Busch Date: Fri, 27 Oct 2017 13:51:22 -0600 Subject: [PATCH 3/4] nvme: Fix setting logical block format when revalidating Revalidating the disk needs to set the logical block format and capacity, otherwise it can't figure out if the users modified anything about the namespace. Fixes: cdbff4f26bd9 ("nvme: remove nvme_revalidate_ns") Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Jens Axboe --- drivers/nvme/host/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 5a14cc7f28ee..37f9039bb9ca 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -1249,6 +1249,7 @@ static int nvme_revalidate_disk(struct gendisk *disk) goto out; } + __nvme_revalidate_disk(disk, id); nvme_report_ns_ids(ctrl, ns->ns_id, id, eui64, nguid, &uuid); if (!uuid_equal(&ns->uuid, &uuid) || memcmp(&ns->nguid, &nguid, sizeof(ns->nguid)) || From 79d73346ac05bc31f2e96f899c4e9aaaa616a8d4 Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Tue, 31 Oct 2017 15:39:40 +0800 Subject: [PATCH 4/4] ide:ide-cd: fix kernel panic resulting from missing scsi_req_init Since we split the scsi_request out of struct request, while the standard prep_rq_fn builds 10 byte cmds, it missed to invoke scsi_req_init() to initialize certain fields of a scsi_request structure (.__cmd[], .cmd, .cmd_len and .sense_len but no other members of struct scsi_request). An example panic on virtual machines (qemu/virtualbox) to boot from IDE cdrom: ... [ 8.754381] Call Trace: [ 8.755419] blk_peek_request+0x182/0x2e0 [ 8.755863] blk_fetch_request+0x1c/0x40 [ 8.756148] ? ktime_get+0x40/0xa0 [ 8.756385] do_ide_request+0x37d/0x660 [ 8.756704] ? cfq_group_service_tree_add+0x98/0xc0 [ 8.757011] ? cfq_service_tree_add+0x1e5/0x2c0 [ 8.757313] ? ktime_get+0x40/0xa0 [ 8.757544] __blk_run_queue+0x3d/0x60 [ 8.757837] queue_unplugged+0x2f/0xc0 [ 8.758088] blk_flush_plug_list+0x1f4/0x240 [ 8.758362] blk_finish_plug+0x2c/0x40 ... [ 8.770906] RIP: ide_cdrom_prep_fn+0x63/0x180 RSP: ffff92aec018bae8 [ 8.772329] ---[ end trace 6408481e551a85c9 ]--- ... Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") Signed-off-by: Hongxu Jia Signed-off-by: Jens Axboe --- drivers/ide/ide-cd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c index 81e18f9628d0..a7355ab3bb22 100644 --- a/drivers/ide/ide-cd.c +++ b/drivers/ide/ide-cd.c @@ -1328,6 +1328,7 @@ static int ide_cdrom_prep_fs(struct request_queue *q, struct request *rq) unsigned long blocks = blk_rq_sectors(rq) / (hard_sect >> 9); struct scsi_request *req = scsi_req(rq); + scsi_req_init(req); memset(req->cmd, 0, BLK_MAX_CDB); if (rq_data_dir(rq) == READ)