[PATCH OLK-5.10 0/2] fix queue start/stop imbalance under race - Kernel - mailweb.openeuler.org

newer
[PATCH OLK-6.6 0/4] CVE-2026-23320

[PATCH OLK-5.10 0/2] fix queue start/stop imbalance under race

older
[PATCH OLK-6.6 0/2] fix queue...

Zheng Qixing

27 Mar 2026 27 Mar '26

2:38 p.m.

Zheng Qixing (2): dm: fix queue start/stop imbalance under suspend/load/resume races dm: fix queue start/stop imbalance under remove/resume races drivers/md/dm-core.h | 1 + drivers/md/dm.c | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) -- 2.39.2

Reply

Sign in to reply online Use email software

Show replies by date

Zheng Qixing

27 Mar 27 Mar

2:38 p.m.

New subject: [PATCH OLK-5.10 1/2] dm: fix queue start/stop imbalance under suspend/load/resume races

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/7056 ------------------ When suspend and load run concurrently, __dm_suspend() may skip dm_stop_queue(). As a result, the queue’s quiesce depth is not incremented. Later, once load has finished and __dm_resume() runs, which triggers: Call Trace: <TASK> dm_start_queue+0x16/0x20 [dm_mod] __dm_resume+0xac/0xb0 [dm_mod] dm_resume+0x12d/0x150 [dm_mod] do_resume+0x2c2/0x420 [dm_mod] dev_suspend+0x30/0x130 [dm_mod] ctl_ioctl+0x402/0x570 [dm_mod] dm_ctl_ioctl+0x23/0x30 [dm_mod] Fix this by explicitly tracking whether the request queue was stopped in __dm_suspend() via a new DMF_QUEUE_STOPPED flag. Only call dm_start_queue() in __dm_resume() if the queue was actually stopped. Fixes: e70feb8b3e68 ("blk-mq: support concurrent queue quiesce/unquiesce") Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/md/dm-core.h | 1 + drivers/md/dm.c | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index ed7285836692..8896c9a2f2aa 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -136,6 +136,7 @@ struct mapped_device { #define DMF_DEFERRED_REMOVE 6 #define DMF_SUSPENDED_INTERNALLY 7 #define DMF_POST_SUSPENDING 8 +#define DMF_QUEUE_STOPPED 9 void disable_discard(struct mapped_device *md); void disable_write_same(struct mapped_device *md); diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 43cbfe359527..462f7cf9536f 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2524,8 +2524,10 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map, * Stop md->queue before flushing md->wq in case request-based * dm defers requests to md->wq from md->queue. */ - if (dm_request_based(md)) + if (dm_request_based(md)) { dm_stop_queue(md->queue); + set_bit(DMF_QUEUE_STOPPED, &md->flags); + } flush_workqueue(md->wq); @@ -2547,7 +2549,7 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map, if (r < 0) { dm_queue_flush(md); - if (dm_request_based(md)) + if (test_and_clear_bit(DMF_QUEUE_STOPPED, &md->flags)) dm_start_queue(md->queue); unlock_fs(md); @@ -2630,7 +2632,7 @@ static int __dm_resume(struct mapped_device *md, struct dm_table *map) * so that mapping of targets can work correctly. * Request-based dm is queueing the deferred I/Os in its request_queue. */ - if (dm_request_based(md)) + if (test_and_clear_bit(DMF_QUEUE_STOPPED, &md->flags)) dm_start_queue(md->queue); unlock_fs(md); -- 2.39.2

Reply

Sign in to reply online Use email software

Zheng Qixing

2:38 p.m.

New subject: [PATCH OLK-5.10 2/2] dm: fix queue start/stop imbalance under remove/resume races

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/7056 ------------------ When dm remove races with resume, DMF_SUSPENDED may be set by __dm_destroy(), without actually quiescing the request queue. Then in __dm_resume(), it will call dm_start_queue() for request-based devices. This results in blk_mq_unquiesce_queue() being invoked with q->quiesce_depth == 0, triggering: WARNING: at block/blk-mq.c blk_mq_unquiesce_queue+0xa0/0xc0 Call Trace: <TASK> dm_start_queue+0x16/0x20 [dm_mod] __dm_resume+0xac/0xb0 [dm_mod] dm_resume+0x12d/0x150 [dm_mod] do_resume+0x2c2/0x420 [dm_mod] dev_suspend+0x30/0x130 [dm_mod] ctl_ioctl+0x402/0x570 [dm_mod] dm_ctl_ioctl+0x23/0x30 [dm_mod] Fix it by adding check of DMF_FREEING in dm_resume(). If the mapped device is being destroyed, simply bail out early and skip resume. This prevents unbalanced start/stop of the queue during the remove/resume race. Fixes: e70feb8b3e68 ("blk-mq: support concurrent queue quiesce/unquiesce") Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/md/dm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 462f7cf9536f..6f7c9bc2c3e0 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2652,6 +2652,9 @@ int dm_resume(struct mapped_device *md) if (!dm_suspended_md(md)) goto out; + if (test_bit(DMF_FREEING, &md->flags)) + goto out; + if (dm_suspended_internally_md(md)) { /* already internally suspended, wait for internal resume */ mutex_unlock(&md->suspend_lock); -- 2.39.2

Reply

Sign in to reply online Use email software

patchwork bot

3:05 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://atomgit.com/openeuler/kernel/merge_requests/21404 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/DDE... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21404 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/DDE...

Reply

Sign in to reply online Use email software

0

Age (days ago)

0

Last active (days ago)

3 comments

2 participants

tags

participants (2)

patchwork bot
Zheng Qixing