Commit b531899

Author: Ming Lei
blk-mq: Defer freeing flush queue to SRCU callback
JIRA: https://issues.redhat.com/browse/RHEL-120078

commit 135b852
Author: Ming Lei <ming.lei@redhat.com>
Date: Sat Aug 30 10:18:22 2025 +0800

blk-mq: Defer freeing flush queue to SRCU callback

The freeing of the flush queue/request in blk_mq_exit_hctx() can race with tag iterators that may still be accessing it. To prevent a potential use-after-free, the deallocation should be deferred until after a grace period. With this way, we can replace the big tags->lock in tags iterator code path with srcu for solving the issue.

This patch introduces an SRCU-based deferred freeing mechanism for the flush queue.

The changes include:
- Adding a `rcu_head` to `struct blk_flush_queue`.
- Creating a new callback function, `blk_free_flush_queue_callback`, to handle the actual freeing.
- Replacing the direct call to `blk_free_flush_queue()` in `blk_mq_exit_hctx()` with `call_srcu()`, using the `tags_srcu` instance to ensure synchronization with tag iterators.

Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
1 parent ec821ac commit b531899

2 files changed, +11 -1 lines changed

block/blk-mq.c

Lines changed: 10 additions & 1 deletion
@@ -3908,6 +3908,14 @@ static void blk_mq_clear_flush_rq_mapping(struct blk_mq_tags *tags,
39083908
spin_unlock_irqrestore(&tags->lock, flags);
39093909
}
39103910

3911+
static void blk_free_flush_queue_callback(struct rcu_head *head)
3912+
{
3913+
struct blk_flush_queue *fq =
3914+
container_of(head, struct blk_flush_queue, rcu_head);
3915+
3916+
blk_free_flush_queue(fq);
3917+
}
3918+
39113919
/* hctx->ctxs will be freed in queue's release handler */
39123920
static void blk_mq_exit_hctx(struct request_queue *q,
39133921
struct blk_mq_tag_set *set,
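Review bot: `blk_free_flush_queue_callback()` is added without a comment saying which grace period it belongs to or what context it runs in. A short comment above it, stating that it is invoked from `call_srcu()` on `tags_srcu` after all tag-iterator readers have left their read-side sections, would make the lifetime rule explicit for anyone who later touches `blk_free_flush_queue()`. It would also record that whatever `blk_free_flush_queue()` does must stay safe to run from an SRCU callback rather than from the `blk_mq_exit_hctx()` caller's context.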
@@ -3927,7 +3935,8 @@ static void blk_mq_exit_hctx(struct request_queue *q,
39273935
if (set->ops->exit_hctx)
39283936
set->ops->exit_hctx(hctx, hctx_idx);
39293937

3930-
blk_free_flush_queue(hctx->fq);
3938+
call_srcu(&set->tags_srcu, &hctx->fq->rcu_head,
3939+
blk_free_flush_queue_callback);
39313940
hctx->fq = NULL;
39323941

39333942
xa_erase(&q->hctx_table, hctx_idx);
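Review bot: `&hctx->fq->rcu_head` in the new `call_srcu()` call is computed from `hctx->fq` with no NULL check, while the removed line handed the raw pointer to `blk_free_flush_queue()`, which was free to tolerate NULL itself. Please confirm that `hctx->fq` is always allocated by the time `blk_mq_exit_hctx()` runs, or guard the call with `if (hctx->fq)`. Separately, the free is now asynchronous, so `set->tags_srcu` has to outlive every queued callback: the lines shown here do not show where pending callbacks are waited for before the tag set's SRCU state is torn down, and that pairing deserves a mention in the commit message or a comment next to this call.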

block/blk.h

Lines changed: 1 addition & 0 deletions
@@ -32,6 +32,7 @@ struct blk_flush_queue {
3232
struct list_head flush_queue[2];
3333
unsigned long flush_data_in_flight;
3434
struct request *flush_rq;
35+
struct rcu_head rcu_head;
3536
};
3637

3738
bool is_flush_rq(struct request *req);
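Review bot: the new `struct rcu_head rcu_head;` member at the end of `struct blk_flush_queue` has no comment, and none of the neighbouring fields hint at why the structure needs one. A trailing comment naming its single use, for example that it is only queued by `call_srcu()` from `blk_mq_exit_hctx()` for the deferred free, would keep later changes from reusing it for a second callback while the first may still be pending.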
