Commit 9210c07

Dongli Zhang authored and Christoph Hellwig committed
nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll()
There may be a race between nvme_reap_pending_cqes() and nvme_poll(), e.g., when doing live reset while polling the nvme device.

      CPU X                        CPU Y
                               nvme_poll()
nvme_dev_disable()
-> nvme_stop_queues()
-> nvme_suspend_io_queues()
-> nvme_suspend_queue()
                               -> spin_lock(&nvmeq->cq_poll_lock);
-> nvme_reap_pending_cqes()
   -> nvme_process_cq()        -> nvme_process_cq()

In the above scenario, the nvme_process_cq() for the same queue may be running on both CPU X and CPU Y concurrently.

It is much easier to reproduce the issue when CONFIG_PREEMPT is enabled in the kernel. When CONFIG_PREEMPT is disabled, it would take a longer time for nvme_stop_queues()-->blk_mq_quiesce_queue() to wait for the grace period.

This patch protects nvme_process_cq() with nvmeq->cq_poll_lock in nvme_reap_pending_cqes().

Fixes: fa46c6f ("nvme/pci: move cqe check after device shutdown")
Signed-off-by: Dongli Zhang <[email protected]>
Reviewed-by: Ming Lei <[email protected]>
Reviewed-by: Keith Busch <[email protected]>
Signed-off-by: Christoph Hellwig <[email protected]>
1 parent b69e2ef commit 9210c07

1 file changed, +7 -4 lines changed

drivers/nvme/host/pci.c

Lines changed: 7 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -1382,16 +1382,19 @@ static void nvme_disable_admin_queue(struct nvme_dev *dev, bool shutdown)
13821382

13831383
/*
13841384
* Called only on a device that has been disabled and after all other threads
1385-
* that can check this device's completion queues have synced. This is the
1386-
* last chance for the driver to see a natural completion before
1387-
* nvme_cancel_request() terminates all incomplete requests.
1385+
* that can check this device's completion queues have synced, except
1386+
* nvme_poll(). This is the last chance for the driver to see a natural
1387+
* completion before nvme_cancel_request() terminates all incomplete requests.
13881388
*/
13891389
static void nvme_reap_pending_cqes(struct nvme_dev *dev)
13901390
{
13911391
int i;
13921392

1393-
for (i = dev->ctrl.queue_count - 1; i > 0; i--)
1393+
for (i = dev->ctrl.queue_count - 1; i > 0; i--) {
1394+
spin_lock(&dev->queues[i].cq_poll_lock);
13941395
nvme_process_cq(&dev->queues[i]);
1396+
spin_unlock(&dev->queues[i].cq_poll_lock);
1397+
}
13951398
}
13961399

13971400
static int nvme_cmb_qdepth(struct nvme_dev *dev, int nr_io_queues,
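
Review bot: The updated comment above nvme_reap_pending_cqes() says other threads have synced "except nvme_poll()", but it never names cq_poll_lock as the thing that makes the loop safe against that one remaining caller. Suggest adding a sentence such as "nvme_poll() may still be running, so cq_poll_lock is held around nvme_process_cq()", so a later cleanup does not drop the lock as redundant on a disabled device. The lock is also taken with plain spin_lock() for every I/O queue (i > 0), which matches the spin_lock(&nvmeq->cq_poll_lock) shown for nvme_poll() in the commit message; the contexts this function is called from are not visible in this hunk, so it would help to state in the comment that the non-irqsave variant is intentional.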
