Commit 771f295a authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso

blk-mq: fix corruption with direct issue

Closes: #915666
parent 1966fd8d
......@@ -34,6 +34,9 @@ linux (4.19.7-1~exp1) UNRELEASED; urgency=medium
* debian/rules: Mark more targets as phony
* libcpupower: Hide private function and drop it from .symbols file
[ Salvatore Bonaccorso ]
* blk-mq: fix corruption with direct issue (Closes: #915666)
-- Uwe Kleine-König <> Wed, 28 Nov 2018 12:20:46 +0100
linux (4.19.5-1~exp1) experimental; urgency=medium
From: Jens Axboe <>
Date: Tue, 4 Dec 2018 20:06:48 -0700
Subject: blk-mq: fix corruption with direct issue
If we attempt a direct issue to a SCSI device, and it returns BUSY, then
we queue the request up normally. However, the SCSI layer may have
already setup SG tables etc for this particular command. If we later
merge with this request, then the old tables are no longer valid. Once
we issue the IO, we only read/write the original part of the request,
not the new state of it.
This causes data corruption, and is most often noticed with the file
system complaining about the just read data being invalid:
[ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256)
because most of it is garbage...
This doesn't happen from the normal issue path, as we will simply defer
the request to the hardware queue dispatch list if we fail. Once it's on
the dispatch list, we never merge with it.
Fix this from the direct issue path by flagging the request as
REQ_NOMERGE so we don't change the size of it before issue.
See also:
Tested-by: Guenter Roeck <>
Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'")
Signed-off-by: Jens Axboe <>
block/blk-mq.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 3f91c6e5b17a..3262d83b9e07 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
+ /*
+ * If direct dispatch fails, we cannot allow any merging on
+ * this IO. Drivers (like SCSI) may have set up permanent state
+ * for this request, like SG tables and mappings, and if we
+ * merge to it later on then we'll still only do IO to the
+ * original part.
+ */
+ rq->cmd_flags |= REQ_NOMERGE;
blk_mq_update_dispatch_busy(hctx, true);
@@ -1727,6 +1736,18 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
return ret;
+ * Don't allow direct dispatch of anything but regular reads/writes,
+ * as some of the other commands can potentially share request space
+ * with data we need for the IO scheduler. If we attempt a direct dispatch
+ * on those and fail, we can't safely add it to the scheduler afterwards
+ * without potentially overwriting data that the driver has already written.
+ */
+static bool blk_rq_can_direct_dispatch(struct request *rq)
+ return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
struct request *rq,
blk_qc_t *cookie,
@@ -1748,7 +1769,7 @@ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
goto insert;
- if (q->elevator && !bypass_insert)
+ if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
goto insert;
if (!blk_mq_get_dispatch_budget(hctx))
@@ -1810,6 +1831,9 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
struct request *rq = list_first_entry(list, struct request,
+ if (!blk_rq_can_direct_dispatch(rq))
+ break;
ret = blk_mq_request_issue_directly(rq);
if (ret != BLK_STS_OK) {
......@@ -91,6 +91,7 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
# Miscellaneous features
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment