NVMe induced NULL deref in bt_iter()
Sagi Grimberg
sagi at grimberg.me
Mon Jul 3 23:58:58 PDT 2017
> So it looks like it is still a normal release in the initiator.
>
> Per my experience, without quiescing the queue before
> blk_mq_tagset_busy_iter() for canceling requests, a request double free
> can be caused: one submitted req in .queue_rq can be completed in
> blk_mq_end_request(), and meanwhile it can be completed in
> nvme_cancel_request(). That is why we have to quiesce the queue
> first before canceling requests in this way. Except for NVMe, it looks
> like NBD and mtip32xx need a fix too.
Let me cook some patches for those as well...
More information about the Linux-nvme mailing list