From: Li Chen
To: Pankaj Gupta, Dan Williams, Vishal Verma, Dave Jiang, Ira Weiny, virtualization@lists.linux.dev, nvdimm@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: Li Chen
Subject: [PATCH v3 1/5] nvdimm: virtio_pmem: always wake -ENOSPC waiters
Date: Thu, 26 Feb 2026 10:57:06 +0800
Message-ID: <20260226025712.2236279-2-me@linux.beauty>
In-Reply-To: <20260226025712.2236279-1-me@linux.beauty>
References: <20260226025712.2236279-1-me@linux.beauty>

virtio_pmem_host_ack() reclaims virtqueue descriptors with virtqueue_get_buf(). The -ENOSPC waiter wakeup is tied to completing the returned token. If token completion is skipped for any reason, reclaimed descriptors may not wake a waiter and the submitter may sleep forever waiting for a free slot.

Always wake one -ENOSPC waiter for each virtqueue completion before touching the returned token.

Signed-off-by: Li Chen
---
v2->v3:
- Split out the waiter wakeup ordering change from READ_ONCE()/WRITE_ONCE() updates (now patch 2/5), per Pankaj's suggestion.

 drivers/nvdimm/nd_virtio.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c
index af82385be7c6..a1ad8d67ad2d 100644
--- a/drivers/nvdimm/nd_virtio.c
+++ b/drivers/nvdimm/nd_virtio.c
@@ -9,26 +9,33 @@ #include "virtio_pmem.h" #include "nd.h" =20 +static void virtio_pmem_wake_one_waiter(struct virtio_pmem *vpmem) +{ + struct virtio_pmem_request *req_buf; + + if (list_empty(&vpmem->req_list)) + return; + + req_buf =3D list_first_entry(&vpmem->req_list, + struct virtio_pmem_request, list); + req_buf->wq_buf_avail =3D true; + wake_up(&req_buf->wq_buf); + list_del(&req_buf->list); +} + /* The interrupt handler */ void virtio_pmem_host_ack(struct virtqueue *vq) { struct virtio_pmem *vpmem =3D vq->vdev->priv; - struct virtio_pmem_request *req_data, *req_buf; + struct virtio_pmem_request *req_data; unsigned long flags; unsigned int len; =20 spin_lock_irqsave(&vpmem->pmem_lock, flags); while ((req_data =3D virtqueue_get_buf(vq, &len)) !=3D NULL) { + virtio_pmem_wake_one_waiter(vpmem); req_data->done =3D true; wake_up(&req_data->host_acked); - - if (!list_empty(&vpmem->req_list)) { - req_buf =3D list_first_entry(&vpmem->req_list, - struct virtio_pmem_request, list); - req_buf->wq_buf_avail =3D true; - wake_up(&req_buf->wq_buf); - list_del(&req_buf->list); - } } spin_unlock_irqrestore(&vpmem->pmem_lock, flags); } --=20 2.52.0 From nobody Tue Apr 7 14:04:29 2026 Received: from sender4-op-o15.zoho.com (sender4-op-o15.zoho.com [136.143.188.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 78B68372B3D for ; Thu, 26 Feb 2026 02:57:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.188.15 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074668; cv=pass; b=SIz4DxssaSbBkC1cFLuLQ6UKKQ71HcDJ4E0ex0SSYMfD5xZvrW5PWWxG7cjhLF2BlxRsKfA+EcQy9RKOEJkY8Di2coErw8cO0uNT2cvTWatCpXEHBVDfgcFJDYPhn6Lfh3YvQq7Y7PAKcRjXiBJ2BZ21naWwQTHYCvI7s2Pe0Ec= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074668; c=relaxed/simple; 
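Review bot: In patch 1/5, the new virtio_pmem_wake_one_waiter() reads and modifies vpmem->req_list but neither documents nor checks that pmem_lock must be held; the only caller shown, virtio_pmem_host_ack(), takes the lock, but the helper is now a separate function that later patches can call from elsewhere. Add lockdep_assert_held(&vpmem->pmem_lock) as its first statement so a caller outside the lock is caught at runtime.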
From: Li Chen
To: Pankaj Gupta, Dan Williams, Vishal Verma, Dave Jiang, Ira Weiny, virtualization@lists.linux.dev, nvdimm@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: Li Chen
Subject: [PATCH v3 2/5] nvdimm: virtio_pmem: use READ_ONCE()/WRITE_ONCE() for wait flags
Date: Thu, 26 Feb 2026 10:57:07 +0800
Message-ID: <20260226025712.2236279-3-me@linux.beauty>
In-Reply-To: <20260226025712.2236279-1-me@linux.beauty>
References: <20260226025712.2236279-1-me@linux.beauty>

Use READ_ONCE()/WRITE_ONCE() for the wait_event() flags (done and wq_buf_avail). They are observed by waiters without pmem_lock, so make the accesses explicit single loads/stores and avoid compiler reordering/caching across the wait/wake paths.

Signed-off-by: Li Chen
---
v2->v3:
- Split out READ_ONCE()/WRITE_ONCE() updates from patch 1/5 (no functional change intended).

 drivers/nvdimm/nd_virtio.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c
index a1ad8d67ad2d..ada0c679cf2e 100644
--- a/drivers/nvdimm/nd_virtio.c
+++ b/drivers/nvdimm/nd_virtio.c
@@ -18,9 +18,9 @@ static void virtio_pmem_wake_one_waiter(struct virtio_pme= m *vpmem) =20 req_buf =3D list_first_entry(&vpmem->req_list, struct virtio_pmem_request, list); - req_buf->wq_buf_avail =3D true; + list_del_init(&req_buf->list); + WRITE_ONCE(req_buf->wq_buf_avail, true); wake_up(&req_buf->wq_buf); - list_del(&req_buf->list); } =20 /* The interrupt handler */ @@ -34,7 +34,7 @@ void virtio_pmem_host_ack(struct virtqueue *vq) spin_lock_irqsave(&vpmem->pmem_lock, flags); while ((req_data =3D virtqueue_get_buf(vq, &len)) !=3D NULL) { virtio_pmem_wake_one_waiter(vpmem); - req_data->done =3D true; + WRITE_ONCE(req_data->done, true); wake_up(&req_data->host_acked); } spin_unlock_irqrestore(&vpmem->pmem_lock, flags); @@ -66,7 +66,7 @@ static int virtio_pmem_flush(struct nd_region *nd_region) if (!req_data) return -ENOMEM; =20 - req_data->done =3D false; + WRITE_ONCE(req_data->done, false); init_waitqueue_head(&req_data->host_acked); init_waitqueue_head(&req_data->wq_buf); INIT_LIST_HEAD(&req_data->list); @@ -87,12 +87,12 @@ static int virtio_pmem_flush(struct nd_region *nd_regio= n) GFP_ATOMIC)) =3D=3D -ENOSPC) { =20 dev_info(&vdev->dev, "failed to send command to virtio pmem device, no f= ree slots in the virtqueue\n"); - req_data->wq_buf_avail =3D false; + WRITE_ONCE(req_data->wq_buf_avail, false); list_add_tail(&req_data->list, &vpmem->req_list); spin_unlock_irqrestore(&vpmem->pmem_lock, flags); =20 /* A host response results in "host_ack" getting called */ - wait_event(req_data->wq_buf, req_data->wq_buf_avail); + wait_event(req_data->wq_buf, READ_ONCE(req_data->wq_buf_avail)); spin_lock_irqsave(&vpmem->pmem_lock, flags); } err1 =3D virtqueue_kick(vpmem->req_vq); 
@@ -106,7 +106,7 @@ static int virtio_pmem_flush(struct nd_region *nd_regio= n) err =3D -EIO; } else { /* A host response results in "host_ack" getting called */ - wait_event(req_data->host_acked, req_data->done); + wait_event(req_data->host_acked, READ_ONCE(req_data->done)); err =3D le32_to_cpu(req_data->resp.ret); } =20 --=20 2.52.0 From nobody Tue Apr 7 14:04:29 2026 Received: from sender4-op-o15.zoho.com (sender4-op-o15.zoho.com [136.143.188.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 12B6E37104C; Thu, 26 Feb 2026 02:57:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.188.15 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074678; cv=pass; b=CJ07v+7FfZ+hVTFOY6SR2WiZq2wzpkjaVR2GmFIAI0vf6JW4TO4Bmug+jenzwaT6kC7yhecOQOmLtfeWQCbc2rgecgBxONc02j0u7SE52oraS/+pXMLvAOfuiKesh/DvT4AJ1iBLxKi/LHdn9z8SQAr8lyNChesyw5GYs9akTNI= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074678; c=relaxed/simple; bh=O/LisHOxnvsb5Dqd5u8jcdfT+/3yN1d88jMC2Se/cfw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LOuze79zpYTN/TEugVmC56RQBt+JDgaCt/Wwz8+hDwlH52UbZ1eNJ5e7P9clJ8zJ9dIgVTmAYci+0UO0MY69jrNiYP2gf5/9iTgpDx1ij1lhH7NxdLNCndyCc1JpkteSVzK+iIVAPTtyTD/aiTmaFiOzSyCpbJeOAWRJdBX+A+Q= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty; spf=pass smtp.mailfrom=linux.beauty; dkim=pass (1024-bit key) header.d=linux.beauty header.i=me@linux.beauty header.b=tY+f45iX; arc=pass smtp.client-ip=136.143.188.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.beauty Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.beauty 
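Review bot: In patch 2/5, hunk @@ -18,9 +18,9 @@ (virtio_pmem_wake_one_waiter()), list_del() becomes list_del_init() and moves ahead of the flag store and wake_up(), which goes beyond the READ_ONCE()/WRITE_ONCE() conversion that the changelog describes as "no functional change intended". Either move the list change into patch 1/5, which introduces the helper, or explain in this commit message why the entry has to be unlinked and re-initialised before the waiter is woken.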
From: Li Chen
To: Pankaj Gupta, Dan Williams, Vishal Verma, Dave Jiang, Ira Weiny, Cornelia Huck, "Michael S. Tsirkin", Jakub Staron, virtualization@lists.linux.dev, nvdimm@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Li Chen
Subject: [PATCH v3 3/5] nvdimm: virtio_pmem: refcount requests for token lifetime
Date: Thu, 26 Feb 2026 10:57:08 +0800
Message-ID: <20260226025712.2236279-4-me@linux.beauty>
In-Reply-To: <20260226025712.2236279-1-me@linux.beauty>
References: <20260226025712.2236279-1-me@linux.beauty>

KASAN reports slab-use-after-free in __wake_up_common():

BUG: KASAN: slab-use-after-free in __wake_up_common+0x114/0x160
Read of size 8 at addr ffff88810fdcb710 by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-next-20260220-00006-g1eae5f204ec3 #4 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x6d/0xb0
 print_report+0x170/0x4e2
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? __virt_addr_valid+0x1dc/0x380
 kasan_report+0xbc/0xf0
 ? __wake_up_common+0x114/0x160
 ? __wake_up_common+0x114/0x160
 __wake_up_common+0x114/0x160
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 __wake_up+0x36/0x60
 virtio_pmem_host_ack+0x11d/0x3b0
 ? sched_balance_domains+0x29f/0xb00
 ? __pfx_virtio_pmem_host_ack+0x10/0x10
 ? _raw_spin_lock_irqsave+0x98/0x100
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 vring_interrupt+0x1c9/0x5e0
 ? __pfx_vp_interrupt+0x10/0x10
 vp_vring_interrupt+0x87/0x100
 ? __pfx_vp_interrupt+0x10/0x10
 __handle_irq_event_percpu+0x17f/0x550
 ?
__pfx__raw_spin_lock+0x10/0x10 handle_irq_event+0xab/0x1c0 handle_fasteoi_irq+0x276/0xae0 __common_interrupt+0x65/0x130 common_interrupt+0x78/0xa0 virtio_pmem_host_ack() wakes a request that has already been freed by the submitter. This happens when the request token is still reachable via the virtqueue, but virtio_pmem_flush() returns and frees it. Fix the token lifetime by refcounting struct virtio_pmem_request. virtio_pmem_flush() holds a submitter reference, and the virtqueue holds an extra reference once the request is queued. The completion path drops the virtqueue reference, and the submitter drops its reference before returning. Fixes: 6e84200c0a29 ("virtio-pmem: Add virtio pmem driver") Cc: stable@vger.kernel.org Signed-off-by: Li Chen --- v2->v3: - Add raw KASAN report to the patch description. drivers/nvdimm/nd_virtio.c | 34 +++++++++++++++++++++++++++++----- drivers/nvdimm/virtio_pmem.h | 2 ++ 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c index ada0c679cf2e..d0bf213d8caf 100644 --- a/drivers/nvdimm/nd_virtio.c +++ b/drivers/nvdimm/nd_virtio.c @@ -9,6 +9,14 @@ #include "virtio_pmem.h" #include "nd.h" =20 +static void virtio_pmem_req_release(struct kref *kref) +{ + struct virtio_pmem_request *req; + + req =3D container_of(kref, struct virtio_pmem_request, kref); + kfree(req); +} + static void virtio_pmem_wake_one_waiter(struct virtio_pmem *vpmem) { struct virtio_pmem_request *req_buf; @@ -36,6 +44,7 @@ void virtio_pmem_host_ack(struct virtqueue *vq) virtio_pmem_wake_one_waiter(vpmem); WRITE_ONCE(req_data->done, true); wake_up(&req_data->host_acked); + kref_put(&req_data->kref, virtio_pmem_req_release); } spin_unlock_irqrestore(&vpmem->pmem_lock, flags); } 
@@ -66,6 +75,7 @@ static int virtio_pmem_flush(struct nd_region *nd_region) if (!req_data) return -ENOMEM; =20 + kref_init(&req_data->kref); WRITE_ONCE(req_data->done, false); init_waitqueue_head(&req_data->host_acked); init_waitqueue_head(&req_data->wq_buf); @@ -83,10 +93,23 @@ static int virtio_pmem_flush(struct nd_region *nd_regio= n) * to req_list and wait for host_ack to wake us up when free * slots are available. */ - while ((err =3D virtqueue_add_sgs(vpmem->req_vq, sgs, 1, 1, req_data, - GFP_ATOMIC)) =3D=3D -ENOSPC) { - - dev_info(&vdev->dev, "failed to send command to virtio pmem device, no f= ree slots in the virtqueue\n"); + for (;;) { + err =3D virtqueue_add_sgs(vpmem->req_vq, sgs, 1, 1, req_data, + GFP_ATOMIC); + if (!err) { + /* + * Take the virtqueue reference while @pmem_lock is + * held so completion cannot run concurrently. + */ + kref_get(&req_data->kref); + break; + } + + if (err !=3D -ENOSPC) + break; + + dev_info_ratelimited(&vdev->dev, + "failed to send command to virtio pmem device, no free slots in t= he virtqueue\n"); WRITE_ONCE(req_data->wq_buf_avail, false); list_add_tail(&req_data->list, &vpmem->req_list); spin_unlock_irqrestore(&vpmem->pmem_lock, flags); @@ -95,6 +118,7 @@ static int virtio_pmem_flush(struct nd_region *nd_region) wait_event(req_data->wq_buf, READ_ONCE(req_data->wq_buf_avail)); spin_lock_irqsave(&vpmem->pmem_lock, flags); } + err1 =3D virtqueue_kick(vpmem->req_vq); spin_unlock_irqrestore(&vpmem->pmem_lock, flags); /* @@ -110,7 +134,7 @@ static int virtio_pmem_flush(struct nd_region *nd_regio= n) err =3D le32_to_cpu(req_data->resp.ret); } =20 - kfree(req_data); + kref_put(&req_data->kref, virtio_pmem_req_release); return err; }; =20 diff --git a/drivers/nvdimm/virtio_pmem.h b/drivers/nvdimm/virtio_pmem.h index f72cf17f9518..1017e498c9b4 100644 --- a/drivers/nvdimm/virtio_pmem.h +++ b/drivers/nvdimm/virtio_pmem.h 
@@ -12,11 +12,13 @@ =20 #include #include +#include #include #include #include =20 struct virtio_pmem_request { + struct kref kref; struct virtio_pmem_req req; struct virtio_pmem_resp resp; =20 --=20 2.52.0 From nobody Tue Apr 7 14:04:29 2026 Received: from sender4-op-o15.zoho.com (sender4-op-o15.zoho.com [136.143.188.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65B88385531 for ; Thu, 26 Feb 2026 02:58:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.188.15 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074683; cv=pass; b=ptTmolQuB+XhsvNbOFhVeIBPS/1lcgdA0PHtlW/JJ+KRj8+/AHagPR0cDP29z5Xs+X3FJBNUP6AAcbVqyhVgsqyL2yqr2Y0OvF6QlpeDByuf9tUvv2j6Q6RL6wuiqY9U2GeefnUtEzXlXjc5vS4EkjEhJ8mvpDKVf5hBxf8aMtg= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074683; c=relaxed/simple; bh=elU91PbJP9nNAoNweoVHyYXsTEP00Q5mA9Ti6lDe5vI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EY25PaBENH/IzDXhEPq1MxcXNi1TPPdGnuQeOumzjQTA8Kmw2Mh77Jl15V7Skq7Ite4+TzBTqb9jwPxcypHMuk971NjZ7CCImkH7HbHkCd+lmv1YfM/2hJY9eIz4KbJtfRx54D8DwJBilhFuxaJi8qMNTNDiPI2LmmUS0Xx5/Sg= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty; spf=pass smtp.mailfrom=linux.beauty; dkim=pass (1024-bit key) header.d=linux.beauty header.i=me@linux.beauty header.b=QQ9s+NWz; arc=pass smtp.client-ip=136.143.188.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.beauty Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.beauty header.i=me@linux.beauty header.b="QQ9s+NWz" ARC-Seal: i=1; a=rsa-sha256; t=1772074663; cv=none; d=zohomail.com; s=zohoarc; 
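Review bot: In patch 3/5, hunk @@ -83,10 +93,23 @@ of virtio_pmem_flush(), the switch from dev_info() to dev_info_ratelimited() is unrelated to the token lifetime fix and is not mentioned in the commit message; because this patch is Cc'd to stable, split it out or call it out in the changelog. It would also help to name the return path that frees a still-queued token: from the visible code that is the `if (err || !err1)` branch, taken when virtqueue_kick() fails after virtqueue_add_sgs() has already succeeded.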
From: Li Chen
To: Pankaj Gupta, Dan Williams, Vishal Verma, Dave Jiang, Ira Weiny, virtualization@lists.linux.dev, nvdimm@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: Li Chen
Subject: [PATCH v3 4/5] nvdimm: virtio_pmem: converge broken virtqueue to -EIO
Date: Thu, 26 Feb 2026 10:57:09 +0800
Message-ID: <20260226025712.2236279-5-me@linux.beauty>
In-Reply-To: <20260226025712.2236279-1-me@linux.beauty>
References: <20260226025712.2236279-1-me@linux.beauty>

dmesg reports virtqueue failure and device reset:

virtio_pmem virtio2: failed to send command to virtio pmem device, no free slots in the virtqueue
virtio_pmem virtio2: virtio pmem device needs a reset

virtio_pmem_flush() waits for either a free virtqueue descriptor (-ENOSPC) or a host completion. If the request virtqueue becomes broken (e.g. virtqueue_kick() notify failure), those waiters may never make progress.

Track a device-level broken state and converge all error paths to -EIO. Fail fast for new requests, wake all -ENOSPC waiters, and drain/detach outstanding request tokens to complete them with an error.

Closes: https://lore.kernel.org/oe-kbuild-all/202512250116.ewtzlD0g-lkp@intel.com/
Signed-off-by: Li Chen
---
v2->v3:
- Add raw dmesg excerpt to the patch description.
- Fold the CONFIG_VIRTIO_PMEM=m export fix into this patch.

 drivers/nvdimm/nd_virtio.c   | 76 +++++++++++++++++++++++++++++++++---
 drivers/nvdimm/virtio_pmem.c |  7 ++++
 drivers/nvdimm/virtio_pmem.h |  4 ++
 3 files changed, 81 insertions(+), 6 deletions(-)

diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c
index d0bf213d8caf..7a62aa7ce254 100644
--- a/drivers/nvdimm/nd_virtio.c
+++ b/drivers/nvdimm/nd_virtio.c
@@ -17,6 +17,18 @@ static void virtio_pmem_req_release(struct kref *kref) kfree(req); } =20 +static void virtio_pmem_signal_done(struct virtio_pmem_request *req) +{ + WRITE_ONCE(req->done, true); + wake_up(&req->host_acked); +} + +static void virtio_pmem_complete_err(struct virtio_pmem_request *req) +{ + req->resp.ret =3D cpu_to_le32(1); + virtio_pmem_signal_done(req); +} + static void virtio_pmem_wake_one_waiter(struct virtio_pmem *vpmem) { struct virtio_pmem_request *req_buf; @@ -31,6 +43,41 @@ static void virtio_pmem_wake_one_waiter(struct virtio_pm= em *vpmem) wake_up(&req_buf->wq_buf); } =20 +static void virtio_pmem_wake_all_waiters(struct virtio_pmem *vpmem) +{ + struct virtio_pmem_request *req, *tmp; + + list_for_each_entry_safe(req, tmp, &vpmem->req_list, list) { + WRITE_ONCE(req->wq_buf_avail, true); + wake_up(&req->wq_buf); + list_del_init(&req->list); + } +} + +void virtio_pmem_mark_broken_and_drain(struct virtio_pmem *vpmem) +{ + struct virtio_pmem_request *req; + unsigned int len; + + if (READ_ONCE(vpmem->broken)) + return; + + WRITE_ONCE(vpmem->broken, true); + dev_err_once(&vpmem->vdev->dev, "virtqueue is broken\n"); + virtio_pmem_wake_all_waiters(vpmem); + + while ((req =3D virtqueue_get_buf(vpmem->req_vq, &len)) !=3D NULL) { + virtio_pmem_complete_err(req); + kref_put(&req->kref, virtio_pmem_req_release); + } + + while ((req =3D virtqueue_detach_unused_buf(vpmem->req_vq)) !=3D NULL) { + virtio_pmem_complete_err(req); + kref_put(&req->kref, virtio_pmem_req_release); + } +} +EXPORT_SYMBOL_GPL(virtio_pmem_mark_broken_and_drain); + /* The interrupt handler */ void virtio_pmem_host_ack(struct virtqueue *vq) { 
@@ -42,8 +89,7 @@ void virtio_pmem_host_ack(struct virtqueue *vq) spin_lock_irqsave(&vpmem->pmem_lock, flags); while ((req_data =3D virtqueue_get_buf(vq, &len)) !=3D NULL) { virtio_pmem_wake_one_waiter(vpmem); - WRITE_ONCE(req_data->done, true); - wake_up(&req_data->host_acked); + virtio_pmem_signal_done(req_data); kref_put(&req_data->kref, virtio_pmem_req_release); } spin_unlock_irqrestore(&vpmem->pmem_lock, flags); @@ -71,6 +117,9 @@ static int virtio_pmem_flush(struct nd_region *nd_region) return -EIO; } =20 + if (READ_ONCE(vpmem->broken)) + return -EIO; + req_data =3D kmalloc(sizeof(*req_data), GFP_KERNEL); if (!req_data) return -ENOMEM; 
@@ -115,22 +164,37 @@ static int virtio_pmem_flush(struct nd_region *nd_reg= ion) spin_unlock_irqrestore(&vpmem->pmem_lock, flags); =20 /* A host response results in "host_ack" getting called */ - wait_event(req_data->wq_buf, READ_ONCE(req_data->wq_buf_avail)); + wait_event(req_data->wq_buf, + READ_ONCE(req_data->wq_buf_avail) || + READ_ONCE(vpmem->broken)); spin_lock_irqsave(&vpmem->pmem_lock, flags); + + if (READ_ONCE(vpmem->broken)) + break; } =20 - err1 =3D virtqueue_kick(vpmem->req_vq); + if (err =3D=3D -EIO || virtqueue_is_broken(vpmem->req_vq)) + virtio_pmem_mark_broken_and_drain(vpmem); + + err1 =3D true; + if (!err && !READ_ONCE(vpmem->broken)) { + err1 =3D virtqueue_kick(vpmem->req_vq); + if (!err1) + virtio_pmem_mark_broken_and_drain(vpmem); + } spin_unlock_irqrestore(&vpmem->pmem_lock, flags); /* * virtqueue_add_sgs failed with error different than -ENOSPC, we can't * do anything about that. */ - if (err || !err1) { + if (READ_ONCE(vpmem->broken) || err || !err1) { dev_info(&vdev->dev, "failed to send command to virtio pmem device\n"); err =3D -EIO; } else { /* A host response results in "host_ack" getting called */ - wait_event(req_data->host_acked, READ_ONCE(req_data->done)); + wait_event(req_data->host_acked, + READ_ONCE(req_data->done) || + READ_ONCE(vpmem->broken)); err =3D le32_to_cpu(req_data->resp.ret); } =20 diff --git a/drivers/nvdimm/virtio_pmem.c b/drivers/nvdimm/virtio_pmem.c index 77b196661905..c5caf11a479a 100644 --- a/drivers/nvdimm/virtio_pmem.c +++ b/drivers/nvdimm/virtio_pmem.c @@ -25,6 +25,7 @@ static int init_vq(struct virtio_pmem *vpmem) =20 spin_lock_init(&vpmem->pmem_lock); INIT_LIST_HEAD(&vpmem->req_list); + WRITE_ONCE(vpmem->broken, false); =20 return 0; }; 
@@ -138,6 +139,12 @@ static int virtio_pmem_probe(struct virtio_device *vde= v) static void virtio_pmem_remove(struct virtio_device *vdev) { struct nvdimm_bus *nvdimm_bus =3D dev_get_drvdata(&vdev->dev); + struct virtio_pmem *vpmem =3D vdev->priv; + unsigned long flags; + + spin_lock_irqsave(&vpmem->pmem_lock, flags); + virtio_pmem_mark_broken_and_drain(vpmem); + spin_unlock_irqrestore(&vpmem->pmem_lock, flags); =20 nvdimm_bus_unregister(nvdimm_bus); vdev->config->del_vqs(vdev); diff --git a/drivers/nvdimm/virtio_pmem.h b/drivers/nvdimm/virtio_pmem.h index 1017e498c9b4..e1a46abb9483 100644 --- a/drivers/nvdimm/virtio_pmem.h +++ b/drivers/nvdimm/virtio_pmem.h @@ -48,6 +48,9 @@ struct virtio_pmem { /* List to store deferred work if virtqueue is full */ struct list_head req_list; =20 + /* Fail fast and wake waiters if the request virtqueue is broken. */ + bool broken; + /* Synchronize virtqueue data */ spinlock_t pmem_lock; =20 
@@ -57,5 +60,6 @@ struct virtio_pmem { }; =20 void virtio_pmem_host_ack(struct virtqueue *vq); +void virtio_pmem_mark_broken_and_drain(struct virtio_pmem *vpmem); int async_pmem_flush(struct nd_region *nd_region, struct bio *bio); #endif --=20 2.52.0 From nobody Tue Apr 7 14:04:29 2026 Received: from sender4-op-o15.zoho.com (sender4-op-o15.zoho.com [136.143.188.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C9813815F4 for ; Thu, 26 Feb 2026 02:58:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=136.143.188.15 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074689; cv=pass; b=XSi6FxzzN3jaTD/bWGdAgGxzFSxwrFAeCD+2ILaVqYVKeG0tKOjYG81ajrNcqoe/2Yoi0IrtgwrdPDglvfVcCJ3ke1s0RXwt6ojdo6Xr/0DYaioloYH4X72PkpjxxXx6v3VikX1xWHvllzpE/fu9HT+QQ37H7Maod87lbNZtdts= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772074689; c=relaxed/simple; bh=eVpgaiBDEYmba0hqSGqHQNqluD5rnt1oRmsHZ330I00=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GUr+kg5s+q3b6wnIjtcR+DAX4kBx7V5PXqFH4XW05UXAlrSM6moWvjEOzYQdjEzW2GPDlNlXpFy3mF+hGDWCmA0qBs9ImcLsz6XbPgtxvjzheuamMjkYeVg8Dlkrh1TicvqblxR64Iav9cv/FQPRqeKoD334xpnLrbSsoDmC6i4= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty; spf=pass smtp.mailfrom=linux.beauty; dkim=pass (1024-bit key) header.d=linux.beauty header.i=me@linux.beauty header.b=EuzQAdEW; arc=pass smtp.client-ip=136.143.188.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.beauty Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.beauty Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.beauty header.i=me@linux.beauty header.b="EuzQAdEW" ARC-Seal: i=1; a=rsa-sha256; 
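Review bot: In patch 4/5, hunk @@ -31,6 +43,41 @@, virtio_pmem_mark_broken_and_drain() calls virtqueue_detach_unused_buf() and then kref_put() on each token while the device has not been reset: in virtio_pmem_freeze() (patch 5/5) the drain runs before virtio_reset_device(), and the call from virtio_pmem_flush() has no reset at all. virtqueue_detach_unused_buf() is documented as not valid on an active queue, and once the last reference is dropped the device can still hold a descriptor that points at the freed req/resp buffers. Reset the device before detaching, or keep the virtqueue reference until the reset has happened. The function should also carry lockdep_assert_held(&vpmem->pmem_lock), since every caller shown takes the lock first.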
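Review bot: In patch 4/5, hunk @@ -115,22 +164,37 @@ of virtio_pmem_flush(), the final wait_event() can now return because vpmem->broken is set while req_data->done is still false, and the next statement, `err = le32_to_cpu(req_data->resp.ret);`, then reads a field of a kmalloc()'d request that may never have been written. Even when the request was drained, the value read back is the 1 stored by virtio_pmem_complete_err(), so virtio_pmem_flush() returns 1 rather than the -EIO the commit message promises. Re-check the broken flag after the wait and set err = -EIO explicitly, and replace the bare cpu_to_le32(1) with a named constant or a comment.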
From: Li Chen
To: Pankaj Gupta, Dan Williams, Vishal Verma, Dave Jiang, Ira Weiny, virtualization@lists.linux.dev, nvdimm@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: Li Chen
Subject: [PATCH v3 5/5] nvdimm: virtio_pmem: drain requests in freeze
Date: Thu, 26 Feb 2026 10:57:10 +0800
Message-ID: <20260226025712.2236279-6-me@linux.beauty>
In-Reply-To: <20260226025712.2236279-1-me@linux.beauty>
References: <20260226025712.2236279-1-me@linux.beauty>

virtio_pmem_freeze() deletes virtqueues and resets the device without waking threads waiting for a virtqueue descriptor or a host completion. Mark the request virtqueue broken and drain outstanding requests under pmem_lock before teardown so waiters can make progress and return -EIO.

Signed-off-by: Li Chen
---
v2->v3:
- No change.

 drivers/nvdimm/virtio_pmem.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/nvdimm/virtio_pmem.c b/drivers/nvdimm/virtio_pmem.c index c5caf11a479a..663a60686fbd 100644 --- a/drivers/nvdimm/virtio_pmem.c +++ b/drivers/nvdimm/virtio_pmem.c @@ -153,6 +153,13 @@ static void virtio_pmem_remove(struct virtio_device *v= dev) =20 static int virtio_pmem_freeze(struct virtio_device *vdev) { + struct virtio_pmem *vpmem =3D vdev->priv; + unsigned long flags; + + spin_lock_irqsave(&vpmem->pmem_lock, flags); + virtio_pmem_mark_broken_and_drain(vpmem); + spin_unlock_irqrestore(&vpmem->pmem_lock, flags); + vdev->config->del_vqs(vdev); virtio_reset_device(vdev); =20 --=20 2.52.0
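Review bot: in the virtio_pmem_freeze() hunk, the broken flag is set on suspend but this patch (7 insertions, all in freeze) does not touch the restore path, so it is not visible where vpmem->broken is cleared again. If nothing resets it after the virtqueue is re-created, every flush after resume would keep failing with -EIO. Please either clear the flag under pmem_lock in the restore callback or explain in the commit message where that happens. Separately, the lock/drain/unlock sequence is now identical to the one added to virtio_pmem_remove() in 4/5; a small helper that takes pmem_lock itself would avoid the duplication.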