[PATCH] block: fully initialize queue in blk_mq_init_allocated_queue

From: Sergey Senozhatsky
Date: Fri Mar 13 2015 - 05:30:42 EST

Next message: Vinod Koul: "Re: [PATCH v3 0/2] dma: at_hdmac: Fix residue calculation and add mem to"
Previous message: Maxime Ripard: "Re: [PATCH resend v4] phy: Add driver to support individual USB PHYs on sun9i"
Next in thread: Mike Snitzer: "Re: block: fully initialize queue in blk_mq_init_allocated_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Commit c9e8c91f8a279b87eb0d94b037504ea9fc1bef7c
Author: Mike Snitzer <snitzer@xxxxxxxxxx>
Date: Tue Mar 10 15:54:41 2015 -0400

blk-mq: fix use of incorrect goto label in blk_mq_init_queue error path

for some reason has moved queue allocation 'q = blk_alloc_queue_node()'
after 'percpu_ref_init(&q->mq_usage_counter...)', so we are doing percpu
init on something that is not a request_queue.

Further commit 716452cd27b145d611e4399e7cc35df6c943686e
Author: Mike Snitzer <snitzer@xxxxxxxxxx>
Date: Tue Mar 10 17:20:20 2015 -0400

blk-mq: add blk_mq_init_allocated_queue and export

has introduced abother issue.
In blk_mq_init_queue() we allocate new request_queue:

uninit_q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
if (!uninit_q)
return ERR_PTR(-ENOMEM);

and pass `uninit_q' as a 'request_queue *q' parameter to
blk_mq_init_allocated_queue():

q = blk_mq_init_allocated_queue(set, uninit_q);

blk_mq_init_allocated_queue(), however, firstly use passed `uninit_q' to init
its percpu, but then it allocates a new request_queue and returns it back,
not being properly initialized:

blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, struct request_queue *q)
[..]
if (percpu_ref_init(&q->mq_usage_counter, blk_mq_usage_counter_release,
PERCPU_REF_INIT_ATOMIC, GFP_KERNEL))
goto err_hctxs;

q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
if (!q)
goto err_hctxs;

[..]
return q;

Which eventually leads to different problems, including a NULL pointer
dereference.

Remove blk_alloc_queue_node() from blk_mq_init_allocated_queue() and use
supplied request_queue.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@xxxxxxxxx>
---
block/blk-mq.c | 4 ----
1 file changed, 4 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index b838dfc..59fa239 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1955,10 +1955,6 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
PERCPU_REF_INIT_ATOMIC, GFP_KERNEL))
goto err_hctxs;

- q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
- if (!q)
- goto err_hctxs;
-
setup_timer(&q->timeout, blk_mq_rq_timer, (unsigned long) q);
blk_queue_rq_timeout(q, 30000);

--
2.3.2.223.g7a9409c

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vinod Koul: "Re: [PATCH v3 0/2] dma: at_hdmac: Fix residue calculation and add mem to"
Previous message: Maxime Ripard: "Re: [PATCH resend v4] phy: Add driver to support individual USB PHYs on sun9i"
Next in thread: Mike Snitzer: "Re: block: fully initialize queue in blk_mq_init_allocated_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]