Date:	Sun,  1 Dec 2013 17:27:57 +0800
From:	Ming Lei <tom.leiming@...il.com>
To:	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Ming Lei <tom.leiming@...il.com>, Jens Axboe <axboe@...nel.dk>
Subject: [PATCH] block: fix mq request allocation

blk_mq_alloc_request_pinned() may return a NULL request when
__GFP_WAIT is not set, which causes its callers to dereference a NULL
pointer when releasing the current context.

This patch introduces two flags to address the issue.

Cc: Jens Axboe <axboe@...nel.dk>
Signed-off-by: Ming Lei <tom.leiming@...il.com>
---
 block/blk-mq.c |   27 ++++++++++++++++-----------
 block/blk-mq.h |    3 +++
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index fb9ffdb..6875736 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -188,26 +188,32 @@ static struct request *__blk_mq_alloc_request(struct blk_mq_hw_ctx *hctx,
 
 static struct request *blk_mq_alloc_request_pinned(struct request_queue *q,
 						   int rw, gfp_t gfp,
-						   bool reserved)
+						   unsigned int flags)
 {
 	struct request *rq;
+	struct blk_mq_ctx *ctx;
+	struct blk_mq_hw_ctx *hctx;
 
 	do {
-		struct blk_mq_ctx *ctx = blk_mq_get_ctx(q);
-		struct blk_mq_hw_ctx *hctx = q->mq_ops->map_queue(q, ctx->cpu);
+		ctx = blk_mq_get_ctx(q);
+		hctx = q->mq_ops->map_queue(q, ctx->cpu);
 
-		rq = __blk_mq_alloc_request(hctx, gfp & ~__GFP_WAIT, reserved);
+		rq = __blk_mq_alloc_request(hctx, gfp & ~__GFP_WAIT,
+				!!(flags & MQ_ALLOC_RESERVED));
 		if (rq) {
 			blk_mq_rq_ctx_init(q, ctx, rq, rw);
-			break;
+			goto exit;
 		} else if (!(gfp & __GFP_WAIT))
-			break;
+			goto exit;
 
 		blk_mq_put_ctx(ctx);
 		__blk_mq_run_hw_queue(hctx);
 		blk_mq_wait_for_tags(hctx->tags);
 	} while (1);
 
+exit:
+	if (!(flags & MQ_ALLOC_HOLD_CTX))
+		blk_mq_put_ctx(ctx);
 	return rq;
 }
 
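Review bot: At the `exit:` label the context stays held whenever `MQ_ALLOC_HOLD_CTX` is set, including when `rq` is NULL because the caller did not pass `__GFP_WAIT`; such a caller has no `rq->mq_ctx` left to release it from. The only HOLD_CTX caller visible in this patch passes `__GFP_WAIT`, so the problem is latent, but the condition would be safer as `if (!rq || !(flags & MQ_ALLOC_HOLD_CTX))`. A comment above the function stating that a non-NULL return with HOLD_CTX comes with the ctx still held would make the ownership rule explicit.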
@@ -219,8 +225,8 @@ struct request *blk_mq_alloc_request(struct request_queue *q, int rw,
 	if (blk_mq_queue_enter(q))
 		return NULL;
 
-	rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved);
-	blk_mq_put_ctx(rq->mq_ctx);
+	rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved ?
+			MQ_ALLOC_RESERVED : 0);
 	return rq;
 }
 
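Review bot: When `blk_mq_alloc_request_pinned()` returns NULL here, the function returns after a successful `blk_mq_queue_enter(q)` with nothing to undo it; the same applies to `blk_mq_alloc_reserved_request()` in the next hunk. If the enter is normally balanced when the request is freed (that code is outside this patch), a failed non-waiting allocation would leave the queue's usage count elevated. Consider `if (!rq) blk_mq_queue_exit(q);` before `return rq;`, assuming that helper is the matching exit. The function starts above the hunk.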
@@ -232,8 +238,7 @@ struct request *blk_mq_alloc_reserved_request(struct request_queue *q, int rw,
 	if (blk_mq_queue_enter(q))
 		return NULL;
 
-	rq = blk_mq_alloc_request_pinned(q, rw, gfp, true);
-	blk_mq_put_ctx(rq->mq_ctx);
+	rq = blk_mq_alloc_request_pinned(q, rw, gfp, MQ_ALLOC_RESERVED);
 	return rq;
 }
 EXPORT_SYMBOL(blk_mq_alloc_reserved_request);
@@ -890,7 +895,7 @@ static void blk_mq_make_request(struct request_queue *q, struct bio *bio)
 		blk_mq_put_ctx(ctx);
 		trace_block_sleeprq(q, bio, rw);
 		rq = blk_mq_alloc_request_pinned(q, rw, __GFP_WAIT|GFP_ATOMIC,
-							false);
+							MQ_ALLOC_HOLD_CTX);
 		ctx = rq->mq_ctx;
 		hctx = q->mq_ops->map_queue(q, ctx->cpu);
 	}
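Review bot: `ctx = rq->mq_ctx;` dereferences the result unchecked, which is only safe because `__GFP_WAIT` makes the allocation loop until it succeeds. That dependency deserves a comment ahead of the call, e.g. `/* __GFP_WAIT: never returns NULL; ctx is returned still held */`. Combining `__GFP_WAIT` with `GFP_ATOMIC` also reads oddly and might warrant a word in the same comment. The surrounding function begins and ends outside the hunk.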
diff --git a/block/blk-mq.h b/block/blk-mq.h
index 5761eed..998911e 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -22,6 +22,9 @@ struct blk_mq_ctx {
 	struct kobject		kobj;
 };
 
+#define MQ_ALLOC_RESERVED	(1U << 0)
+#define MQ_ALLOC_HOLD_CTX	(1U << 1)
+
 void __blk_mq_end_io(struct request *rq, int error);
 void blk_mq_complete_request(struct request *rq, int error);
 void blk_mq_run_request(struct request *rq, bool run_queue, bool async);
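Review bot: The two new flags have no comment, and `MQ_ALLOC_HOLD_CTX` changes who releases the context, a contract a later caller can easily get wrong and end up with an unbalanced get/put. I would add `/* flags for blk_mq_alloc_request_pinned() */` above them and, on the HOLD_CTX line, `/* return with the ctx still held; caller must blk_mq_put_ctx() */`.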
-- 
1.7.9.5
