Open Source and information security mailing list archives
Message-Id: <1426239050-2528-1-git-send-email-sergey.senozhatsky@gmail.com>
Date:	Fri, 13 Mar 2015 18:30:50 +0900
From:	Sergey Senozhatsky <sergey.senozhatsky@...il.com>
To:	Mike Snitzer <snitzer@...hat.com>,
	Ming Lei <ming.lei@...onical.com>
Cc:	Jens Axboe <axboe@...nel.dk>, linux-kernel@...r.kernel.org,
	Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
	Sergey Senozhatsky <sergey.senozhatsky@...il.com>
Subject: [PATCH] block: fully initialize queue in blk_mq_init_allocated_queue

Commit c9e8c91f8a279b87eb0d94b037504ea9fc1bef7c
 Author: Mike Snitzer <snitzer@...hat.com>
 Date:   Tue Mar 10 15:54:41 2015 -0400

 blk-mq: fix use of incorrect goto label in blk_mq_init_queue error path

for some reason has moved queue allocation 'q = blk_alloc_queue_node()'
after 'percpu_ref_init(&q->mq_usage_counter...)', so we are doing percpu
init on something that is not a request_queue.

Further commit 716452cd27b145d611e4399e7cc35df6c943686e
 Author: Mike Snitzer <snitzer@...hat.com>
 Date:   Tue Mar 10 17:20:20 2015 -0400

 blk-mq: add blk_mq_init_allocated_queue and export

has introduced another issue.
In blk_mq_init_queue() we allocate new request_queue:

       uninit_q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
       if (!uninit_q)
               return ERR_PTR(-ENOMEM);

and pass `uninit_q' as a 'request_queue *q' parameter to
blk_mq_init_allocated_queue():

       q = blk_mq_init_allocated_queue(set, uninit_q);

blk_mq_init_allocated_queue(), however, first uses the passed `uninit_q' to init
its percpu, but then it allocates a new request_queue and returns it back,
not being properly initialized:

blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, struct request_queue *q)
[..]
       if (percpu_ref_init(&q->mq_usage_counter, blk_mq_usage_counter_release,
                            PERCPU_REF_INIT_ATOMIC, GFP_KERNEL))
               goto err_hctxs;

       q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
       if (!q)
               goto err_hctxs;

[..]
       return q;

Which eventually leads to different problems, including a NULL pointer
dereference.

Remove blk_alloc_queue_node() from blk_mq_init_allocated_queue() and use
supplied request_queue.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@...il.com>
---
 block/blk-mq.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index b838dfc..59fa239 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1955,10 +1955,6 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
 			    PERCPU_REF_INIT_ATOMIC, GFP_KERNEL))
 		goto err_hctxs;
 
-	q = blk_alloc_queue_node(GFP_KERNEL, set->numa_node);
-	if (!q)
-		goto err_hctxs;
-
 	setup_timer(&q->timeout, blk_mq_rq_timer, (unsigned long) q);
 	blk_queue_rq_timeout(q, 30000);
 
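Review bot: after this removal the only failure exit visible in the hunk is the `goto err_hctxs` following percpu_ref_init(), and `q` is now owned by the caller rather than allocated here, so please confirm that the err_hctxs path does not free or otherwise tear down `q`, and that blk_mq_init_queue() releases `uninit_q` when this function fails. Otherwise the fix trades the uninitialized-queue problem for a leak or a double free on the error path. Since the function now dereferences the supplied pointer unconditionally (`&q->mq_usage_counter`, `&q->timeout`), a short comment above blk_mq_init_allocated_queue() stating that callers must pass an already allocated, non-NULL request_queue would make the contract explicit for the exported symbol. The changelog names both offending commits, so adding Fixes: tags for them would help backport tracking.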
-- 
2.3.2.223.g7a9409c
