diff options
| author | Ming Lei <ming.lei@redhat.com> | 2019-04-29 21:52:27 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2019-05-04 09:24:08 -0400 |
| commit | 2f8f1336a48bd5186de3476da0a3e2ec06d0533a (patch) | |
| tree | 1bc1ee8510442e16f00ba1cf82ebfb0dfb926017 /include/linux | |
| parent | 7c6c5b7c9186e3fb5b10afb8e5f710ae661144c6 (diff) | |
blk-mq: always free hctx after request queue is freed
In normal queue cleanup path, hctx is released after request queue
is freed, see blk_mq_release().
However, in __blk_mq_update_nr_hw_queues(), hctx may be freed because
of hw queues shrinking. This way is easy to cause use-after-free,
because: one implicit rule is that it is safe to call almost all block
layer APIs if the request queue is alive; and one hctx may be retrieved
by one API, then the hctx can be freed by blk_mq_update_nr_hw_queues();
finally use-after-free is triggered.
Fixes this issue by always freeing hctx after releasing request queue.
If some hctxs are removed in blk_mq_update_nr_hw_queues(), introduce
a per-queue list to hold them, then try to resuse these hctxs if numa
node is matched.
Cc: Dongli Zhang <dongli.zhang@oracle.com>
Cc: James Smart <james.smart@broadcom.com>
Cc: Bart Van Assche <bart.vanassche@wdc.com>
Cc: linux-scsi@vger.kernel.org,
Cc: Martin K . Petersen <martin.petersen@oracle.com>,
Cc: Christoph Hellwig <hch@lst.de>,
Cc: James E . J . Bottomley <jejb@linux.vnet.ibm.com>,
Reviewed-by: Hannes Reinecke <hare@suse.com>
Tested-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/blk-mq.h | 2 | ||||
| -rw-r--r-- | include/linux/blkdev.h | 7 |
2 files changed, 9 insertions, 0 deletions
diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h index db29928de467..15d1aa53d96c 100644 --- a/include/linux/blk-mq.h +++ b/include/linux/blk-mq.h | |||
| @@ -70,6 +70,8 @@ struct blk_mq_hw_ctx { | |||
| 70 | struct dentry *sched_debugfs_dir; | 70 | struct dentry *sched_debugfs_dir; |
| 71 | #endif | 71 | #endif |
| 72 | 72 | ||
| 73 | struct list_head hctx_list; | ||
| 74 | |||
| 73 | /* Must be the last member - see also blk_mq_hw_ctx_size(). */ | 75 | /* Must be the last member - see also blk_mq_hw_ctx_size(). */ |
| 74 | struct srcu_struct srcu[0]; | 76 | struct srcu_struct srcu[0]; |
| 75 | }; | 77 | }; |
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index bd3e3f09bfa0..1aafeb923e7b 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h | |||
| @@ -535,6 +535,13 @@ struct request_queue { | |||
| 535 | 535 | ||
| 536 | struct mutex sysfs_lock; | 536 | struct mutex sysfs_lock; |
| 537 | 537 | ||
| 538 | /* | ||
| 539 | * for reusing dead hctx instance in case of updating | ||
| 540 | * nr_hw_queues | ||
| 541 | */ | ||
| 542 | struct list_head unused_hctx_list; | ||
| 543 | spinlock_t unused_hctx_lock; | ||
| 544 | |||
| 538 | atomic_t mq_freeze_depth; | 545 | atomic_t mq_freeze_depth; |
| 539 | 546 | ||
| 540 | #if defined(CONFIG_BLK_DEV_BSG) | 547 | #if defined(CONFIG_BLK_DEV_BSG) |