elevator: Fix a race in elevator switching

commit d50235b7bc3ee0a0427984d763ea7534149531b4 upstream. There's a race between elevator switching and normal io operation. Because the allocation of struct elevator_queue and struct elevator_data don't in a atomic operation.So there are have chance to use NULL ->elevator_data. For example: Thread A: Thread B blk_queu_bio elevator_switch spin_lock_irq(q->queue_block) elevator_alloc elv_merge elevator_init_fn Because call elevator_alloc, it can't hold queue_lock and the ->elevator_data is NULL.So at the same time, threadA call elv_merge and nedd some info of elevator_data.So the crash happened. Move the elevator_alloc into func elevator_init_fn, it make the operations in a atomic operation. Using the follow method can easy reproduce this bug 1:dd if=/dev/sdb of=/dev/null 2:while true;do echo noop > scheduler;echo deadline > scheduler;done The test method also use this method. Signed-off-by: Jianpeng Ma <majianpeng@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Cc: Jonghwan Choi <jhbird.choi@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jianpeng Ma <majianpeng@gmail.com> 2013-07-03 07:25:24 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-08-20 11:43:03 -0400
commit: a6ad83fce072869921cef7c6f4e86bd91639dc34 (patch)
tree: 4530efd7361b1a8e95229a84ccb2229e1035aba1 /block/noop-iosched.c
parent: dead45bd0527751cc9e71c0547d8f19f498441ed (diff)
1 files changed, 14 insertions, 3 deletions
diff --git a/block/noop-iosched.c b/block/noop-iosched.c
index 5d1bf70e33d5..3de89d4690f3 100644
--- a/block/noop-iosched.c
+++ b/block/noop-iosched.c
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq)
        return list_entry(rq->queuelist.next, struct request, queuelist);
 }
-static int noop_init_queue(struct request_queue *q)
+static int noop_init_queue(struct request_queue *q, struct elevator_type *e)
 {
        struct noop_data *nd;
+        struct elevator_queue *eq;
+        eq = elevator_alloc(q, e);
+        if (!eq)
+                return -ENOMEM;
        nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
-        if (!nd)
+        if (!nd) {
+                kobject_put(&eq->kobj);
                return -ENOMEM;
+        }
+        eq->elevator_data = nd;
        INIT_LIST_HEAD(&nd->queue);
-        q->elevator->elevator_data = nd;
+        spin_lock_irq(q->queue_lock);
+        q->elevator = eq;
+        spin_unlock_irq(q->queue_lock);
        return 0;
 }
author	Jianpeng Ma <majianpeng@gmail.com>	2013-07-03 07:25:24 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-08-20 11:43:03 -0400
commit	a6ad83fce072869921cef7c6f4e86bd91639dc34 (patch)
tree	4530efd7361b1a8e95229a84ccb2229e1035aba1 /block/noop-iosched.c
parent	dead45bd0527751cc9e71c0547d8f19f498441ed (diff)

diff --git a/block/noop-iosched.c b/block/noop-iosched.c index 5d1bf70e33d5..3de89d4690f3 100644 --- a/block/noop-iosched.c +++ b/block/noop-iosched.c
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue q, struct request rq)
59	return list_entry(rq->queuelist.next, struct request, queuelist);	59	return list_entry(rq->queuelist.next, struct request, queuelist);
60	}	60	}
61		61
62	static int noop_init_queue(struct request_queue *q)	62	static int noop_init_queue(struct request_queue q, struct elevator_type e)
63	{	63	{
64	struct noop_data *nd;	64	struct noop_data *nd;
		65	struct elevator_queue *eq;
		66
		67	eq = elevator_alloc(q, e);
		68	if (!eq)
		69	return -ENOMEM;
65		70
66	nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);	71	nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
67	if (!nd)	72	if (!nd) {
		73	kobject_put(&eq->kobj);
68	return -ENOMEM;	74	return -ENOMEM;
		75	}
		76	eq->elevator_data = nd;
69		77
70	INIT_LIST_HEAD(&nd->queue);	78	INIT_LIST_HEAD(&nd->queue);
71	q->elevator->elevator_data = nd;	79
		80	spin_lock_irq(q->queue_lock);
		81	q->elevator = eq;
		82	spin_unlock_irq(q->queue_lock);
72	return 0;	83	return 0;
73	}	84	}
74		85