diff options
| author | Ming Lei <ming.lei@canonical.com> | 2015-01-19 22:00:56 -0500 |
|---|---|---|
| committer | Jens Axboe <axboe@fb.com> | 2015-01-20 11:28:33 -0500 |
| commit | 76d697d10769048e5721510100bf3a9413a56385 (patch) | |
| tree | e7d78afb91e9f7ff47f7e1e558f762908c50f49e /block/blk-mq-sysfs.c | |
| parent | 6222d1721dd7d533b43747642419a8ff78ad6f99 (diff) | |
blk-mq: fix hctx/ctx kobject use-after-free
The kobject memory shouldn't have been freed before the kobject
is released because driver core can access it freely before its
release.
This patch frees hctx in its release callback. For ctx, they
share one single per-cpu variable which is associated with
the request queue, so free ctx in q->mq_kobj's release handler.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(fix ctx kobjects)
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'block/blk-mq-sysfs.c')
| -rw-r--r-- | block/blk-mq-sysfs.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c index 1630a20d5dcf..6774a0e69867 100644 --- a/block/blk-mq-sysfs.c +++ b/block/blk-mq-sysfs.c | |||
| @@ -15,6 +15,26 @@ | |||
| 15 | 15 | ||
| 16 | static void blk_mq_sysfs_release(struct kobject *kobj) | 16 | static void blk_mq_sysfs_release(struct kobject *kobj) |
| 17 | { | 17 | { |
| 18 | struct request_queue *q; | ||
| 19 | |||
| 20 | q = container_of(kobj, struct request_queue, mq_kobj); | ||
| 21 | free_percpu(q->queue_ctx); | ||
| 22 | } | ||
| 23 | |||
| 24 | static void blk_mq_ctx_release(struct kobject *kobj) | ||
| 25 | { | ||
| 26 | struct blk_mq_ctx *ctx; | ||
| 27 | |||
| 28 | ctx = container_of(kobj, struct blk_mq_ctx, kobj); | ||
| 29 | kobject_put(&ctx->queue->mq_kobj); | ||
| 30 | } | ||
| 31 | |||
| 32 | static void blk_mq_hctx_release(struct kobject *kobj) | ||
| 33 | { | ||
| 34 | struct blk_mq_hw_ctx *hctx; | ||
| 35 | |||
| 36 | hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj); | ||
| 37 | kfree(hctx); | ||
| 18 | } | 38 | } |
| 19 | 39 | ||
| 20 | struct blk_mq_ctx_sysfs_entry { | 40 | struct blk_mq_ctx_sysfs_entry { |
| @@ -318,13 +338,13 @@ static struct kobj_type blk_mq_ktype = { | |||
| 318 | static struct kobj_type blk_mq_ctx_ktype = { | 338 | static struct kobj_type blk_mq_ctx_ktype = { |
| 319 | .sysfs_ops = &blk_mq_sysfs_ops, | 339 | .sysfs_ops = &blk_mq_sysfs_ops, |
| 320 | .default_attrs = default_ctx_attrs, | 340 | .default_attrs = default_ctx_attrs, |
| 321 | .release = blk_mq_sysfs_release, | 341 | .release = blk_mq_ctx_release, |
| 322 | }; | 342 | }; |
| 323 | 343 | ||
| 324 | static struct kobj_type blk_mq_hw_ktype = { | 344 | static struct kobj_type blk_mq_hw_ktype = { |
| 325 | .sysfs_ops = &blk_mq_hw_sysfs_ops, | 345 | .sysfs_ops = &blk_mq_hw_sysfs_ops, |
| 326 | .default_attrs = default_hw_ctx_attrs, | 346 | .default_attrs = default_hw_ctx_attrs, |
| 327 | .release = blk_mq_sysfs_release, | 347 | .release = blk_mq_hctx_release, |
| 328 | }; | 348 | }; |
| 329 | 349 | ||
| 330 | static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx) | 350 | static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx) |
| @@ -355,6 +375,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) | |||
| 355 | return ret; | 375 | return ret; |
| 356 | 376 | ||
| 357 | hctx_for_each_ctx(hctx, ctx, i) { | 377 | hctx_for_each_ctx(hctx, ctx, i) { |
| 378 | kobject_get(&q->mq_kobj); | ||
| 358 | ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu); | 379 | ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu); |
| 359 | if (ret) | 380 | if (ret) |
| 360 | break; | 381 | break; |