Revert "blk-mq: fix hctx/ctx kobject use-after-free"

This reverts commit 76d697d10769048e5721510100bf3a9413a56385. The commit 76d697d10769048 causes general protection fault reported from Bart Van Assche: https://lkml.org/lkml/2015/1/28/334 Reported-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Jens Axboe <axboe@fb.com>
author: Ming Lei <ming.lei@canonical.com> 2015-01-29 07:17:26 -0500
committer: Jens Axboe <axboe@fb.com> 2015-01-29 11:30:49 -0500
commit: 74170118b26e55b611de5210f47657118a03a0e1 (patch)
tree: d5dad5639822bf65524659dc7c26a6502a336418 /block
parent: c59c961ca511dc7ee2f4f7e9c224d16f5c76ca6e (diff)
2 files changed, 7 insertions, 24 deletions
diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
index 6774a0e69867..1630a20d5dcf 100644
--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -15,26 +15,6 @@
 static void blk_mq_sysfs_release(struct kobject *kobj)
 {
-        struct request_queue *q;
-        q = container_of(kobj, struct request_queue, mq_kobj);
-        free_percpu(q->queue_ctx);
-}
-static void blk_mq_ctx_release(struct kobject *kobj)
-{
-        struct blk_mq_ctx *ctx;
-        ctx = container_of(kobj, struct blk_mq_ctx, kobj);
-        kobject_put(&ctx->queue->mq_kobj);
-}
-static void blk_mq_hctx_release(struct kobject *kobj)
-{
-        struct blk_mq_hw_ctx *hctx;
-        hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj);
-        kfree(hctx);
 }
 struct blk_mq_ctx_sysfs_entry {
@@ -338,13 +318,13 @@ static struct kobj_type blk_mq_ktype = {
 static struct kobj_type blk_mq_ctx_ktype = {
        .sysfs_ops      = &blk_mq_sysfs_ops,
        .default_attrs  = default_ctx_attrs,
-        .release        = blk_mq_ctx_release,
+        .release        = blk_mq_sysfs_release,
 };
 static struct kobj_type blk_mq_hw_ktype = {
        .sysfs_ops      = &blk_mq_hw_sysfs_ops,
        .default_attrs  = default_hw_ctx_attrs,
-        .release        = blk_mq_hctx_release,
+        .release        = blk_mq_sysfs_release,
 };
 static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx)
@@ -375,7 +355,6 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
                return ret;
        hctx_for_each_ctx(hctx, ctx, i) {
-                kobject_get(&q->mq_kobj);
                ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu);
                if (ret)
                        break;
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 9ee3b87c4498..2f95747c287e 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1641,8 +1641,10 @@ static void blk_mq_free_hw_queues(struct request_queue *q,
        struct blk_mq_hw_ctx *hctx;
        unsigned int i;
-        queue_for_each_hw_ctx(q, hctx, i)
+        queue_for_each_hw_ctx(q, hctx, i) {
                free_cpumask_var(hctx->cpumask);
+                kfree(hctx);
+        }
 }
 static int blk_mq_init_hctx(struct request_queue *q,
@@ -2000,9 +2002,11 @@ void blk_mq_free_queue(struct request_queue *q)
        percpu_ref_exit(&q->mq_usage_counter);
+        free_percpu(q->queue_ctx);
        kfree(q->queue_hw_ctx);
        kfree(q->mq_map);
+        q->queue_ctx = NULL;
        q->queue_hw_ctx = NULL;
        q->mq_map = NULL;
author	Ming Lei <ming.lei@canonical.com>	2015-01-29 07:17:26 -0500
committer	Jens Axboe <axboe@fb.com>	2015-01-29 11:30:49 -0500
commit	74170118b26e55b611de5210f47657118a03a0e1 (patch)
tree	d5dad5639822bf65524659dc7c26a6502a336418 /block
parent	c59c961ca511dc7ee2f4f7e9c224d16f5c76ca6e (diff)