[PATCH] elevator use after free

[PATCH] elevator use after free

[Anders Johansson]

[-- Attachment #1: Type: text/plain, Size: 168 bytes --]

Hi,

Attached is a patch for a crash we have seen where an elevator is used after 
it has been killed.

Reply with me in cc. please, I'm not subscribed

Thanks,

Anders

[-- Attachment #2: elevator-dont-use-dead-elv --]
[-- Type: text/plain, Size: 1373 bytes --]

If a device disappears, the elevator may in some cases be used
after free, similar to 0a58e077eb600d1efd7e54ad9926a75a39d7f8ae

Several crashes were seen with the trace

[<ffffffff80196657>] elv_drain_elevator+0x17/0x60
[<ffffffff80197009>] elv_insert+0x129/0x260
[<ffffffff80198323>] blk_insert_cloned_request+0x53/0x70
[<ffffffffa018c62f>] dm_dispatch_request+0x2f/0x60 [dm_mod]
[<ffffffffa014c0b0>] dispatch_queued_ios+0x110/0x150 [dm_multipath]
[<ffffffff800530b3>] run_workqueue+0xa3/0x1f0
[<ffffffff80053296>] worker_thread+0x96/0x110
[<ffffffff80056946>] kthread+0x96/0xa0
[<ffffffff80007f0a>] child_rip+0xa/0x20

This patch adds more tests to ensure a dead queue isn't used

Signed-off-by: Anders Johansson <ajohansson@suse.com>

diff -upr a/block/elevator.c b/block/elevator.c
--- a/block/elevator.c	2011-08-24 18:44:20.000000000 +0200
+++ b/block/elevator.c	2011-09-05 15:04:08.000000000 +0200
@@ -622,7 +622,7 @@ void elv_drain_elevator(struct request_q
  */
 void elv_quiesce_start(struct request_queue *q)
 {
-	if (!q->elevator)
+	if (!q->elevator || test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))
 		return;
 
 	queue_flag_set(QUEUE_FLAG_ELVSWITCH, q);
@@ -649,6 +649,9 @@ void elv_insert(struct request_qu
 {
 	trace_block_rq_insert(q, rq);
 
+	if(test_bit(QUEUE_FLAG_DEAD, &q->queue_flags))
+		return;
+
 	rq->q = q;
 
 	if (rq->cmd_flags & REQ_SOFTBARRIER) {