From: Christian Borntraeger <borntraeger@de.ibm.com>
To: tom.leiming@gmail.com, axboe@kernel.dk
Cc: David Hildenbrand <dahi@linux.vnet.ibm.com>,
	kvm@vger.kernel.org, stable@vger.kernel.org,
	rusty@rustcorp.com.au, virtualization@lists.linux-foundation.org,
	mst@redhat.com, linux-kernel@vger.kernel.org,
	ppinatti@linux.vnet.ibm.com
Subject: Re: [PATCH] blk-mq: Avoid race condition with uninitialized requests
Date: Mon, 22 Sep 2014 16:15:20 +0200	[thread overview]
Message-ID: <54202EF8.4080909@de.ibm.com> (raw)
In-Reply-To: <1411031071-40390-2-git-send-email-dahi@linux.vnet.ibm.com>

On 09/18/2014 11:04 AM, David Hildenbrand wrote:
> This patch should fix the bug reported in https://lkml.org/lkml/2014/9/11/249.
> 
> We have to initialize at least the atomic_flags and the cmd_flags when
> allocating storage for the requests.
> 
> Otherwise blk_mq_timeout_check() might dereference uninitialized pointers when
> racing with the creation of a request.
> 
> Also move the reset of cmd_flags for the initializing code to the point where a
> request is freed. So we will never end up with pending flush request indicators
> that might trigger dereferences of invalid pointers in blk_mq_timeout_check().
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

Can you please add
Reported-by: Paulo De Rezende Pinatti <ppinatti@linux.vnet.ibm.com>
Tested-by: Paulo De Rezende Pinatti <ppinatti@linux.vnet.ibm.com>

as Paulo did the testing work?

We think this patch is fine and should go upstream.



Christian


> ---
>  block/blk-mq.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 383ea0c..eed6340 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -203,7 +203,6 @@ __blk_mq_alloc_request(struct blk_mq_alloc_data *data, int rw)
>  	if (tag != BLK_MQ_TAG_FAIL) {
>  		rq = data->hctx->tags->rqs[tag];
> 
> -		rq->cmd_flags = 0;
>  		if (blk_mq_tag_busy(data->hctx)) {
>  			rq->cmd_flags = REQ_MQ_INFLIGHT;
>  			atomic_inc(&data->hctx->nr_active);
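
Review bot: removing `rq->cmd_flags = 0;` from __blk_mq_alloc_request makes the allocation path depend on an invariant that is no longer visible at this site: cmd_flags must already be zero whenever a tag is handed out, i.e. it is cleared at map init and on every free. The remaining `rq->cmd_flags = REQ_MQ_INFLIGHT;` is a plain assignment inside the blk_mq_tag_busy() branch, so when that test is false nothing on this path touches cmd_flags at all. A one-line comment at the removal point saying where the field is now cleared would stop a later reader from assuming the flags can be stale here or from re-adding the store.
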
> @@ -258,6 +257,7 @@ static void __blk_mq_free_request(struct blk_mq_hw_ctx *hctx,
> 
>  	if (rq->cmd_flags & REQ_MQ_INFLIGHT)
>  		atomic_dec(&hctx->nr_active);
> +	rq->cmd_flags = 0;
> 
>  	clear_bit(REQ_ATOM_STARTED, &rq->atomic_flags);
>  	blk_mq_put_tag(hctx, tag, &ctx->last_tag);
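
Review bot: the new `rq->cmd_flags = 0;` sits after the REQ_MQ_INFLIGHT test (so the nr_active accounting still sees the flag) and before `clear_bit(REQ_ATOM_STARTED, &rq->atomic_flags);` and `blk_mq_put_tag(hctx, tag, &ctx->last_tag);`, which is the order the fix needs: the flag word is cleared before the tag can be handed out again. That ordering is load-bearing and nothing in the hunk says so; a short comment such as "must precede put_tag: the timeout check reads cmd_flags" would document it. It is also worth confirming that this is the only path that releases a tag, since any other release path would now leave cmd_flags stale for the next allocation.
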
> @@ -1404,6 +1404,8 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
>  		left -= to_do * rq_size;
>  		for (j = 0; j < to_do; j++) {
>  			tags->rqs[i] = p;
> +			tags->rqs[i]->atomic_flags = 0;
> +			tags->rqs[i]->cmd_flags = 0;
>  			if (set->ops->init_request) {
>  				if (set->ops->init_request(set->driver_data,
>  						tags->rqs[i], hctx_idx, i,
> 
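
Review bot: only atomic_flags and cmd_flags are zeroed here, matching the "at least" in the commit message, but every other field of the request keeps whatever the backing page contained until init_request or a later allocation fills it in. If blk_mq_timeout_check() can reach a request that has never been allocated, the fields it reads before REQ_ATOM_STARTED is set should be named in a comment so this list stays in sync with that function; otherwise zeroing the whole request (memset over rq_size, which is already in scope via `left -= to_do * rq_size;`) would be more robust than picking fields. Minor: `tags->rqs[i]` is written three times in a row; a local `struct request *rq = p;` would read cleaner.
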
