PATCH: dangling pointer when switching to noop elevator in obscure block drivers.

PATCH: dangling pointer when switching to noop elevator in obscure block drivers.

[Kevin Vigor]

Linux 2.6.35 introduced a test in the beginning of elevator_init(), like
so:

     if (unlikely(q->elevator))
         return 0;

So the following code sequence, which appears in two (obscure) block
drivers is now a serious error:

        elevator_exit(q);
        elevator_init(q, "noop");

The intent is to cleanup the default system elevator and replace it with
the noop elevator. Instead, elevator_exit() frees the existing elevator
object, but leaves q->elevator pointing to it; elevator_init() then
silently fails since q->elevator is non-NULL, and the queue is left with
the elevator pointer invalid, This leads to untold woe and segfaults
later.

The fix is trivial: zero the q->elevator pointer before calling
elevator_init(). Note that drivers/s390/block/dasd.c already follows
this pattern.

I do not have the hardware to actually test either of the two afflicted 
drivers, but I believe the fix to be sufficiently obvious. The following
patches are against the current version of Linus' tree.

Signed-off-by: Kevin Vigor <kevin@vigor.nu>

   Thanks, 
      Kevin Vigor


diff --git a/drivers/s390/char/tape_block.c b/drivers/s390/char/tape_block.c
index b7de025..a1028c9 100644
--- a/drivers/s390/char/tape_block.c
+++ b/drivers/s390/char/tape_block.c
@@ -218,6 +218,7 @@ tapeblock_setup_device(struct tape_device * device)
 		return -ENOMEM;
 
 	elevator_exit(blkdat->request_queue->elevator);
+	blkdat->request_queue->elevator = NULL;
 	rc = elevator_init(blkdat->request_queue, "noop");
 	if (rc)
 		goto cleanup_queue;


diff --git a/drivers/block/mg_disk.c b/drivers/block/mg_disk.c
index b82c5ce..c553404 100644
--- a/drivers/block/mg_disk.c
+++ b/drivers/block/mg_disk.c
@@ -975,6 +975,7 @@ static int mg_probe(struct platform_device *plat_dev)
 
 	/* mflash is random device, thanx for the noop */
 	elevator_exit(host->breq->elevator);
+	host->breq->elevator = NULL;
 	err = elevator_init(host->breq, "noop");
 	if (err) {
 		printk(KERN_ERR "%s:%d (elevator_init) fail\n",

Re: PATCH: dangling pointer when switching to noop elevator in obscure block drivers.

[Jens Axboe]

On 2010-08-20 23:25, Kevin Vigor wrote:
> Linux 2.6.35 introduced a test in the beginning of elevator_init(), like
> so:
> 
>      if (unlikely(q->elevator))
>          return 0;
> 
> So the following code sequence, which appears in two (obscure) block
> drivers is now a serious error:
> 
>         elevator_exit(q);
>         elevator_init(q, "noop");
> 
> The intent is to cleanup the default system elevator and replace it with
> the noop elevator. Instead, elevator_exit() frees the existing elevator
> object, but leaves q->elevator pointing to it; elevator_init() then
> silently fails since q->elevator is non-NULL, and the queue is left with
> the elevator pointer invalid, This leads to untold woe and segfaults
> later.
> 
> The fix is trivial: zero the q->elevator pointer before calling
> elevator_init(). Note that drivers/s390/block/dasd.c already follows
> this pattern.
> 
> I do not have the hardware to actually test either of the two afflicted 
> drivers, but I believe the fix to be sufficiently obvious. The following
> patches are against the current version of Linus' tree.

Thanks, this was also posted last week. I think the best course of
action is to provide an API for switching the scheduler, instead of
having drivers rely on doing it manually.

-- 
Jens Axboe