[PATCH] block: fix mq request allocation

[PATCH] block: fix mq request allocation

[Ming Lei]

blk_mq_alloc_request_pinned() may return NULL request in case of
!__GFP_WAIT, so cause its callers to derefence NULL pointer for
releasing current context.

This patch introduces two flags to address the issue.

Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
---
 block/blk-mq.c |   27 ++++++++++++++++-----------
 block/blk-mq.h |    3 +++
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index fb9ffdb..6875736 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -188,26 +188,32 @@ static struct request *__blk_mq_alloc_request(struct blk_mq_hw_ctx *hctx,
 
 static struct request *blk_mq_alloc_request_pinned(struct request_queue *q,
 						   int rw, gfp_t gfp,
-						   bool reserved)
+						   unsigned int flags)
 {
 	struct request *rq;
+	struct blk_mq_ctx *ctx;
+	struct blk_mq_hw_ctx *hctx;
 
 	do {
-		struct blk_mq_ctx *ctx = blk_mq_get_ctx(q);
-		struct blk_mq_hw_ctx *hctx = q->mq_ops->map_queue(q, ctx->cpu);
+		ctx = blk_mq_get_ctx(q);
+		hctx = q->mq_ops->map_queue(q, ctx->cpu);
 
-		rq = __blk_mq_alloc_request(hctx, gfp & ~__GFP_WAIT, reserved);
+		rq = __blk_mq_alloc_request(hctx, gfp & ~__GFP_WAIT,
+				!!(flags & MQ_ALLOC_RESERVED));
 		if (rq) {
 			blk_mq_rq_ctx_init(q, ctx, rq, rw);
-			break;
+			goto exit;
 		} else if (!(gfp & __GFP_WAIT))
-			break;
+			goto exit;
 
 		blk_mq_put_ctx(ctx);
 		__blk_mq_run_hw_queue(hctx);
 		blk_mq_wait_for_tags(hctx->tags);
 	} while (1);
 
+exit:
+	if (!(flags & MQ_ALLOC_HOLD_CTX))
+		blk_mq_put_ctx(ctx);
 	return rq;
 }
 
@@ -219,8 +225,8 @@ struct request *blk_mq_alloc_request(struct request_queue *q, int rw,
 	if (blk_mq_queue_enter(q))
 		return NULL;
 
-	rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved);
-	blk_mq_put_ctx(rq->mq_ctx);
+	rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved ?
+			MQ_ALLOC_RESERVED : 0);
 	return rq;
 }
 
@@ -232,8 +238,7 @@ struct request *blk_mq_alloc_reserved_request(struct request_queue *q, int rw,
 	if (blk_mq_queue_enter(q))
 		return NULL;
 
-	rq = blk_mq_alloc_request_pinned(q, rw, gfp, true);
-	blk_mq_put_ctx(rq->mq_ctx);
+	rq = blk_mq_alloc_request_pinned(q, rw, gfp, MQ_ALLOC_RESERVED);
 	return rq;
 }
 EXPORT_SYMBOL(blk_mq_alloc_reserved_request);
@@ -890,7 +895,7 @@ static void blk_mq_make_request(struct request_queue *q, struct bio *bio)
 		blk_mq_put_ctx(ctx);
 		trace_block_sleeprq(q, bio, rw);
 		rq = blk_mq_alloc_request_pinned(q, rw, __GFP_WAIT|GFP_ATOMIC,
-							false);
+							MQ_ALLOC_HOLD_CTX);
 		ctx = rq->mq_ctx;
 		hctx = q->mq_ops->map_queue(q, ctx->cpu);
 	}
diff --git a/block/blk-mq.h b/block/blk-mq.h
index 5761eed..998911e 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -22,6 +22,9 @@ struct blk_mq_ctx {
 	struct kobject		kobj;
 };
 
+#define MQ_ALLOC_RESERVED	(1U << 0)
+#define MQ_ALLOC_HOLD_CTX	(1U << 1)
+
 void __blk_mq_end_io(struct request *rq, int error);
 void blk_mq_complete_request(struct request *rq, int error);
 void blk_mq_run_request(struct request *rq, bool run_queue, bool async);
-- 
1.7.9.5

Re: [PATCH] block: fix mq request allocation

[Jeff Moyer]

Ming Lei <tom.leiming@gmail.com> writes:

> blk_mq_alloc_request_pinned() may return NULL request in case of
> !__GFP_WAIT, so cause its callers to derefence NULL pointer for
> releasing current context.
>
> This patch introduces two flags to address the issue.

Hi, Ming,


Good catch, but your patch seems overly complicated.  How about
something like the following (compile-tested only), instead?  Note that
I did not touch blk_make_request, as the put_ctx there seems to
correlate to a get_ctx earlier in the function (not a leaked reference
from __blk_mq_alloc_request).

-Jeff

p.s. Jens, every time I see GFP_ATOMIC|__GFP_WAIT, my head explodes.  Just sayin'.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>


diff --git a/block/blk-mq.c b/block/blk-mq.c
index cdc629c..70fd6f9 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -202,10 +202,12 @@ static struct request *blk_mq_alloc_request_pinned(struct request_queue *q,
 		if (rq) {
 			blk_mq_rq_ctx_init(q, ctx, rq, rw);
 			break;
-		} else if (!(gfp & __GFP_WAIT))
-			break;
+		}
 
 		blk_mq_put_ctx(ctx);
+		if (!(gfp & __GFP_WAIT))
+			break;
+
 		__blk_mq_run_hw_queue(hctx);
 		blk_mq_wait_for_tags(hctx->tags);
 	} while (1);
@@ -222,7 +224,8 @@ struct request *blk_mq_alloc_request(struct request_queue *q, int rw,
 		return NULL;
 
 	rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved);
-	blk_mq_put_ctx(rq->mq_ctx);
+	if (rq)
+		blk_mq_put_ctx(rq->mq_ctx);
 	return rq;
 }
 
@@ -235,7 +238,8 @@ struct request *blk_mq_alloc_reserved_request(struct request_queue *q, int rw,
 		return NULL;
 
 	rq = blk_mq_alloc_request_pinned(q, rw, gfp, true);
-	blk_mq_put_ctx(rq->mq_ctx);
+	if (rq)
+		blk_mq_put_ctx(rq->mq_ctx);
 	return rq;
 }
 EXPORT_SYMBOL(blk_mq_alloc_reserved_request);

Re: [PATCH] block: fix mq request allocation

[Jens Axboe]

On 12/02/2013 08:20 AM, Jeff Moyer wrote:
> Ming Lei <tom.leiming@gmail.com> writes:
> 
>> blk_mq_alloc_request_pinned() may return NULL request in case of
>> !__GFP_WAIT, so cause its callers to derefence NULL pointer for
>> releasing current context.
>>
>> This patch introduces two flags to address the issue.
> 
> Hi, Ming,
> 
> 
> Good catch, but your patch seems overly complicated.  How about
> something like the following (compile-tested only), instead?  Note that
> I did not touch blk_make_request, as the put_ctx there seems to
> correlate to a get_ctx earlier in the function (not a leaked reference
> from __blk_mq_alloc_request).

I would tend to agree, it's overly complicated. The bug is real, however.

> p.s. Jens, every time I see GFP_ATOMIC|__GFP_WAIT, my head explodes.  Just sayin'.

It's perfectly fine :-)

-- 
Jens Axboe

Re: [PATCH] block: fix mq request allocation

[Jeff Moyer]

Jens Axboe <axboe@kernel.dk> writes:

> On 12/02/2013 08:20 AM, Jeff Moyer wrote:
>> Ming Lei <tom.leiming@gmail.com> writes:
>> 
>>> blk_mq_alloc_request_pinned() may return NULL request in case of
>>> !__GFP_WAIT, so cause its callers to derefence NULL pointer for
>>> releasing current context.
>>>
>>> This patch introduces two flags to address the issue.
>> 
>> Hi, Ming,
>> 
>> 
>> Good catch, but your patch seems overly complicated.  How about
>> something like the following (compile-tested only), instead?  Note that
>> I did not touch blk_make_request, as the put_ctx there seems to
>> correlate to a get_ctx earlier in the function (not a leaked reference
>> from __blk_mq_alloc_request).
>
> I would tend to agree, it's overly complicated. The bug is real, however.

Hmm, did I make it sound as though I thought it wasn't a bug?  Your
response leaves me wondering whether my patch made it to your inbox.

>> p.s. Jens, every time I see GFP_ATOMIC|__GFP_WAIT, my head explodes.  Just sayin'.
>
> It's perfectly fine :-)

Sure, it's not *your* head!  ;-)

-Jeff

Re: [PATCH] block: fix mq request allocation

[Ming Lei]

Hi Jeff,

On Mon, Dec 2, 2013 at 11:20 PM, Jeff Moyer <jmoyer@redhat.com> wrote:
> Ming Lei <tom.leiming@gmail.com> writes:
>
>> blk_mq_alloc_request_pinned() may return NULL request in case of
>> !__GFP_WAIT, so cause its callers to derefence NULL pointer for
>> releasing current context.
>>
>> This patch introduces two flags to address the issue.
>
> Hi, Ming,
>
>
> Good catch, but your patch seems overly complicated.  How about
> something like the following (compile-tested only), instead?  Note that

Looks your patch is better and simpler, :-)


> I did not touch blk_make_request, as the put_ctx there seems to
> correlate to a get_ctx earlier in the function (not a leaked reference
> from __blk_mq_alloc_request).
>
> -Jeff
>
> p.s. Jens, every time I see GFP_ATOMIC|__GFP_WAIT, my head explodes.  Just sayin'.
>
> Signed-off-by: Jeff Moyer <jmoyer@redhat.com>

Reported-by: Ming Lei <tom.leiming@gmail.com>

>
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index cdc629c..70fd6f9 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -202,10 +202,12 @@ static struct request *blk_mq_alloc_request_pinned(struct request_queue *q,
>                 if (rq) {
>                         blk_mq_rq_ctx_init(q, ctx, rq, rw);
>                         break;
> -               } else if (!(gfp & __GFP_WAIT))
> -                       break;
> +               }
>
>                 blk_mq_put_ctx(ctx);
> +               if (!(gfp & __GFP_WAIT))
> +                       break;
> +
>                 __blk_mq_run_hw_queue(hctx);
>                 blk_mq_wait_for_tags(hctx->tags);
>         } while (1);
> @@ -222,7 +224,8 @@ struct request *blk_mq_alloc_request(struct request_queue *q, int rw,
>                 return NULL;
>
>         rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved);
> -       blk_mq_put_ctx(rq->mq_ctx);
> +       if (rq)
> +               blk_mq_put_ctx(rq->mq_ctx);
>         return rq;
>  }
>
> @@ -235,7 +238,8 @@ struct request *blk_mq_alloc_reserved_request(struct request_queue *q, int rw,
>                 return NULL;
>
>         rq = blk_mq_alloc_request_pinned(q, rw, gfp, true);
> -       blk_mq_put_ctx(rq->mq_ctx);
> +       if (rq)
> +               blk_mq_put_ctx(rq->mq_ctx);
>         return rq;
>  }
>  EXPORT_SYMBOL(blk_mq_alloc_reserved_request);


Thanks,
-- 
Ming Lei