diff options
author | Ming Lei <ming.lei@canonical.com> | 2015-01-29 20:17:26 +0800 |
---|---|---|
committer | Jens Axboe <axboe@fb.com> | 2015-01-29 08:30:49 -0800 |
commit | 74170118b26e55b611de5210f47657118a03a0e1 (patch) | |
tree | d5dad5639822bf65524659dc7c26a6502a336418 | |
parent | c59c961ca511dc7ee2f4f7e9c224d16f5c76ca6e (diff) | |
download | linux-74170118b26e55b611de5210f47657118a03a0e1.tar.bz2 |
Revert "blk-mq: fix hctx/ctx kobject use-after-free"
This reverts commit 76d697d10769048e5721510100bf3a9413a56385.
The commit 76d697d10769048 causes general protection fault
reported from Bart Van Assche:
https://lkml.org/lkml/2015/1/28/334
Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
-rw-r--r-- | block/blk-mq-sysfs.c | 25 | ||||
-rw-r--r-- | block/blk-mq.c | 6 |
2 files changed, 7 insertions, 24 deletions
diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c index 6774a0e69867..1630a20d5dcf 100644 --- a/block/blk-mq-sysfs.c +++ b/block/blk-mq-sysfs.c @@ -15,26 +15,6 @@ static void blk_mq_sysfs_release(struct kobject *kobj) { - struct request_queue *q; - - q = container_of(kobj, struct request_queue, mq_kobj); - free_percpu(q->queue_ctx); -} - -static void blk_mq_ctx_release(struct kobject *kobj) -{ - struct blk_mq_ctx *ctx; - - ctx = container_of(kobj, struct blk_mq_ctx, kobj); - kobject_put(&ctx->queue->mq_kobj); -} - -static void blk_mq_hctx_release(struct kobject *kobj) -{ - struct blk_mq_hw_ctx *hctx; - - hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj); - kfree(hctx); } struct blk_mq_ctx_sysfs_entry { @@ -338,13 +318,13 @@ static struct kobj_type blk_mq_ktype = { static struct kobj_type blk_mq_ctx_ktype = { .sysfs_ops = &blk_mq_sysfs_ops, .default_attrs = default_ctx_attrs, - .release = blk_mq_ctx_release, + .release = blk_mq_sysfs_release, }; static struct kobj_type blk_mq_hw_ktype = { .sysfs_ops = &blk_mq_hw_sysfs_ops, .default_attrs = default_hw_ctx_attrs, - .release = blk_mq_hctx_release, + .release = blk_mq_sysfs_release, }; static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx) @@ -375,7 +355,6 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) return ret; hctx_for_each_ctx(hctx, ctx, i) { - kobject_get(&q->mq_kobj); ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu); if (ret) break; diff --git a/block/blk-mq.c b/block/blk-mq.c index 9ee3b87c4498..2f95747c287e 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -1641,8 +1641,10 @@ static void blk_mq_free_hw_queues(struct request_queue *q, struct blk_mq_hw_ctx *hctx; unsigned int i; - queue_for_each_hw_ctx(q, hctx, i) + queue_for_each_hw_ctx(q, hctx, i) { free_cpumask_var(hctx->cpumask); + kfree(hctx); + } } static int blk_mq_init_hctx(struct request_queue *q, @@ -2000,9 +2002,11 @@ void blk_mq_free_queue(struct request_queue *q) percpu_ref_exit(&q->mq_usage_counter); + free_percpu(q->queue_ctx); kfree(q->queue_hw_ctx); kfree(q->mq_map); + q->queue_ctx = NULL; q->queue_hw_ctx = NULL; q->mq_map = NULL; |