[PATCH 5/6] blk-mq: fix race between updating nr_hw_queues and switching io sched

[PATCH 0/6] blk-mq: fix race related with device deletion/reset/switching sched · Ming Lei <hidden> · 2017-12-12
[PATCH 1/6] blk-mq: quiesce queue before freeing queue · Ming Lei <hidden> · 2017-12-12
[PATCH 2/6] blk-mq: support concurrent blk_mq_quiesce_queue() · Ming Lei <hidden> · 2017-12-12
[PATCH 3/6] blk-mq: quiesce queue during switching io sched and updating nr_requests · Ming Lei <hidden> · 2017-12-12
[PATCH 4/6] blk-mq: avoid to map CPU into stale hw queue · Ming Lei <hidden> · 2017-12-12
Re: [PATCH 4/6] blk-mq: avoid to map CPU into stale hw queue · Christoph Hellwig <hch@lst.de> · 2017-12-12
Re: [PATCH 4/6] blk-mq: avoid to map CPU into stale hw queue · Ming Lei <hidden> · 2017-12-12
[PATCH 5/6] blk-mq: fix race between updating nr_hw_queues and switching io sched · Ming Lei <hidden> · 2017-12-12
[PATCH 6/6] nvme: remove .init_request callback · Ming Lei <hidden> · 2017-12-12
Re: [PATCH 6/6] nvme: remove .init_request callback · Christoph Hellwig <hch@lst.de> · 2017-12-12
Re: [PATCH 6/6] nvme: remove .init_request callback · Ming Lei <hidden> · 2017-12-12
Re: [PATCH 6/6] nvme: remove .init_request callback · Ming Lei <hidden> · 2017-12-13

STALE3118d

Revisions (2)

2017-12-12 v1 current
2017-12-14 v2 [diff vs current]

From: Ming Lei <hidden>
Date: 2017-12-12 11:04:07
Also in: linux-nvme
Subsystem: block layer, the rest · Maintainers: Jens Axboe, Linus Torvalds

In both elevator_switch_mq() and blk_mq_update_nr_hw_queues(), sched tags
can be allocated, and q->nr_hw_queue is used, and race is inevitable, for
example: blk_mq_init_sched() may trigger use-after-free on hctx, which is
freed in blk_mq_realloc_hw_ctxs() when nr_hw_queues is decreased.

This patch fixes the race be holding q->sysfs_lock.

Reported-by: Yi Zhang <redacted>
Signed-off-by: Ming Lei <redacted>
---
 block/blk-mq.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 85954a0b4394..4e97c40e7a0f 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c

@@ -2418,6 +2418,9 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
 	struct blk_mq_hw_ctx **hctxs = q->queue_hw_ctx;
 
 	blk_mq_sysfs_unregister(q);
+
+	/* protect against switching io scheduler  */
+	mutex_lock(&q->sysfs_lock);
 	for (i = 0; i < set->nr_hw_queues; i++) {
 		int node;

@@ -2462,6 +2465,7 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
 		}
 	}
 	q->nr_hw_queues = i;
+	mutex_unlock(&q->sysfs_lock);
 	blk_mq_sysfs_register(q);
 }

-- 
2.9.5

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help