Revert "blk-mq: fix hctx/ctx kobject use-after-free"
authorMing Lei <ming.lei@canonical.com>
Thu, 29 Jan 2015 12:17:26 +0000 (20:17 +0800)
committerJens Axboe <axboe@fb.com>
Thu, 29 Jan 2015 16:30:49 +0000 (08:30 -0800)
This reverts commit 76d697d10769048e5721510100bf3a9413a56385.

The commit 76d697d10769048 causes general protection fault
reported from Bart Van Assche:

https://lkml.org/lkml/2015/1/28/334

Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
block/blk-mq-sysfs.c
block/blk-mq.c

index 6774a0e698675927be5c78dc34b0087d873b5ebe..1630a20d5dcfa550ebe9c8815927d51b70bd9d56 100644 (file)
 
 static void blk_mq_sysfs_release(struct kobject *kobj)
 {
-       struct request_queue *q;
-
-       q = container_of(kobj, struct request_queue, mq_kobj);
-       free_percpu(q->queue_ctx);
-}
-
-static void blk_mq_ctx_release(struct kobject *kobj)
-{
-       struct blk_mq_ctx *ctx;
-
-       ctx = container_of(kobj, struct blk_mq_ctx, kobj);
-       kobject_put(&ctx->queue->mq_kobj);
-}
-
-static void blk_mq_hctx_release(struct kobject *kobj)
-{
-       struct blk_mq_hw_ctx *hctx;
-
-       hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj);
-       kfree(hctx);
 }
 
 struct blk_mq_ctx_sysfs_entry {
@@ -338,13 +318,13 @@ static struct kobj_type blk_mq_ktype = {
 static struct kobj_type blk_mq_ctx_ktype = {
        .sysfs_ops      = &blk_mq_sysfs_ops,
        .default_attrs  = default_ctx_attrs,
-       .release        = blk_mq_ctx_release,
+       .release        = blk_mq_sysfs_release,
 };
 
 static struct kobj_type blk_mq_hw_ktype = {
        .sysfs_ops      = &blk_mq_hw_sysfs_ops,
        .default_attrs  = default_hw_ctx_attrs,
-       .release        = blk_mq_hctx_release,
+       .release        = blk_mq_sysfs_release,
 };
 
 static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx)
@@ -375,7 +355,6 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
                return ret;
 
        hctx_for_each_ctx(hctx, ctx, i) {
-               kobject_get(&q->mq_kobj);
                ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu);
                if (ret)
                        break;
index 9ee3b87c44984d336dbd4c82572fd3a4c3d35e90..2f95747c287eac350b45cc272fcd3d6e9c43ee09 100644 (file)
@@ -1641,8 +1641,10 @@ static void blk_mq_free_hw_queues(struct request_queue *q,
        struct blk_mq_hw_ctx *hctx;
        unsigned int i;
 
-       queue_for_each_hw_ctx(q, hctx, i)
+       queue_for_each_hw_ctx(q, hctx, i) {
                free_cpumask_var(hctx->cpumask);
+               kfree(hctx);
+       }
 }
 
 static int blk_mq_init_hctx(struct request_queue *q,
@@ -2000,9 +2002,11 @@ void blk_mq_free_queue(struct request_queue *q)
 
        percpu_ref_exit(&q->mq_usage_counter);
 
+       free_percpu(q->queue_ctx);
        kfree(q->queue_hw_ctx);
        kfree(q->mq_map);
 
+       q->queue_ctx = NULL;
        q->queue_hw_ctx = NULL;
        q->mq_map = NULL;