From 2c575026fae6e63771bd2a4c1d407214a8096a89 Mon Sep 17 00:00:00 2001 From: Hong Zhiguo Date: Wed, 20 Nov 2013 10:35:05 -0700 Subject: Update of blkg_stat and blkg_rwstat may happen in bh context. While u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This is not enough to avoid preemption by bh and may read strange 64 bit value. Signed-off-by: Hong Zhiguo Acked-by: Tejun Heo Cc: stable@kernel.org Signed-off-by: Jens Axboe --- block/blk-cgroup.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'block') diff --git a/block/blk-cgroup.h b/block/blk-cgroup.h index 1610b22edf09..86154eab9523 100644 --- a/block/blk-cgroup.h +++ b/block/blk-cgroup.h @@ -435,9 +435,9 @@ static inline uint64_t blkg_stat_read(struct blkg_stat *stat) uint64_t v; do { - start = u64_stats_fetch_begin(&stat->syncp); + start = u64_stats_fetch_begin_bh(&stat->syncp); v = stat->cnt; - } while (u64_stats_fetch_retry(&stat->syncp, start)); + } while (u64_stats_fetch_retry_bh(&stat->syncp, start)); return v; } @@ -508,9 +508,9 @@ static inline struct blkg_rwstat blkg_rwstat_read(struct blkg_rwstat *rwstat) struct blkg_rwstat tmp; do { - start = u64_stats_fetch_begin(&rwstat->syncp); + start = u64_stats_fetch_begin_bh(&rwstat->syncp); tmp = *rwstat; - } while (u64_stats_fetch_retry(&rwstat->syncp, start)); + } while (u64_stats_fetch_retry_bh(&rwstat->syncp, start)); return tmp; } -- cgit v1.2.3 From c170bbb45febc03ac4d34ba2b8bb55e06104b7e7 Mon Sep 17 00:00:00 2001 From: Kent Overstreet Date: Sun, 24 Nov 2013 16:32:22 -0700 Subject: block: submit_bio_wait() conversions It was being open coded in a few places. Signed-off-by: Kent Overstreet Cc: Jens Axboe Cc: Joern Engel Cc: Prasad Joshi Cc: Neil Brown Cc: Chris Mason Acked-by: NeilBrown Signed-off-by: Jens Axboe --- block/blk-flush.c | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) (limited to 'block') diff --git a/block/blk-flush.c b/block/blk-flush.c index 331e627301ea..fb6f3c0ffa49 100644 --- a/block/blk-flush.c +++ b/block/blk-flush.c @@ -502,15 +502,6 @@ void blk_abort_flushes(struct request_queue *q) } } -static void bio_end_flush(struct bio *bio, int err) -{ - if (err) - clear_bit(BIO_UPTODATE, &bio->bi_flags); - if (bio->bi_private) - complete(bio->bi_private); - bio_put(bio); -} - /** * blkdev_issue_flush - queue a flush * @bdev: blockdev to issue flush for @@ -526,7 +517,6 @@ static void bio_end_flush(struct bio *bio, int err) int blkdev_issue_flush(struct block_device *bdev, gfp_t gfp_mask, sector_t *error_sector) { - DECLARE_COMPLETION_ONSTACK(wait); struct request_queue *q; struct bio *bio; int ret = 0; @@ -548,13 +538,9 @@ int blkdev_issue_flush(struct block_device *bdev, gfp_t gfp_mask, return -ENXIO; bio = bio_alloc(gfp_mask, 0); - bio->bi_end_io = bio_end_flush; bio->bi_bdev = bdev; - bio->bi_private = &wait; - bio_get(bio); - submit_bio(WRITE_FLUSH, bio); - wait_for_completion_io(&wait); + ret = submit_bio_wait(WRITE_FLUSH, bio); /* * The driver must store the error location in ->bi_sector, if @@ -564,9 +550,6 @@ int blkdev_issue_flush(struct block_device *bdev, gfp_t gfp_mask, if (error_sector) *error_sector = bio->bi_sector; - if (!bio_flagged(bio, BIO_UPTODATE)) - ret = -EIO; - bio_put(bio); return ret; } -- cgit v1.2.3 From 959a35f13eb785f982d79b1aaa75872d05c821da Mon Sep 17 00:00:00 2001 From: Jeff Moyer Date: Tue, 3 Dec 2013 14:23:00 -0700 Subject: blk-mq: fix dereference of rq->mq_ctx if allocation fails If __GFP_WAIT isn't set and we fail allocating, when we go to drop the reference on the ctx, we will attempt to dereference the NULL rq. Fix that. Signed-off-by: Jeff Moyer Signed-off-by: Jens Axboe --- block/blk-mq.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'block') diff --git a/block/blk-mq.c b/block/blk-mq.c index cdc629cf075b..70fd6f996600 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -202,10 +202,12 @@ static struct request *blk_mq_alloc_request_pinned(struct request_queue *q, if (rq) { blk_mq_rq_ctx_init(q, ctx, rq, rw); break; - } else if (!(gfp & __GFP_WAIT)) - break; + } blk_mq_put_ctx(ctx); + if (!(gfp & __GFP_WAIT)) + break; + __blk_mq_run_hw_queue(hctx); blk_mq_wait_for_tags(hctx->tags); } while (1); @@ -222,7 +224,8 @@ struct request *blk_mq_alloc_request(struct request_queue *q, int rw, return NULL; rq = blk_mq_alloc_request_pinned(q, rw, gfp, reserved); - blk_mq_put_ctx(rq->mq_ctx); + if (rq) + blk_mq_put_ctx(rq->mq_ctx); return rq; } @@ -235,7 +238,8 @@ struct request *blk_mq_alloc_reserved_request(struct request_queue *q, int rw, return NULL; rq = blk_mq_alloc_request_pinned(q, rw, gfp, true); - blk_mq_put_ctx(rq->mq_ctx); + if (rq) + blk_mq_put_ctx(rq->mq_ctx); return rq; } EXPORT_SYMBOL(blk_mq_alloc_reserved_request); -- cgit v1.2.3 From 0d11e6aca396e679c07b2dd6af5dc8b7f041fbbd Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Thu, 5 Dec 2013 10:50:39 -0700 Subject: blk-mq: fix use-after-free of request If accounting is on, we will do the IO completion accounting after we have freed the request. Fix that by moving it sooner instead. Signed-off-by: Jens Axboe --- block/blk-mq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'block') diff --git a/block/blk-mq.c b/block/blk-mq.c index 70fd6f996600..c79126e11030 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -312,12 +312,12 @@ void blk_mq_complete_request(struct request *rq, int error) blk_account_io_completion(rq, bytes); + blk_account_io_done(rq); + if (rq->end_io) rq->end_io(rq, error); else blk_mq_free_request(rq); - - blk_account_io_done(rq); } void __blk_mq_end_io(struct request *rq, int error) -- cgit v1.2.3