linux/block
Tejun Heo 523e1d399c block: make gendisk hold a reference to its queue
The following command sequence triggers an oops.

# mount /dev/sdb1 /mnt
# echo 1 > /sys/class/scsi_device/0\:0\:1\:0/device/delete
# umount /mnt

 general protection fault: 0000 [#1] PREEMPT SMP
 CPU 2
 Modules linked in:

 Pid: 791, comm: umount Not tainted 3.1.0-rc3-work+ #8 Bochs Bochs
 RIP: 0010:[<ffffffff810d0879>]  [<ffffffff810d0879>] __lock_acquire+0x389/0x1d60
...
 Call Trace:
  [<ffffffff810d2845>] lock_acquire+0x95/0x140
  [<ffffffff81aed87b>] _raw_spin_lock+0x3b/0x50
  [<ffffffff811573bc>] bdi_lock_two+0x5c/0x70
  [<ffffffff811c2f6c>] bdev_inode_switch_bdi+0x4c/0xf0
  [<ffffffff811c3fcb>] __blkdev_put+0x11b/0x1d0
  [<ffffffff811c4010>] __blkdev_put+0x160/0x1d0
  [<ffffffff811c40df>] blkdev_put+0x5f/0x190
  [<ffffffff8118f18d>] kill_block_super+0x4d/0x80
  [<ffffffff8118f4a5>] deactivate_locked_super+0x45/0x70
  [<ffffffff8119003a>] deactivate_super+0x4a/0x70
  [<ffffffff811ac4ad>] mntput_no_expire+0xed/0x130
  [<ffffffff811acf2e>] sys_umount+0x7e/0x3a0
  [<ffffffff81aeeeab>] system_call_fastpath+0x16/0x1b

This is because bdev holds on to disk but disk doesn't pin the
associated queue.  If a SCSI device is removed while the device is
still open, the sdev puts the base reference to the queue on release.
When the bdev is finally released, the associated queue is already
gone along with the bdi and bdev_inode_switch_bdi() ends up
dereferencing already freed bdi.

Even if it were not for this bug, disk not holding onto the associated
queue is very unusual and error-prone.

Fix it by making add_disk() take an extra reference to its queue and
put it on disk_release() and ensuring that disk and its fops owner are
put in that order after all accesses to the disk and queue are
complete.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2011-10-19 14:31:07 +02:00
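The lifetime bug the commit message describes, replayed as an added toy model in C. This is not kernel code and is not from this tree: the `toy_*` functions, the embedded `live` flags and the `fixed` switch are assumptions introduced here so the stale access can be observed as a return value instead of an oops. "Freeing" only marks the object dead; memory is released at the end so the dangling read stays defined in the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the object lifetimes in the commit message: bdev pins the
 * disk, the sdev owns the queue's base reference, the bdi is embedded in
 * the queue. Only reference counting is modelled. */
struct backing_dev_info { bool live; };

struct request_queue {
	int refs;
	bool live;
	struct backing_dev_info bdi;   /* embedded bdi, dies with the queue */
};

struct gendisk {
	int refs;
	bool live;
	bool holds_queue_ref;          /* the fix: disk pins its queue */
	struct request_queue *queue;
};

static struct request_queue *toy_blk_alloc_queue(void)
{
	struct request_queue *q = calloc(1, sizeof(*q));
	q->refs = 1;                   /* base reference, owned by the sdev */
	q->live = true;
	q->bdi.live = true;
	return q;
}

static void toy_blk_get_queue(struct request_queue *q) { q->refs++; }

static void toy_blk_put_queue(struct request_queue *q)
{
	if (--q->refs == 0) {
		q->live = false;       /* the kernel frees queue and bdi here */
		q->bdi.live = false;
	}
}

static struct gendisk *toy_alloc_disk(void)
{
	struct gendisk *d = calloc(1, sizeof(*d));
	d->refs = 1;                   /* driver's reference */
	d->live = true;
	return d;
}

static void toy_add_disk(struct gendisk *d, struct request_queue *q, bool fixed)
{
	d->queue = q;
	d->holds_queue_ref = fixed;
	if (fixed)
		toy_blk_get_queue(q);  /* extra reference taken by add_disk() */
}

static void toy_get_disk(struct gendisk *d) { d->refs++; }

static void toy_put_disk(struct gendisk *d)
{
	if (--d->refs == 0) {
		d->live = false;       /* disk_release() */
		if (d->holds_queue_ref)
			toy_blk_put_queue(d->queue); /* queue ref put in disk_release() */
	}
}

/* Replays mount / sdev delete / umount. Returns true if umount's final
 * blkdev_put saw a live bdi, false if it touched an already-dead one. */
static bool replay_hotunplug_while_mounted(bool fixed)
{
	struct request_queue *q = toy_blk_alloc_queue();
	struct gendisk *disk = toy_alloc_disk();
	bool bdi_live;

	toy_add_disk(disk, q, fixed);

	/* mount /dev/sdb1: the opened bdev pins the disk, not the queue */
	toy_get_disk(disk);

	/* echo 1 > .../device/delete: driver drops its disk reference and
	 * the sdev drops the queue's base reference on release */
	toy_put_disk(disk);
	toy_blk_put_queue(q);

	/* umount: __blkdev_put() -> bdev_inode_switch_bdi() reads the bdi
	 * through disk->queue; this is the dereference that faulted */
	bdi_live = disk->queue->bdi.live;
	toy_put_disk(disk);            /* bdev's reference; last put -> disk_release() */

	free(disk);
	free(q);
	return bdi_live;
}

int main(void)
{
	printf("unfixed: bdi %s at umount\n",
	       replay_hotunplug_while_mounted(false) ? "live" : "freed");
	printf("fixed:   bdi %s at umount\n",
	       replay_hotunplug_while_mounted(true) ? "live" : "freed");
	return 0;
}
```

With `fixed` false the queue hits zero while the bdev still holds the disk, so umount reads a dead bdi; with `fixed` true the queue outlives the disk and is only dropped from the model's `disk_release()` path, which is the ordering the commit establishes.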
blk-cgroup.c blk-cgroup: be able to remove the record of unplugged device 2011-09-21 10:22:10 +02:00
blk-cgroup.h cfq-iosched: Make IO merge related stats per cpu 2011-05-23 10:02:19 +02:00
blk-core.c Merge branch 'v3.1-rc10' into for-3.2/core 2011-10-19 14:30:42 +02:00
blk-exec.c [SCSI] fix crash in scsi_dispatch_cmd() 2011-07-21 14:21:18 -07:00
blk-flush.c block: fix flush machinery for stacking drivers with differing flush flags 2011-08-15 21:37:25 +02:00
blk-integrity.c dm: improve block integrity support 2011-04-05 23:52:43 +02:00
blk-ioc.c Merge branch 'for-linus' into for-3.1/core 2011-07-01 16:17:13 +02:00
blk-iopoll.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
blk-lib.c block: fix patch import error in max_discard_sectors check 2011-07-23 20:34:59 +02:00
blk-map.c block: check for proper length of iov entries earlier in blk_rq_map_user_iov() 2010-11-29 10:04:50 +01:00
blk-merge.c block: attempt to merge with existing requests on plug flush 2011-03-21 10:14:27 +01:00
blk-settings.c block: Fix discard topology stacking and reporting 2011-05-18 10:37:35 +02:00
blk-softirq.c block: Don't check QUEUE_FLAG_SAME_COMP in __blk_complete_request 2011-09-14 09:31:01 +02:00
blk-sysfs.c Merge branch 'v3.1-rc10' into for-3.2/core 2011-10-19 14:30:42 +02:00
blk-tag.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
blk-throttle.c blk-throttle: correctly determine sync bio 2011-08-01 10:31:06 +02:00
blk-timeout.c fault-injection: add ability to export fault_attr in arbitrary directory 2011-08-03 14:25:20 -10:00
blk.h block: fix flush machinery for stacking drivers with differing flush flags 2011-08-15 21:37:25 +02:00
bsg-lib.c bsg-lib: add module.h include 2011-08-02 10:43:35 +02:00
bsg.c bsg: fix address space warning from sparse 2011-06-20 13:27:45 +02:00
cfq-iosched.c block: separate priority boosting from REQ_META 2011-08-23 14:50:29 +02:00
cfq.h blk-cgroup: Add unaccounted time to timeslice_used. 2011-03-12 16:54:00 +01:00
compat_ioctl.c compat_ioctl: fix warning caused by qemu 2011-07-01 22:32:26 +02:00
deadline-iosched.c iosched: prevent aliased requests from starving other I/O 2011-06-02 21:19:05 +02:00
elevator.c elevator: use ELV_NAME_MAX instead of magic number 16 for chosen_elevator 2011-09-12 08:59:20 +02:00
genhd.c block: make gendisk hold a reference to its queue 2011-10-19 14:31:07 +02:00
ioctl.c block: fix refcounting in BLKBSZSET 2011-02-24 08:54:21 -08:00
Kconfig block: add bsg helper library 2011-07-31 22:05:09 +02:00
Kconfig.iosched blk-cgroup: config options re-arrangement 2010-04-26 19:27:56 +02:00
Makefile block: add bsg helper library 2011-07-31 22:05:09 +02:00
noop-iosched.c block: remove per-queue plugging 2011-03-10 08:52:07 +01:00
scsi_ioctl.c block: take care not to overflow when calculating total iov length 2010-11-10 14:40:42 +01:00