linux/block
Mike Snitzer 7982e90c3a block: fix q->flush_rq NULL pointer crash on dm-mpath flush
Commit 1874198 ("blk-mq: rework flush sequencing logic") switched
->flush_rq from being an embedded member of the request_queue structure
to being dynamically allocated in blk_init_queue_node().

Request-based DM multipath doesn't use blk_init_queue_node(), instead it
uses blk_alloc_queue_node() + blk_init_allocated_queue().  Because
commit 1874198 placed the dynamic allocation of ->flush_rq in
blk_init_queue_node() any flush issued to a dm-mpath device would crash
with a NULL pointer, e.g.:

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff8125037e>] blk_rq_init+0x1e/0xb0
PGD bb3c7067 PUD bb01d067 PMD 0
Oops: 0002 [#1] SMP
...
CPU: 5 PID: 5028 Comm: dt Tainted: G        W  O 3.14.0-rc3.snitm+ #10
...
task: ffff88032fb270e0 ti: ffff880079564000 task.ti: ffff880079564000
RIP: 0010:[<ffffffff8125037e>]  [<ffffffff8125037e>] blk_rq_init+0x1e/0xb0
RSP: 0018:ffff880079565c98  EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000030
RDX: ffff880260c74048 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff880079565ca8 R08: ffff880260aa1e98 R09: 0000000000000001
R10: ffff88032fa78500 R11: 0000000000000246 R12: 0000000000000000
R13: ffff880260aa1de8 R14: 0000000000000650 R15: 0000000000000000
FS:  00007f8d36a2a700(0000) GS:ffff88033fca0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000079b36000 CR4: 00000000000007e0
Stack:
 0000000000000000 ffff880260c74048 ffff880079565cd8 ffffffff81257a47
 ffff880260aa1de8 ffff880260c74048 0000000000000001 0000000000000000
 ffff880079565d08 ffffffff81257c2d 0000000000000000 ffff880260aa1de8
Call Trace:
 [<ffffffff81257a47>] blk_flush_complete_seq+0x2d7/0x2e0
 [<ffffffff81257c2d>] blk_insert_flush+0x1dd/0x210
 [<ffffffff8124ec59>] __elv_add_request+0x1f9/0x320
 [<ffffffff81250681>] ? blk_account_io_start+0x111/0x190
 [<ffffffff81253a4b>] blk_queue_bio+0x25b/0x330
 [<ffffffffa0020bf5>] dm_request+0x35/0x40 [dm_mod]
 [<ffffffff812530c0>] generic_make_request+0xc0/0x100
 [<ffffffff81253173>] submit_bio+0x73/0x140
 [<ffffffff811becdd>] submit_bio_wait+0x5d/0x80
 [<ffffffff81257528>] blkdev_issue_flush+0x78/0xa0
 [<ffffffff811c1f6f>] blkdev_fsync+0x3f/0x60
 [<ffffffff811b7fde>] vfs_fsync_range+0x1e/0x20
 [<ffffffff811b7ffc>] vfs_fsync+0x1c/0x20
 [<ffffffff811b81f1>] do_fsync+0x41/0x80
 [<ffffffff8118874e>] ? SyS_lseek+0x7e/0x80
 [<ffffffff811b8260>] SyS_fsync+0x10/0x20
 [<ffffffff8154c2d2>] system_call_fastpath+0x16/0x1b

Fix this by moving the ->flush_rq allocation from blk_init_queue_node()
to blk_init_allocated_queue().  blk_init_queue_node() also calls
blk_init_allocated_queue() so this change is functionally equivalent
for all blk_init_queue_node() callers.

Reported-by: Hannes Reinecke <hare@suse.de>
Reported-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2014-03-08 17:20:01 -07:00
partitions block/partitions/efi.c: fix bound check 2013-11-21 16:42:27 -08:00
blk-cgroup.c Merge branch 'for-3.12/core' of git://git.kernel.dk/linux-block 2013-09-22 15:00:11 -07:00
blk-cgroup.h Update of blkg_stat and blkg_rwstat may happen in bh context. 2013-11-20 15:33:04 -07:00
blk-core.c block: fix q->flush_rq NULL pointer crash on dm-mpath flush 2014-03-08 17:20:01 -07:00
blk-exec.c blk-mq: merge blk_mq_insert_request and blk_mq_run_request 2014-02-21 08:58:48 -08:00
blk-flush.c blk-mq: merge blk_mq_insert_request and blk_mq_run_request 2014-02-21 08:58:48 -08:00
blk-integrity.c bio-integrity: Convert to bvec_iter 2013-11-23 22:33:50 -08:00
blk-ioc.c block: cleanup removing dependency on bootmem headers 2013-11-08 19:43:48 -07:00
blk-iopoll.c block: Replace __get_cpu_var uses 2013-11-08 08:59:58 -07:00
blk-lib.c block: add cond_resched() to potentially long running ioctl discard loop 2014-02-12 09:36:37 -07:00
blk-map.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
blk-merge.c block: Explicitly handle discard/write same segments 2014-02-07 13:54:08 -07:00
blk-mq-cpu.c rt,blk,mq: Make blk_mq_cpu_notify_lock a raw spinlock 2014-03-03 09:34:10 -07:00
blk-mq-cpumap.c blk-mq: new multi-queue block IO queueing mechanism 2013-10-25 11:56:00 +01:00
blk-mq-sysfs.c block: fix memory leaks on unplugging block device 2013-12-06 09:18:02 -07:00
blk-mq-tag.c Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2014-02-14 10:45:18 -08:00
blk-mq-tag.h blk-mq: new multi-queue block IO queueing mechanism 2013-10-25 11:56:00 +01:00
blk-mq.c blk-mq: add REQ_SYNC early 2014-03-07 08:15:28 -07:00
blk-mq.h blk-mq: merge blk_mq_insert_request and blk_mq_run_request 2014-02-21 08:58:48 -08:00
blk-settings.c bcache/md: Use raid stripe size 2014-01-08 13:05:09 -08:00
blk-softirq.c kernel: remove CONFIG_USE_GENERIC_SMP_HELPERS 2013-11-15 09:32:22 +09:00
blk-sysfs.c blk-mq: rework flush sequencing logic 2014-02-10 09:29:00 -07:00
blk-tag.c block: Reserve only one queue tag for sync IO if only 3 tags are available 2013-06-28 21:32:27 +02:00
blk-throttle.c Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
blk-timeout.c blk-mq: rework I/O completions 2014-02-10 09:27:31 -07:00
blk.h block: __elv_next_request() shouldn't call into the elevator if bypassing 2014-01-30 12:57:25 -07:00
bsg-lib.c bsg: Remove unused function bsg_goose_queue() 2012-12-06 14:33:02 +01:00
bsg.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
cfq-iosched.c cgroup: replace cftype->read_seq_string() with cftype->seq_show() 2013-12-05 12:28:04 -05:00
cmdline-parser.c block: remove unrelated header files and export symbol 2014-01-21 20:18:26 -08:00
compat_ioctl.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2013-09-11 15:58:18 -07:00
deadline-iosched.c block: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node(...) 2013-09-11 13:22:03 -06:00
elevator.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
genhd.c block: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node(...) 2013-09-11 13:22:03 -06:00
ioctl.c block: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO 2013-11-08 09:05:31 -07:00
Kconfig block: change config option name for cmdline partition parsing 2013-09-30 14:31:02 -07:00
Kconfig.iosched blkcg: make CONFIG_BLK_CGROUP bool 2012-03-06 21:27:21 +01:00
Makefile blk-mq: new multi-queue block IO queueing mechanism 2013-10-25 11:56:00 +01:00
noop-iosched.c elevator: Fix a race in elevator switching 2013-07-03 13:25:24 +02:00
partition-generic.c Revert "loop: cleanup partitions when detaching loop device" 2013-04-08 10:12:11 +02:00
scsi_ioctl.c block: Fix memory leak in rw_copy_check_uvector() handling 2014-01-21 20:36:17 -08:00