Merge "BACKPORT: blk-mq: fix is_flush_rq"

	spin_unlock_irqrestore(&fq->mq_flush_lock, flags);

}

bool is_flush_rq(struct request *rq)

{

	return rq->end_io == flush_end_io;

}

/**

 * blk_kick_flush - consider issuing flush request

 * @q: request_queue being kicked

	bool reserved;

};

static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags,

		unsigned int bitnr)

{

	struct request *rq;

	unsigned long flags;

	struct ext_blk_mq_tags *etags;

	etags = container_of(tags, struct ext_blk_mq_tags, tags);

	spin_lock_irqsave(&etags->lock, flags);

	rq = tags->rqs[bitnr];

	if (!rq || !refcount_inc_not_zero(&rq->ref))

		rq = NULL;

	spin_unlock_irqrestore(&etags->lock, flags);

	return rq;

}

static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)

{

	struct bt_iter_data *iter_data = data;

	struct blk_mq_tags *tags = hctx->tags;

	bool reserved = iter_data->reserved;

	struct request *rq;

	bool ret = true;

	if (!reserved)

		bitnr += tags->nr_reserved_tags;

	rq = tags->rqs[bitnr];

	/*

	 * We can hit rq == NULL here, because the tagging functions

	 * test and set the bit before assigning ->rqs[].

	 */

	if (rq && rq->q == hctx->queue)

		return iter_data->fn(hctx, rq, iter_data->data, reserved);

	rq = blk_mq_find_and_get_req(tags, bitnr);

	if (!rq)

		return true;

	if (rq->q == hctx->queue && rq->mq_hctx == hctx)

		ret = iter_data->fn(hctx, rq, iter_data->data, reserved);

	blk_mq_put_rq_ref(rq);

	return ret;

}

/**

	struct blk_mq_tags *tags = iter_data->tags;

	bool reserved = iter_data->reserved;

	struct request *rq;

	bool ret = true;

	if (!reserved)

		bitnr += tags->nr_reserved_tags;

	 * We can hit rq == NULL here, because the tagging functions

	 * test and set the bit before assining ->rqs[].

	 */

	rq = tags->rqs[bitnr];

	if (rq && blk_mq_request_started(rq))

		return iter_data->fn(rq, iter_data->data, reserved);

	rq = blk_mq_find_and_get_req(tags, bitnr);

	if (!rq)

		return true;

	if (blk_mq_request_started(rq))

		ret = iter_data->fn(rq, iter_data->data, reserved);

	blk_mq_put_rq_ref(rq);

	return ret;

}

/**

 *		indicates whether or not @rq is a reserved request. Return

 *		true to continue iterating tags, false to stop.

 * @priv:	Will be passed as second argument to @fn.

 *

 * We grab one request reference before calling @fn and release it after

 * @fn returns.

 */

void blk_mq_tagset_busy_iter(struct blk_mq_tag_set *tagset,

		busy_tag_iter_fn *fn, void *priv)

				     int node, int alloc_policy)

{

	struct blk_mq_tags *tags;

	struct ext_blk_mq_tags *etags;

	if (total_tags > BLK_MQ_TAG_MAX) {

		pr_err("blk-mq: tag depth too large\n");

		return NULL;

	}

	tags = kzalloc_node(sizeof(*tags), GFP_KERNEL, node);

	if (!tags)

	etags = kzalloc_node(sizeof(*etags), GFP_KERNEL, node);

	if (!etags)

		return NULL;

	tags = &etags->tags;

	tags->nr_tags = total_tags;

	tags->nr_reserved_tags = reserved_tags;

	spin_lock_init(&etags->lock);

	return blk_mq_init_bitmap_tags(tags, node, alloc_policy);

}

	struct list_head page_list;

};

/*

 * Extended tag address space map. This was needed

 * to add a spinlock to blk_mq_tags in a KMI compliant

 * way (no changes could be made to struct blk_mq_tags).

 */

struct ext_blk_mq_tags {

	struct blk_mq_tags tags;

	 /*

	  * used to clear request reference in rqs[] before freeing one

	  * request pool

	  */

	spinlock_t lock;

};

extern struct blk_mq_tags *blk_mq_init_tags(unsigned int nr_tags, unsigned int reserved_tags, int node, int alloc_policy);

extern void blk_mq_free_tags(struct blk_mq_tags *tags);

	return false;

}

void blk_mq_put_rq_ref(struct request *rq)

{

	if (is_flush_rq(rq))

		rq->end_io(rq, 0);

	else if (refcount_dec_and_test(&rq->ref))

		__blk_mq_free_request(rq);

}

static bool blk_mq_check_expired(struct blk_mq_hw_ctx *hctx,

		struct request *rq, void *priv, bool reserved)

{

	if (blk_mq_req_expired(rq, next))

		blk_mq_rq_timed_out(rq, reserved);

	if (is_flush_rq(rq, hctx))

		rq->end_io(rq, 0);

	else if (refcount_dec_and_test(&rq->ref))

		__blk_mq_free_request(rq);

	blk_mq_put_rq_ref(rq);

	return true;

}

	}

}

static size_t order_to_size(unsigned int order)

{

	return (size_t)PAGE_SIZE << order;

}

/* called before freeing request pool in @tags */

static void blk_mq_clear_rq_mapping(struct blk_mq_tag_set *set,

		struct blk_mq_tags *tags, unsigned int hctx_idx)

{

	struct blk_mq_tags *drv_tags = set->tags[hctx_idx];

	struct ext_blk_mq_tags *drv_etags;

	struct page *page;

	unsigned long flags;

	list_for_each_entry(page, &tags->page_list, lru) {

		unsigned long start = (unsigned long)page_address(page);

		unsigned long end = start + order_to_size(page->private);

		int i;

		for (i = 0; i < set->queue_depth; i++) {

			struct request *rq = drv_tags->rqs[i];

			unsigned long rq_addr = (unsigned long)rq;

			if (rq_addr >= start && rq_addr < end) {

				WARN_ON_ONCE(refcount_read(&rq->ref) != 0);

				cmpxchg(&drv_tags->rqs[i], rq, NULL);

			}

		}

	}

	/*

	 * Wait until all pending iteration is done.

	 *

	 * Request reference is cleared and it is guaranteed to be observed

	 * after the ->lock is released.

	 */

	drv_etags = container_of(drv_tags, struct ext_blk_mq_tags, tags);

	spin_lock_irqsave(&drv_etags->lock, flags);

	spin_unlock_irqrestore(&drv_etags->lock, flags);

}

static blk_qc_t blk_mq_make_request(struct request_queue *q, struct bio *bio)

{

	const int is_sync = op_is_sync(bio->bi_opf);

		}

	}

	blk_mq_clear_rq_mapping(set, tags, hctx_idx);

	while (!list_empty(&tags->page_list)) {

		page = list_first_entry(&tags->page_list, struct page, lru);

		list_del_init(&page->lru);

	return tags;

}

static size_t order_to_size(unsigned int order)

{

	return (size_t)PAGE_SIZE << order;

}

static int blk_mq_init_request(struct blk_mq_tag_set *set, struct request *rq,

			       unsigned int hctx_idx, int node)

{

					    &hctx->cpuhp_dead);

}

/*

 * Before freeing hw queue, clearing the flush request reference in

 * tags->rqs[] for avoiding potential UAF.

 */

static void blk_mq_clear_flush_rq_mapping(struct blk_mq_tags *tags,

		unsigned int queue_depth, struct request *flush_rq)

{

	int i;

	unsigned long flags;

	struct ext_blk_mq_tags *etags;

	/* The hw queue may not be mapped yet */

	if (!tags)

		return;

	WARN_ON_ONCE(refcount_read(&flush_rq->ref) != 0);

	for (i = 0; i < queue_depth; i++)

		cmpxchg(&tags->rqs[i], flush_rq, NULL);

	/*

	 * Wait until all pending iteration is done.

	 *

	 * Request reference is cleared and it is guaranteed to be observed

	 * after the ->lock is released.

	 */

	etags = container_of(tags, struct ext_blk_mq_tags, tags);

	spin_lock_irqsave(&etags->lock, flags);

	spin_unlock_irqrestore(&etags->lock, flags);

}

/* hctx->ctxs will be freed in queue's release handler */

static void blk_mq_exit_hctx(struct request_queue *q,

		struct blk_mq_tag_set *set,

		struct blk_mq_hw_ctx *hctx, unsigned int hctx_idx)

{

	struct request *flush_rq = hctx->fq->flush_rq;

	if (blk_mq_hw_queue_mapped(hctx))

		blk_mq_tag_idle(hctx);

	blk_mq_clear_flush_rq_mapping(set->tags[hctx_idx],

			set->queue_depth, flush_rq);

	if (set->ops->exit_request)

		set->ops->exit_request(set, hctx->fq->flush_rq, hctx_idx);

		set->ops->exit_request(set, flush_rq, hctx_idx);

	if (set->ops->exit_hctx)

		set->ops->exit_hctx(hctx, hctx_idx);

bool blk_mq_get_driver_tag(struct request *rq);

struct request *blk_mq_dequeue_from_ctx(struct blk_mq_hw_ctx *hctx,

					struct blk_mq_ctx *start);

void blk_mq_put_rq_ref(struct request *rq);

/*

 * Internal helpers for allocating/freeing the request map