Commit a723bab3 authored Sep 27, 2015 by Akinobu Mita Committed by Jens Axboe Sep 29, 2015

blk-mq: Fix use after of free q->mq_map



CPU hotplug handling for blk-mq (blk_mq_queue_reinit) updates
q->mq_map by blk_mq_update_queue_map() for all request queues in
all_q_list.  On the other hand, q->mq_map is released before deleting
the queue from all_q_list.

So if CPU hotplug event occurs in the window, invalid memory access
can happen.  Fix it by releasing q->mq_map in blk_mq_release() to make
it happen latter than removal from all_q_list.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Suggested-by: Ming Lei <tom.leiming@gmail.com>
Reviewed-by: Ming Lei <tom.leiming@gmail.com>
Cc: Ming Lei <tom.leiming@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>

parent 4593fdbe

block/blk-mq.c

+3 −5

Original line number	Diff line number	Diff line
		@@ -1925,6 +1925,9 @@ void blk_mq_release(struct request_queue *q)
		kfree(hctx);
		}

		kfree(q->mq_map);
		q->mq_map = NULL;

		kfree(q->queue_hw_ctx);

		/* ctx kobj stays in queue_ctx */
		@@ -2070,11 +2073,6 @@ void blk_mq_free_queue(struct request_queue *q)
		blk_mq_free_hw_queues(q, set);

		percpu_ref_exit(&q->mq_usage_counter);

		kfree(q->mq_map);

		q->mq_map = NULL;

		mutex_lock(&all_q_mutex);
		list_del_init(&q->all_q_node);
		mutex_unlock(&all_q_mutex);