Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d50235b7 authored by Jianpeng Ma's avatar Jianpeng Ma Committed by Jens Axboe
Browse files

elevator: Fix a race in elevator switching 



There's a race between elevator switching and normal io operation.
    Because the allocation of struct elevator_queue and struct elevator_data
    don't in a atomic operation.So there are have chance to use NULL
    ->elevator_data.
    For example:
        Thread A:                               Thread B
        blk_queu_bio                            elevator_switch
        spin_lock_irq(q->queue_block)           elevator_alloc
        elv_merge                               elevator_init_fn

    Because call elevator_alloc, it can't hold queue_lock and the
    ->elevator_data is NULL.So at the same time, threadA call elv_merge and
    nedd some info of elevator_data.So the crash happened.

    Move the elevator_alloc into func elevator_init_fn, it make the
    operations in a atomic operation.

    Using the follow method can easy reproduce this bug
    1:dd if=/dev/sdb of=/dev/null
    2:while true;do echo noop > scheduler;echo deadline > scheduler;done

    The test method also use this method.

Signed-off-by: default avatarJianpeng Ma <majianpeng@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent a6b3f761

block/cfq-iosched.c

+14 −3
Original line number Original line Diff line number Diff line
@@ -4347,18 +4347,28 @@ static void cfq_exit_queue(struct elevator_queue *e) 
	kfree(cfqd);

	kfree(cfqd);

}

}





static int cfq_init_queue(struct request_queue *q)

static int cfq_init_queue(struct request_queue *q, struct elevator_type *e)

{

{

	struct cfq_data *cfqd;

	struct cfq_data *cfqd;

	struct blkcg_gq *blkg __maybe_unused;

	struct blkcg_gq *blkg __maybe_unused;

	int i, ret;

	int i, ret;

	struct elevator_queue *eq;



	eq = elevator_alloc(q, e);

	if (!eq)

		return -ENOMEM;





	cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO, q->node);

	cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO, q->node);

	if (!cfqd)

	if (!cfqd) {

		kobject_put(&eq->kobj);

		return -ENOMEM;

		return -ENOMEM;

	}

	eq->elevator_data = cfqd;





	cfqd->queue = q;

	cfqd->queue = q;

	q->elevator->elevator_data = cfqd;

	spin_lock_irq(q->queue_lock);

	q->elevator = eq;

	spin_unlock_irq(q->queue_lock);





	/* Init root service tree */

	/* Init root service tree */

	cfqd->grp_service_tree = CFQ_RB_ROOT;

	cfqd->grp_service_tree = CFQ_RB_ROOT;
@@ -4433,6 +4443,7 @@ static int cfq_init_queue(struct request_queue *q) 




out_free:

out_free:

	kfree(cfqd);

	kfree(cfqd);

	kobject_put(&eq->kobj);

	return ret;

	return ret;

}

}

block/deadline-iosched.c

+13 −3
Original line number Original line Diff line number Diff line
@@ -337,13 +337,21 @@ static void deadline_exit_queue(struct elevator_queue *e) 
/*

/*

 * initialize elevator private data (deadline_data).

 * initialize elevator private data (deadline_data).

 */

 */

static int deadline_init_queue(struct request_queue *q)

static int deadline_init_queue(struct request_queue *q, struct elevator_type *e)

{

{

	struct deadline_data *dd;

	struct deadline_data *dd;

	struct elevator_queue *eq;



	eq = elevator_alloc(q, e);

	if (!eq)

		return -ENOMEM;





	dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO, q->node);

	dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO, q->node);

	if (!dd)

	if (!dd) {

		kobject_put(&eq->kobj);

		return -ENOMEM;

		return -ENOMEM;

	}

	eq->elevator_data = dd;





	INIT_LIST_HEAD(&dd->fifo_list[READ]);

	INIT_LIST_HEAD(&dd->fifo_list[READ]);

	INIT_LIST_HEAD(&dd->fifo_list[WRITE]);

	INIT_LIST_HEAD(&dd->fifo_list[WRITE]);
@@ -355,7 +363,9 @@ static int deadline_init_queue(struct request_queue *q) 
	dd->front_merges = 1;

	dd->front_merges = 1;

	dd->fifo_batch = fifo_batch;

	dd->fifo_batch = fifo_batch;





	q->elevator->elevator_data = dd;

	spin_lock_irq(q->queue_lock);

	q->elevator = eq;

	spin_unlock_irq(q->queue_lock);

	return 0;

	return 0;

}

}

block/elevator.c

+5 −20
Original line number Original line Diff line number Diff line
@@ -150,7 +150,7 @@ void __init load_default_elevator_module(void) 




static struct kobj_type elv_ktype;

static struct kobj_type elv_ktype;





static struct elevator_queue *elevator_alloc(struct request_queue *q,

struct elevator_queue *elevator_alloc(struct request_queue *q,

				  struct elevator_type *e)

				  struct elevator_type *e)

{

{

	struct elevator_queue *eq;

	struct elevator_queue *eq;
@@ -170,6 +170,7 @@ static struct elevator_queue *elevator_alloc(struct request_queue *q, 
	elevator_put(e);

	elevator_put(e);

	return NULL;

	return NULL;

}

}

EXPORT_SYMBOL(elevator_alloc);





static void elevator_release(struct kobject *kobj)

static void elevator_release(struct kobject *kobj)

{

{
@@ -221,16 +222,7 @@ int elevator_init(struct request_queue *q, char *name) 
		}

		}

	}

	}





	q->elevator = elevator_alloc(q, e);

	err = e->ops.elevator_init_fn(q, e);

	if (!q->elevator)

		return -ENOMEM;



	err = e->ops.elevator_init_fn(q);

	if (err) {

		kobject_put(&q->elevator->kobj);

		return err;

	}



	return 0;

	return 0;

}

}

EXPORT_SYMBOL(elevator_init);

EXPORT_SYMBOL(elevator_init);
@@ -935,16 +927,9 @@ static int elevator_switch(struct request_queue *q, struct elevator_type *new_e) 
	spin_unlock_irq(q->queue_lock);

	spin_unlock_irq(q->queue_lock);





	/* allocate, init and register new elevator */

	/* allocate, init and register new elevator */

	err = -ENOMEM;

	err = new_e->ops.elevator_init_fn(q, new_e);

	q->elevator = elevator_alloc(q, new_e);

	if (err)

	if (!q->elevator)

		goto fail_init;



	err = new_e->ops.elevator_init_fn(q);

	if (err) {

		kobject_put(&q->elevator->kobj);

		goto fail_init;

		goto fail_init;

	}





	if (registered) {

	if (registered) {

		err = elv_register_queue(q);

		err = elv_register_queue(q);

block/noop-iosched.c

+14 −3
Original line number Original line Diff line number Diff line
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq) 
	return list_entry(rq->queuelist.next, struct request, queuelist);

	return list_entry(rq->queuelist.next, struct request, queuelist);

}

}





static int noop_init_queue(struct request_queue *q)

static int noop_init_queue(struct request_queue *q, struct elevator_type *e)

{

{

	struct noop_data *nd;

	struct noop_data *nd;

	struct elevator_queue *eq;



	eq = elevator_alloc(q, e);

	if (!eq)

		return -ENOMEM;





	nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);

	nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);

	if (!nd)

	if (!nd) {

		kobject_put(&eq->kobj);

		return -ENOMEM;

		return -ENOMEM;

	}

	eq->elevator_data = nd;





	INIT_LIST_HEAD(&nd->queue);

	INIT_LIST_HEAD(&nd->queue);

	q->elevator->elevator_data = nd;



	spin_lock_irq(q->queue_lock);

	q->elevator = eq;

	spin_unlock_irq(q->queue_lock);

	return 0;

	return 0;

}

}

include/linux/elevator.h

+5 −1
Original line number Original line Diff line number Diff line
@@ -7,6 +7,7 @@ 
#ifdef CONFIG_BLOCK

#ifdef CONFIG_BLOCK





struct io_cq;

struct io_cq;

struct elevator_type;





typedef int (elevator_merge_fn) (struct request_queue *, struct request **,

typedef int (elevator_merge_fn) (struct request_queue *, struct request **,

				 struct bio *);

				 struct bio *);
@@ -35,7 +36,8 @@ typedef void (elevator_put_req_fn) (struct request *); 
typedef void (elevator_activate_req_fn) (struct request_queue *, struct request *);

typedef void (elevator_activate_req_fn) (struct request_queue *, struct request *);

typedef void (elevator_deactivate_req_fn) (struct request_queue *, struct request *);

typedef void (elevator_deactivate_req_fn) (struct request_queue *, struct request *);





typedef int (elevator_init_fn) (struct request_queue *);

typedef int (elevator_init_fn) (struct request_queue *,

				struct elevator_type *e);

typedef void (elevator_exit_fn) (struct elevator_queue *);

typedef void (elevator_exit_fn) (struct elevator_queue *);





struct elevator_ops

struct elevator_ops
@@ -155,6 +157,8 @@ extern int elevator_init(struct request_queue *, char *); 
extern void elevator_exit(struct elevator_queue *);

extern void elevator_exit(struct elevator_queue *);

extern int elevator_change(struct request_queue *, const char *);

extern int elevator_change(struct request_queue *, const char *);

extern bool elv_rq_merge_ok(struct request *, struct bio *);

extern bool elv_rq_merge_ok(struct request *, struct bio *);

extern struct elevator_queue *elevator_alloc(struct request_queue *,

					struct elevator_type *);





/*

/*

 * Helper functions.

 * Helper functions.