To avoid a circular reference, do not grab a device model reference
to the gendisk for each blkg, but just the lower level inode reference
preventing the memory from beeing freed.
This means blkg freeing and pd_free need to be careful to not rely
on anything torn down in disk_release.
Fixes: c43332fe028c ("blk-cgroup: delay calling blkcg_exit_disk until disk_release")
Reported-by: Ming Lei <ming.lei@xxxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
---
block/blk-cgroup.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 935028912e7abf..9e7e48c8fa47ae 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -136,7 +136,7 @@ static void blkg_free_workfn(struct work_struct *work)
list_del_init(&blkg->entry);
mutex_unlock(&blkg->disk->blkcg_mutex);
- put_disk(blkg->disk);
+ iput(blkg->disk->part0->bd_inode);
free_percpu(blkg->iostat_cpu);
percpu_ref_exit(&blkg->refcnt);
kfree(blkg);
@@ -264,9 +264,15 @@ static struct blkcg_gq *blkg_alloc(struct blkcg *blkcg, struct gendisk *disk,
if (!blkg->iostat_cpu)
goto out_exit_refcnt;
+ /*
+ * Grab a reference the part0 inode, which keeps the memory backing the
+ * gendisk from beeing released and safe for use in ->pd_free instead of
+ * the full fledged device model reference because the blkgs are only
+ * released in disk_release and would thus create circular references.
+ */
if (test_bit(GD_DEAD, &disk->state))
goto out_free_iostat;
- get_device(disk_to_dev(disk));
+ igrab(disk->part0->bd_inode);
blkg->disk = disk;
INIT_LIST_HEAD(&blkg->entry);
@@ -304,7 +310,7 @@ static struct blkcg_gq *blkg_alloc(struct blkcg *blkcg, struct gendisk *disk,
while (--i >= 0)
if (blkg->pd[i])
blkcg_policy[i]->pd_free_fn(blkg->pd[i]);
- put_disk(blkg->disk);
+ iput(blkg->disk->part0->bd_inode);
out_free_iostat:
free_percpu(blkg->iostat_cpu);
out_exit_refcnt:
--
2.39.1
