Re: [PATCH 3/3] Make blk_cleanup_queue() wait until request_fn finished

On Thu, Sep 27, 2012 at 9:39 AM, Bart Van Assche <bvanassche@xxxxxxx> wrote:
> Some request_fn implementations, e.g. scsi_request_fn(), unlock
> the queue lock. Make sure that blk_cleanup_queue() waits until all
> active request_fn invocations have finished. This fixes a potential
> use-after-free at the end of scsi_request_fn().
>
> Reported-by: Chanho Min <chanho.min@xxxxxxx>
> Cc: James Bottomley <JBottomley@xxxxxxxxxxxxx>
> Cc: Mike Christie <michaelc@xxxxxxxxxxx>
> Cc: Jens Axboe <axboe@xxxxxxxxx>
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
> ---
>  block/blk-core.c        |    7 +++++--
>  drivers/scsi/scsi_lib.c |   10 +---------
>  include/linux/blkdev.h  |    5 +++++
>  3 files changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/block/blk-core.c b/block/blk-core.c
> index b5436b6..e41b291 100644
> --- a/block/blk-core.c
> +++ b/block/blk-core.c
> @@ -308,7 +308,9 @@ void __blk_run_queue_uncond(struct request_queue *q)
>         if (unlikely(blk_queue_dead(q)))
>                 return;
>
> +       q->request_fn_active++;
>         q->request_fn(q);
> +       q->request_fn_active--;
>  }
>
>  /**
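
Review bot: the plain q->request_fn_active++ and q->request_fn_active-- around q->request_fn(q) are only correct if the queue lock is held at both points, and the commit message says scsi_request_fn() unlocks it in between. Please state next to the counter that it is protected by the queue lock and that every request_fn must return with the lock reacquired. The blkdev.h hunk that declares the field is not part of this quote, so that rule cannot be checked from the lines shown here.
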
> @@ -407,6 +409,7 @@ void blk_drain_queue(struct request_queue *q, bool drain_all)
>                         __blk_run_queue(q);
>
>                 drain |= q->nr_rqs_elvpriv;
> +               drain |= q->request_fn_active;
>
>                 /*
>                  * Unfortunately, requests are queued at and tracked from
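
Review bot: the added drain |= q->request_fn_active; line carries no comment saying why a running request_fn counts as undrained. A one-line comment tying it to request_fn implementations that unlock the queue lock, the case named in the commit message, would make it clear that this is the check the use-after-free fix depends on.
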
> @@ -494,8 +497,8 @@ EXPORT_SYMBOL_GPL(blk_queue_bypass_end);
>   * blk_cleanup_queue - shutdown a request queue
>   * @q: request queue to shutdown
>   *
> - * Mark @q DEAD, drain all pending requests, destroy and put it.  All
> - * future requests will be failed immediately with -ENODEV.
> + * Mark @q as dying, drain all pending requests, mark @q as dead, destroy and
> + * put it.  All future requests will be failed immediately with -ENODEV.
>   */
>  void blk_cleanup_queue(struct request_queue *q)
>  {
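
Review bot: the updated kernel-doc for blk_cleanup_queue() describes the dying/dead sequence but not the guarantee this patch adds, that the function waits until active request_fn invocations have finished. Since that wait is what the fix relies on, add a sentence to the comment saying so.
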
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index 593fc71..03571a3 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -1517,10 +1517,6 @@ static void scsi_request_fn(struct request_queue *q)
>         struct scsi_cmnd *cmd;
>         struct request *req;
>
> -       if(!get_device(&sdev->sdev_gendev))
> -               /* We must be tearing the block queue down already */
> -               return;
> -
>         /*
>          * To start with, we keep looping until the queue is empty, or until
>          * the host is no longer able to accept any more requests.
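
Review bot: with the get_device() guard removed from the top of scsi_request_fn(), nothing in the function says what keeps sdev valid while it runs. Add a comment here noting that the lifetime now depends on blk_cleanup_queue() waiting for request_fn_active to drop to zero, so that a later change to the drain logic does not silently bring back the use-after-free.
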
> @@ -1629,11 +1625,7 @@ out_delay:
>         if (sdev->device_busy == 0)
>                 blk_delay_queue(q, SCSI_QUEUE_DELAY);
>  out:
> -       /* must be careful here...if we trigger the ->remove() function
> -        * we cannot be holding the q lock */
> -       spin_unlock_irq(q->queue_lock);
> -       put_device(&sdev->sdev_gendev);
> -       spin_lock_irq(q->queue_lock);
> +       ;

Any reason to keep this "out:" label now that it has no effect?

--
Dan