On Mon, Feb 09, 2015 at 04:42:49PM +0300, Konstantin Khlebnikov wrote: > Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC. > In cfq_find_alloc_queue() possible allocation failure is not handled. > As a result kernel oopses on NULL pointer dereference when > cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer. > > Bug was introduced in v3.5 in commit cd1604fab4f9 ("blkcg: factor > out blkio_group creation"). Prior to that commit cfq group lookup > had returned pointer to root group as fallback. > > This patch handles this error using existing fallback oom_cfqq. > > Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx> > --- > block/cfq-iosched.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) Looks good to me. Thanks for the patch. Acked-by: Vivek Goyal <vgoyal@xxxxxxxxxx> Vivek > > diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c > index 6f2751d..01898a4 100644 > --- a/block/cfq-iosched.c > +++ b/block/cfq-iosched.c > @@ -3590,6 +3590,11 @@ retry: > > blkcg = bio_blkcg(bio); > cfqg = cfq_lookup_create_cfqg(cfqd, blkcg); > + if (!cfqg) { > + cfqq = &cfqd->oom_cfqq; > + goto out; > + } > + > cfqq = cic_to_cfqq(cic, is_sync); > > /* > @@ -3626,7 +3631,7 @@ retry: > } else > cfqq = &cfqd->oom_cfqq; > } > - > +out: > if (new_cfqq) > kmem_cache_free(cfq_pool, new_cfqq); > -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
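Review bot: in the first hunk (`@@ -3590`) the new `if (!cfqg)` branch jumps straight to `out:` with `cfqq = &cfqd->oom_cfqq;`, which matches the existing `else cfqq = &cfqd->oom_cfqq;` fallback shown in the second hunk, so the two failure paths end on the same queue; a one-line comment above the check saying that a NULL `cfqg` means the GFP_ATOMIC blkcg_gq allocation in `cfq_lookup_create_cfqg()` failed would help the next reader, since nothing at this call site otherwise explains why the group can be missing, and this is exactly the spot that previously oopsed on the NULL dereference.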
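Review bot: in the second hunk (`@@ -3626`) the `out:` label sits before `if (new_cfqq) kmem_cache_free(cfq_pool, new_cfqq);` rather than after it, which is the right placement: a `new_cfqq` allocated on an earlier pass through `retry:` must still be freed when the group lookup fails on a later pass, otherwise the new fallback path would leak it. The reason for the label position is not obvious from the code alone, so a sentence in the commit message (or a short comment at the label) noting that the early exit deliberately keeps the `new_cfqq` cleanup would save the next reviewer the same check.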