[PATCH] blk-mq: initialize request before the 1st allocation

From: Ming Lei
Date: Wed Sep 17 2014 - 09:00:34 EST

Next message: Neil Horman: "[PATCH 1/2] 3c59x: Add dma error checking and recovery"
Previous message: Neil Horman: "Re: bisected regression: 3c59x corrupts packets in 3.17-rc5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Otherwise the request can be accessed from timeout handler
just after its 1st allocation from tag pool and before
initialization in blk_mq_rq_ctx_init(), so cause oops since
the request is filled up with garbage data.

Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxxxxx>
---
block/blk-mq.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 4aac826..d24673f 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -514,6 +514,10 @@ struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
{
struct request *rq = tags->rqs[tag];

+ /* uninitialized request */
+ if (!rq->q || rq->tag == -1)
+ return rq;
+
if (!is_flush_request(rq, tag))
return rq;

@@ -1401,6 +1405,12 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
left -= to_do * rq_size;
for (j = 0; j < to_do; j++) {
tags->rqs[i] = p;
+
+ /* Avoiding early access from timeout handler */
+ tags->rqs[i]->tag = -1;
+ tags->rqs[i]->q = NULL;
+ tags->rqs[i]->cmd_flags = 0;
+
if (set->ops->init_request) {
if (set->ops->init_request(set->driver_data,
tags->rqs[i], hctx_idx, i,
--
1.7.9.5

--
Ming Lei
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Neil Horman: "[PATCH 1/2] 3c59x: Add dma error checking and recovery"
Previous message: Neil Horman: "Re: bisected regression: 3c59x corrupts packets in 3.17-rc5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]