Re: [PATCH 09/14] blk-mq: Move duplicating code to blk_mq_exit_hctx()

From: Omar Sandoval
Date: Mon Sep 19 2016 - 13:57:26 EST


On Sun, Sep 18, 2016 at 09:37:19AM +0200, Alexander Gordeev wrote:
> CC: linux-block@xxxxxxxxxxxxxxx
> Signed-off-by: Alexander Gordeev <agordeev@xxxxxxxxxx>
> ---
> block/blk-mq.c | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 3efb700..cd32a08 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -1678,6 +1678,10 @@ static void blk_mq_exit_hctx(struct request_queue *q,
> blk_mq_unregister_cpu_notifier(&hctx->cpu_notifier);
> blk_free_flush_queue(hctx->fq);
> blk_mq_free_bitmap(&hctx->ctx_map);
> +
> + free_cpumask_var(hctx->cpumask);
> + kfree(hctx->ctxs);
> + kfree(hctx);
> }
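Review bot: blk_mq_exit_hctx() now takes over freeing the hctx itself (the three added lines at the end of the hunk), but nothing at the function records that the pointer is dead once it returns; a comment above the new `free_cpumask_var(hctx->cpumask);` such as `/* hctx is freed here; callers must not touch it after this returns. */` would make the ownership transfer visible to the callers this series is consolidating. The hunk shows only the tail of blk_mq_exit_hctx(); its start and the rest of its body are outside the hunk, so the kernel-doc or header comment, if any, is not visible here and may also need the same note.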
>
> static void blk_mq_exit_hw_queues(struct request_queue *q,
> @@ -1686,12 +1690,8 @@ static void blk_mq_exit_hw_queues(struct request_queue *q,
> struct blk_mq_hw_ctx *hctx;
> unsigned int i;
>
> - queue_for_each_hw_ctx(q, hctx, i) {
> + queue_for_each_hw_ctx(q, hctx, i)
> blk_mq_exit_hctx(q, set, hctx, i);
> - free_cpumask_var(hctx->cpumask);
> - kfree(hctx->ctxs);
> - kfree(hctx);
> - }
>
> q->nr_hw_queues = 0;
> }
> @@ -2018,12 +2018,8 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
> set->tags[j] = NULL;
> }
> blk_mq_exit_hctx(q, set, hctx, j);
> - free_cpumask_var(hctx->cpumask);
> kobject_put(&hctx->kobj);

Now this hctx->kobj will be a use-after-free since we just kfreed hctx
in blk_mq_exit_hctx().

> - kfree(hctx->ctxs);
> - kfree(hctx);
> hctxs[j] = NULL;
> -
> }
> }
> q->nr_hw_queues = i;
> --
> 1.8.3.1
>

--
Omar