• Ming Lei's avatar
    blk-mq: always free hctx after request queue is freed · 2f8f1336
    Ming Lei authored
    In normal queue cleanup path, hctx is released after request queue
    is freed, see blk_mq_release().
    
    However, in __blk_mq_update_nr_hw_queues(), hctx may be freed because
    of hw queues shrinking. This way is easy to cause use-after-free,
    because: one implicit rule is that it is safe to call almost all block
    layer APIs if the request queue is alive; and one hctx may be retrieved
    by one API, then the hctx can be freed by blk_mq_update_nr_hw_queues();
    finally use-after-free is triggered.
    
    Fixes this issue by always freeing hctx after releasing request queue.
    If some hctxs are removed in blk_mq_update_nr_hw_queues(), introduce
    a per-queue list to hold them, then try to resuse these hctxs if numa
    node is matched.
    
    Cc: Dongli Zhang <dongli.zhang@oracle.com>
    Cc: James Smart <james.smart@broadcom.com>
    Cc: Bart Van Assche <bart.vanassche@wdc.com>
    Cc: linux-scsi@vger.kernel.org,
    Cc: Martin K . Petersen <martin.petersen@oracle.com>,
    Cc: Christoph Hellwig <hch@lst.de>,
    Cc: James E . J . Bottomley <jejb@linux.vnet.ibm.com>,
    Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
    Tested-by: default avatarJames Smart <james.smart@broadcom.com>
    Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
    Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
    2f8f1336
blkdev.h 50.8 KB