Commit 7ad58c02 authored by Jens Axboe

block: fix use-after-free bug in blk throttle code

blk_throtl_exit() frees the throttle data hanging off the queue
in blk_cleanup_queue(), but blk_put_queue() will indirectly
dereference this data when calling blk_sync_queue() which in
turn calls throtl_shutdown_timer_wq().

Fix this by moving the freeing of the throttle data to when
the queue is truly being released, and post the call to
blk_sync_queue().

Reported-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
parent 7f388396
...@@ -462,8 +462,6 @@ void blk_cleanup_queue(struct request_queue *q) ...@@ -462,8 +462,6 @@ void blk_cleanup_queue(struct request_queue *q)
if (q->elevator) if (q->elevator)
elevator_exit(q->elevator); elevator_exit(q->elevator);
blk_throtl_exit(q);
blk_put_queue(q); blk_put_queue(q);
} }
EXPORT_SYMBOL(blk_cleanup_queue); EXPORT_SYMBOL(blk_cleanup_queue);
......
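Review bot: With blk_throtl_exit(q) dropped from between elevator_exit(q->elevator) and blk_put_queue(q), nothing in blk_cleanup_queue() records why throttle teardown is deliberately absent, so a later cleanup could reintroduce the use-after-free by putting it back. A one-line comment above blk_put_queue(q) saying the throttle data must outlive blk_sync_queue() and is freed in blk_release_queue() would help. Since the throttle data now outlives the elevator, it is also worth confirming that throttle work still pending at this point cannot reach q->elevator after elevator_exit().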
...@@ -471,6 +471,8 @@ static void blk_release_queue(struct kobject *kobj) ...@@ -471,6 +471,8 @@ static void blk_release_queue(struct kobject *kobj)
blk_sync_queue(q); blk_sync_queue(q);
blk_throtl_exit(q);
if (rl->rq_pool) if (rl->rq_pool)
mempool_destroy(rl->rq_pool); mempool_destroy(rl->rq_pool);
......
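Review bot: The new blk_throtl_exit(q) is only correct because it sits after blk_sync_queue(q), and that ordering is not stated anywhere in blk_release_queue(). Please add a comment tying the two calls together (the commit message says blk_sync_queue() reaches throtl_shutdown_timer_wq(), which dereferences the throttle data), so the free is not later hoisted above the sync. Because this is the kobject release path, please also confirm that blk_throtl_exit() tolerates a queue whose throttle data was never set up; that handling is not visible in this hunk.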