Commit 6ef88c97 authored Jun 07, 2023 by Li Nan Committed by openeuler-sync-bot Jun 07, 2023

block: fix null-pointer dereference in ioc_pd_init

hulk inclusion
category: bugfix
bugzilla: 188044, https://gitee.com/openeuler/kernel/issues/I64SY5


CVE: NA

--------------------------------

Remove block device when iocost is initializing may cause
null-pointer dereference:

	CPU1				   CPU2
  ioc_qos_write
   blkcg_conf_open_bdev
    blkdev_get_no_open
     kobject_get_unless_zero
    blk_iocost_init
     rq_qos_add
  					blk_cleanup_queue
  					 rq_qos_exit
  					  q->rq_qos = rqos->next
  					   //iocost is removed from q->roqs
      blkcg_activate_policy
       pd_init_fn
        ioc_pd_init
  	 ioc = q_to_ioc(blkg->q)
 	  //can't find iocost and return null

Fix problem by moving rq_qos_exit() to blk_release_queue().
ioc_qos_write() get bd_device.kobj in blkcg_conf_open_bdev(), so
blk_release_queue() will not be activated until iocost initialization is
complited.

Fixes: 7caa4715 ("blkcg: implement blk-iocost")

Conflict:
	block/blk-core.c
	commit 4134b635 ("Revert "block: fix null-deref in percpu_ref_put"")
	changed context, which does not affect this patch.

Signed-off-by: Li Nan <linan122@huawei.com>
(cherry picked from commit 2b9719ee)

parent b8e1d215

block/blk-core.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -402,8 +402,6 @@ void blk_cleanup_queue(struct request_queue *q)
		*/
		blk_freeze_queue(q);

		rq_qos_exit(q);

		blk_queue_flag_set(QUEUE_FLAG_DEAD, q);

		/* for synchronous bio-based driver finish in-flight integrity i/o */

block/blk-sysfs.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -792,6 +792,8 @@ static void blk_release_queue(struct kobject *kobj)

		blk_free_queue_stats(q->stats);

		rq_qos_exit(q);

		blk_exit_queue(q);

		blk_queue_free_zone_bitmaps(q);