2015-06-04 14:39:25

by Ming Lei

[permalink] [raw]
Subject: [RFC PATCH] blk-mq: fix failure case of blk_mq_init_allocated_queue

Generally blk_cleanup_queue() is called for cleaning up
the request queue, just like what blk_mq_init_queue() does,
so blk_mq_init_allocated_queue() should return failue
simply in case blk_mq_init_hw_queues() fails, otherwise
double-free may be triggered.

Cc: Mike Snitzer <[email protected]>
Signed-off-by: Ming Lei <[email protected]>
---
Mike, DM may need to follow the rule, otherwise
the request queue can't be reused after failure is
returned from blk_mq_init_allocated_queue() since
both wrong queue type and memory leak can be caused .

Or do blk_mq_init_allocated_queue() need to recover
the queue to previous state in case of failure?

block/blk-mq.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 594eea0..d68b1a3 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1732,11 +1732,8 @@ static int blk_mq_init_hw_queues(struct request_queue *q,
if (i == q->nr_hw_queues)
return 0;

- /*
- * Init failed
- */
- blk_mq_exit_hw_queues(q, set, i);
-
+ /* Let blk_cleanup_queue() handle the partial initialization */
+ q->nr_hw_queues = i;
return 1;
}

@@ -1920,6 +1917,10 @@ struct request_queue *blk_mq_init_queue(struct blk_mq_tag_set *set)
}
EXPORT_SYMBOL(blk_mq_init_queue);

+/*
+ * In case of failure returned from this function,
+ * blk_cleanup_queue() has to be called for cleanup.
+ */
struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
struct request_queue *q)
{
@@ -2004,8 +2005,9 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,

blk_mq_init_cpu_queues(q, set->nr_hw_queues);

+ /* blk_cleanup_queue() will handle the failure */
if (blk_mq_init_hw_queues(q, set))
- goto err_hctxs;
+ return ERR_PTR(-ENOMEM);

mutex_lock(&all_q_mutex);
list_add_tail(&q->all_q_node, &all_q_list);
--
1.9.1