The q->id is used as an index within the blkg_tree radix tree.
If the entry is not released before reclaiming the blk_queue_ida's id
blkcg_init_queue() within a different driver from which this id
was originally for can fail due to the entry at that index within
the radix tree already existing.
Signed-off-by: Alexandru Moise <[email protected]>
---
block/blk-cgroup.c | 2 +-
block/blk-sysfs.c | 4 ++++
include/linux/blk-cgroup.h | 2 ++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 1c16694ae145..224e937dbb59 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -369,7 +369,7 @@ static void blkg_destroy(struct blkcg_gq *blkg)
*
* Destroy all blkgs associated with @q.
*/
-static void blkg_destroy_all(struct request_queue *q)
+void blkg_destroy_all(struct request_queue *q)
{
struct blkcg_gq *blkg, *n;
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index d00d1b0ec109..a72866458f22 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -816,6 +816,10 @@ static void __blk_release_queue(struct work_struct *work)
if (q->bio_split)
bioset_free(q->bio_split);
+ spin_lock_irq(q->queue_lock);
+ blkg_destroy_all(q);
+ spin_unlock_irq(q->queue_lock);
+
ida_simple_remove(&blk_queue_ida, q->id);
call_rcu(&q->rcu_head, blk_free_queue_rcu);
}
diff --git a/include/linux/blk-cgroup.h b/include/linux/blk-cgroup.h
index 6c666fd7de3c..4470fdb6ea8f 100644
--- a/include/linux/blk-cgroup.h
+++ b/include/linux/blk-cgroup.h
@@ -179,6 +179,8 @@ struct blkcg_gq *blkg_lookup_create(struct blkcg *blkcg,
int blkcg_init_queue(struct request_queue *q);
void blkcg_drain_queue(struct request_queue *q);
void blkcg_exit_queue(struct request_queue *q);
+void blkg_destroy_all(struct request_queue *q);
+
/* Blkio controller policy registration */
int blkcg_policy_register(struct blkcg_policy *pol);
--
2.16.3
Hi Alexandru,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on block/for-next]
[also build test ERROR on v4.16 next-20180406]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Alexandru-Moise/blk-cgroup-remove-entries-in-blkg_tree-before-queue-release/20180407-035957
base: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-next
config: x86_64-randconfig-x001-201813 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
block/blk-sysfs.c: In function '__blk_release_queue':
>> block/blk-sysfs.c:820:2: error: implicit declaration of function 'blkg_destroy_all'; did you mean 'blk_stat_add'? [-Werror=implicit-function-declaration]
blkg_destroy_all(q);
^~~~~~~~~~~~~~~~
blk_stat_add
cc1: some warnings being treated as errors
vim +820 block/blk-sysfs.c
770
771 /**
772 * __blk_release_queue - release a request queue when it is no longer needed
773 * @work: pointer to the release_work member of the request queue to be released
774 *
775 * Description:
776 * blk_release_queue is the counterpart of blk_init_queue(). It should be
777 * called when a request queue is being released; typically when a block
778 * device is being de-registered. Its primary task it to free the queue
779 * itself.
780 *
781 * Notes:
782 * The low level driver must have finished any outstanding requests first
783 * via blk_cleanup_queue().
784 *
785 * Although blk_release_queue() may be called with preemption disabled,
786 * __blk_release_queue() may sleep.
787 */
788 static void __blk_release_queue(struct work_struct *work)
789 {
790 struct request_queue *q = container_of(work, typeof(*q), release_work);
791
792 if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
793 blk_stat_remove_callback(q, q->poll_cb);
794 blk_stat_free_callback(q->poll_cb);
795
796 blk_free_queue_stats(q->stats);
797
798 blk_exit_rl(q, &q->root_rl);
799
800 if (q->queue_tags)
801 __blk_queue_free_tags(q);
802
803 if (!q->mq_ops) {
804 if (q->exit_rq_fn)
805 q->exit_rq_fn(q, q->fq->flush_rq);
806 blk_free_flush_queue(q->fq);
807 } else {
808 blk_mq_release(q);
809 }
810
811 blk_trace_shutdown(q);
812
813 if (q->mq_ops)
814 blk_mq_debugfs_unregister(q);
815
816 if (q->bio_split)
817 bioset_free(q->bio_split);
818
819 spin_lock_irq(q->queue_lock);
> 820 blkg_destroy_all(q);
821 spin_unlock_irq(q->queue_lock);
822
823 ida_simple_remove(&blk_queue_ida, q->id);
824 call_rcu(&q->rcu_head, blk_free_queue_rcu);
825 }
826
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Hi Alexandru,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on block/for-next]
[also build test ERROR on v4.16 next-20180406]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Alexandru-Moise/blk-cgroup-remove-entries-in-blkg_tree-before-queue-release/20180407-035957
base: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-next
config: c6x-evmc6678_defconfig (attached as .config)
compiler: c6x-elf-gcc (GCC) 7.2.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=c6x
All errors (new ones prefixed by >>):
block/blk-sysfs.c: In function '__blk_release_queue':
>> block/blk-sysfs.c:820:2: error: implicit declaration of function 'blkg_destroy_all'; did you mean 'irq_destroy_ipi'? [-Werror=implicit-function-declaration]
blkg_destroy_all(q);
^~~~~~~~~~~~~~~~
irq_destroy_ipi
cc1: some warnings being treated as errors
vim +820 block/blk-sysfs.c
770
771 /**
772 * __blk_release_queue - release a request queue when it is no longer needed
773 * @work: pointer to the release_work member of the request queue to be released
774 *
775 * Description:
776 * blk_release_queue is the counterpart of blk_init_queue(). It should be
777 * called when a request queue is being released; typically when a block
778 * device is being de-registered. Its primary task it to free the queue
779 * itself.
780 *
781 * Notes:
782 * The low level driver must have finished any outstanding requests first
783 * via blk_cleanup_queue().
784 *
785 * Although blk_release_queue() may be called with preemption disabled,
786 * __blk_release_queue() may sleep.
787 */
788 static void __blk_release_queue(struct work_struct *work)
789 {
790 struct request_queue *q = container_of(work, typeof(*q), release_work);
791
792 if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
793 blk_stat_remove_callback(q, q->poll_cb);
794 blk_stat_free_callback(q->poll_cb);
795
796 blk_free_queue_stats(q->stats);
797
798 blk_exit_rl(q, &q->root_rl);
799
800 if (q->queue_tags)
801 __blk_queue_free_tags(q);
802
803 if (!q->mq_ops) {
804 if (q->exit_rq_fn)
805 q->exit_rq_fn(q, q->fq->flush_rq);
806 blk_free_flush_queue(q->fq);
807 } else {
808 blk_mq_release(q);
809 }
810
811 blk_trace_shutdown(q);
812
813 if (q->mq_ops)
814 blk_mq_debugfs_unregister(q);
815
816 if (q->bio_split)
817 bioset_free(q->bio_split);
818
819 spin_lock_irq(q->queue_lock);
> 820 blkg_destroy_all(q);
821 spin_unlock_irq(q->queue_lock);
822
823 ida_simple_remove(&blk_queue_ida, q->id);
824 call_rcu(&q->rcu_head, blk_free_queue_rcu);
825 }
826
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation