Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp5846323ybn; Sun, 29 Sep 2019 07:00:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqzWFA7dE+QMq18CqiSIdxTSh/1Fv9QkRjR9DXOWTACTQLoz/8FyuOt7Etk7//sm46Mv0Vm/ X-Received: by 2002:a50:ac0d:: with SMTP id v13mr14549549edc.189.1569765643227; Sun, 29 Sep 2019 07:00:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569765643; cv=none; d=google.com; s=arc-20160816; b=A2ImXoh0h/MdP8ry99tvsak7mLH7rb+eL6ZoviZiLGiWpceEHmBD23d1OVot7p47Rs dYkH2ZIiWFgcSRjRBJxdPMtFKm9D6ACWMpKkiCcLh9e7JOLiNLQWrdcHgb/Sn4eHsjM9 px4p+clWc8IpPD8oD0UAJ9wfWTnf+uo5eSk3TNqVLpvFXhxcHLYtQKDryasukJdz+9mH yTelRPK8YBwCyFquEkly31sFtzTA1VeGAuzBGdrtKxWLKsfaEm9yp9wftJEPPU4O4hD0 oIVLZc/umwS54qexdC3YK5E785/yimaKqIXQU52qcqO2v3P/uHoKHI/cdRYrYweUHiBP aaFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=rOBOtFOhu1eUsWV7aPB9UNSVRLhPBSca0fwZMiIunr0=; b=jrtJV8RqUQ/Qd8lFFdjr9VN6YPtT1QHbV1164gXQJLGMUHhSx5CmL21z3M2zIyEZB0 YK69DmaHleDgagSI+nLfX96tkcABZzNlNNVbNqHyY91iQ0gb25MnxHoZB9sSB4mNSVtt yx6owijDNet74Bsq1W2NCNGu4CguwMt3dGqARhrVbe4HFULpOc1eEvaUmnCiPXD5Qwlm 0ZgFT7I2ygozNEvlP/J3gHPhKPLKMXrsSBP02cPvrkjAbx7HW04fIj5rfoVggv0bLekq 5s4jQmvFuTbOJZgF0RUWws4IU6JryBD84uF+eXGtP/gFCqwFSn9Sn6e+SvsBku2RIMWF MgJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JNU6Zakc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i33si5464286eda.205.2019.09.29.07.00.19; Sun, 29 Sep 2019 07:00:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JNU6Zakc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729622AbfI2N7A (ORCPT + 99 others); Sun, 29 Sep 2019 09:59:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:39900 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729614AbfI2N65 (ORCPT ); Sun, 29 Sep 2019 09:58:57 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 93A5221835; Sun, 29 Sep 2019 13:58:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569765537; bh=0vs7MKP/u+n+bqQbFXLZ3o3kg6UDGOoJgE5xJnQoLTg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JNU6ZakcpsH2dzJk1+2pWfdNguUlNMVH4CCJW9tlglnNETM7AMgH0AFAcvH9V0V+0 lmAIlJwKCj/NFMxLjULmb72GGjjvYTbizUi0IlXcHc0ZCuRbJIVaLSwr+W1Jly43AC aPA3E+IiWNfkJMhNndhhtXZnFmTWBb00bdih+phc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ming Lei , zhengbin , Jens Axboe , Sasha Levin Subject: [PATCH 4.19 49/63] blk-mq: move cancel of requeue_work to the front of blk_exit_queue Date: Sun, 29 Sep 2019 15:54:22 +0200 Message-Id: <20190929135039.979179041@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190929135031.382429403@linuxfoundation.org> References: <20190929135031.382429403@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: zhengbin [ Upstream commit e26cc08265dda37d2acc8394604f220ef412299d ] blk_exit_queue will free elevator_data, while blk_mq_requeue_work will access it. Move cancel of requeue_work to the front of blk_exit_queue to avoid use-after-free. blk_exit_queue blk_mq_requeue_work __elevator_exit blk_mq_run_hw_queues blk_mq_exit_sched blk_mq_run_hw_queue dd_exit_queue blk_mq_hctx_has_pending kfree(elevator_data) blk_mq_sched_has_work dd_has_work Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release") Cc: stable@vger.kernel.org Reviewed-by: Ming Lei Signed-off-by: zhengbin Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- block/blk-mq.c | 2 -- block/blk-sysfs.c | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 9dfafee65bce2..7ea85ec52026e 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2461,8 +2461,6 @@ void blk_mq_release(struct request_queue *q) struct blk_mq_hw_ctx *hctx; unsigned int i; - cancel_delayed_work_sync(&q->requeue_work); - /* hctx kobj stays in hctx */ queue_for_each_hw_ctx(q, hctx, i) { if (!hctx) diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index 3772671cf2bc5..bab47a17b96f4 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -836,6 +836,9 @@ static void __blk_release_queue(struct work_struct *work) blk_free_queue_stats(q->stats); + if (q->mq_ops) + cancel_delayed_work_sync(&q->requeue_work); + blk_exit_rl(q, &q->root_rl); if (q->queue_tags) -- 2.20.1