tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'block-6.2-2022-12-19' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:

- Various fixes for BFQ (Yu, Yuwei)

- Fix for loop command line parsing (Isaac)

- No need to specifically clear REQ_ALLOC_CACHE on IOPOLL downgrade
anymore (me)

- blk-iocost enum fix for newer gcc (Jiri)

- UAF fix for queue release (Ming)

- blk-iolatency error handling memory leak fix (Tejun)

* tag 'block-6.2-2022-12-19' of git://git.kernel.dk/linux:
block: don't clear REQ_ALLOC_CACHE for non-polled requests
block: fix use-after-free of q->q_usage_counter
block, bfq: only do counting of pending-request for BFQ_GROUP_IOSCHED
blk-iolatency: Fix memory leak on add_disk() failures
loop: Fix the max_loop commandline argument treatment when it is set to 0
block/blk-iocost (gcc13): keep large values in a new enum
block, bfq: replace 0/1 with false/true in bic apis
block, bfq: don't return bfqg from __bfq_bic_change_cgroup()
block, bfq: fix possible uaf for 'bfqq->bic'

Linus Torvalds 569c3a28 5d4740fc

+47 -38
+7 -9
block/bfq-cgroup.c
··· 724 724 * sure that the reference to cgroup is valid across the call (see 725 725 * comments in bfq_bic_update_cgroup on this issue) 726 726 */ 727 - static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, 728 - struct bfq_io_cq *bic, 729 - struct bfq_group *bfqg) 727 + static void __bfq_bic_change_cgroup(struct bfq_data *bfqd, 728 + struct bfq_io_cq *bic, 729 + struct bfq_group *bfqg) 730 730 { 731 - struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0); 732 - struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1); 731 + struct bfq_queue *async_bfqq = bic_to_bfqq(bic, false); 732 + struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, true); 733 733 struct bfq_entity *entity; 734 734 735 735 if (async_bfqq) { 736 736 entity = &async_bfqq->entity; 737 737 738 738 if (entity->sched_data != &bfqg->sched_data) { 739 - bic_set_bfqq(bic, NULL, 0); 739 + bic_set_bfqq(bic, NULL, false); 740 740 bfq_release_process_ref(bfqd, async_bfqq); 741 741 } 742 742 } ··· 772 772 */ 773 773 bfq_put_cooperator(sync_bfqq); 774 774 bfq_release_process_ref(bfqd, sync_bfqq); 775 - bic_set_bfqq(bic, NULL, 1); 775 + bic_set_bfqq(bic, NULL, true); 776 776 } 777 777 } 778 778 } 779 - 780 - return bfqg; 781 779 } 782 780 783 781 void bfq_bic_update_cgroup(struct bfq_io_cq *bic, struct bio *bio)
+10 -3
block/bfq-iosched.c
··· 386 386 387 387 void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync) 388 388 { 389 + struct bfq_queue *old_bfqq = bic->bfqq[is_sync]; 390 + 391 + /* Clear bic pointer if bfqq is detached from this bic */ 392 + if (old_bfqq && old_bfqq->bic == bic) 393 + old_bfqq->bic = NULL; 394 + 389 395 /* 390 396 * If bfqq != NULL, then a non-stable queue merge between 391 397 * bic->bfqq and bfqq is happening here. This causes troubles ··· 3114 3108 /* 3115 3109 * Merge queues (that is, let bic redirect its requests to new_bfqq) 3116 3110 */ 3117 - bic_set_bfqq(bic, new_bfqq, 1); 3111 + bic_set_bfqq(bic, new_bfqq, true); 3118 3112 bfq_mark_bfqq_coop(new_bfqq); 3119 3113 /* 3120 3114 * new_bfqq now belongs to at least two bics (it is a shared queue): ··· 5317 5311 unsigned long flags; 5318 5312 5319 5313 spin_lock_irqsave(&bfqd->lock, flags); 5320 - bfqq->bic = NULL; 5321 5314 bfq_exit_bfqq(bfqd, bfqq); 5322 5315 bic_set_bfqq(bic, NULL, is_sync); 5323 5316 spin_unlock_irqrestore(&bfqd->lock, flags); ··· 6562 6557 return bfqq; 6563 6558 } 6564 6559 6565 - bic_set_bfqq(bic, NULL, 1); 6560 + bic_set_bfqq(bic, NULL, true); 6566 6561 6567 6562 bfq_put_cooperator(bfqq); 6568 6563 ··· 7063 7058 bfqd->idle_slice_timer.function = bfq_idle_slice_timer; 7064 7059 7065 7060 bfqd->queue_weights_tree = RB_ROOT_CACHED; 7061 + #ifdef CONFIG_BFQ_GROUP_IOSCHED 7066 7062 bfqd->num_groups_with_pending_reqs = 0; 7063 + #endif 7067 7064 7068 7065 INIT_LIST_HEAD(&bfqd->active_list); 7069 7066 INIT_LIST_HEAD(&bfqd->idle_list);
+4
block/bfq-iosched.h
··· 197 197 /* flag, set to request a weight, ioprio or ioprio_class change */ 198 198 int prio_changed; 199 199 200 + #ifdef CONFIG_BFQ_GROUP_IOSCHED 200 201 /* flag, set if the entity is counted in groups_with_pending_reqs */ 201 202 bool in_groups_with_pending_reqs; 203 + #endif 202 204 203 205 /* last child queue of entity created (for non-leaf entities) */ 204 206 struct bfq_queue *last_bfqq_created; ··· 493 491 */ 494 492 struct rb_root_cached queue_weights_tree; 495 493 494 + #ifdef CONFIG_BFQ_GROUP_IOSCHED 496 495 /* 497 496 * Number of groups with at least one process that 498 497 * has at least one request waiting for completion. Note that ··· 541 538 * with no request waiting for completion. 542 539 */ 543 540 unsigned int num_groups_with_pending_reqs; 541 + #endif 544 542 545 543 /* 546 544 * Per-class (RT, BE, IDLE) number of bfq_queues containing
+4 -4
block/bfq-wf2q.c
··· 1612 1612 1613 1613 void bfq_add_bfqq_in_groups_with_pending_reqs(struct bfq_queue *bfqq) 1614 1614 { 1615 + #ifdef CONFIG_BFQ_GROUP_IOSCHED 1615 1616 struct bfq_entity *entity = &bfqq->entity; 1616 1617 1617 1618 if (!entity->in_groups_with_pending_reqs) { 1618 1619 entity->in_groups_with_pending_reqs = true; 1619 - #ifdef CONFIG_BFQ_GROUP_IOSCHED 1620 1620 if (!(bfqq_group(bfqq)->num_queues_with_pending_reqs++)) 1621 1621 bfqq->bfqd->num_groups_with_pending_reqs++; 1622 - #endif 1623 1622 } 1623 + #endif 1624 1624 } 1625 1625 1626 1626 void bfq_del_bfqq_in_groups_with_pending_reqs(struct bfq_queue *bfqq) 1627 1627 { 1628 + #ifdef CONFIG_BFQ_GROUP_IOSCHED 1628 1629 struct bfq_entity *entity = &bfqq->entity; 1629 1630 1630 1631 if (entity->in_groups_with_pending_reqs) { 1631 1632 entity->in_groups_with_pending_reqs = false; 1632 - #ifdef CONFIG_BFQ_GROUP_IOSCHED 1633 1633 if (!(--bfqq_group(bfqq)->num_queues_with_pending_reqs)) 1634 1634 bfqq->bfqd->num_groups_with_pending_reqs--; 1635 - #endif 1636 1635 } 1636 + #endif 1637 1637 } 1638 1638 1639 1639 /*
+2
block/blk-cgroup.c
··· 33 33 #include "blk-cgroup.h" 34 34 #include "blk-ioprio.h" 35 35 #include "blk-throttle.h" 36 + #include "blk-rq-qos.h" 36 37 37 38 /* 38 39 * blkcg_pol_mutex protects blkcg_policy[] and policy [de]activation. ··· 1323 1322 void blkcg_exit_disk(struct gendisk *disk) 1324 1323 { 1325 1324 blkg_destroy_all(disk); 1325 + rq_qos_exit(disk->queue); 1326 1326 blk_throtl_exit(disk); 1327 1327 } 1328 1328
+5 -4
block/blk-core.c
··· 254 254 255 255 static void blk_free_queue_rcu(struct rcu_head *rcu_head) 256 256 { 257 - kmem_cache_free(blk_requestq_cachep, 258 - container_of(rcu_head, struct request_queue, rcu_head)); 257 + struct request_queue *q = container_of(rcu_head, 258 + struct request_queue, rcu_head); 259 + 260 + percpu_ref_exit(&q->q_usage_counter); 261 + kmem_cache_free(blk_requestq_cachep, q); 259 262 } 260 263 261 264 static void blk_free_queue(struct request_queue *q) 262 265 { 263 - percpu_ref_exit(&q->q_usage_counter); 264 - 265 266 if (q->poll_stat) 266 267 blk_stat_remove_callback(q, q->poll_cb); 267 268 blk_stat_free_callback(q->poll_cb);
+2
block/blk-iocost.c
··· 232 232 233 233 /* 1/64k is granular enough and can easily be handled w/ u32 */ 234 234 WEIGHT_ONE = 1 << 16, 235 + }; 235 236 237 + enum { 236 238 /* 237 239 * As vtime is used to calculate the cost of each IO, it needs to 238 240 * be fairly high precision. For example, it should be able to
+12 -16
drivers/block/loop.c
··· 1773 1773 /* 1774 1774 * And now the modules code and kernel interface. 1775 1775 */ 1776 - static int max_loop; 1776 + 1777 + /* 1778 + * If max_loop is specified, create that many devices upfront. 1779 + * This also becomes a hard limit. If max_loop is not specified, 1780 + * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module 1781 + * init time. Loop devices can be requested on-demand with the 1782 + * /dev/loop-control interface, or be instantiated by accessing 1783 + * a 'dead' device node. 1784 + */ 1785 + static int max_loop = CONFIG_BLK_DEV_LOOP_MIN_COUNT; 1777 1786 module_param(max_loop, int, 0444); 1778 1787 MODULE_PARM_DESC(max_loop, "Maximum number of loop devices"); 1779 1788 module_param(max_part, int, 0444); ··· 2190 2181 2191 2182 static int __init loop_init(void) 2192 2183 { 2193 - int i, nr; 2184 + int i; 2194 2185 int err; 2195 2186 2196 2187 part_shift = 0; ··· 2218 2209 goto err_out; 2219 2210 } 2220 2211 2221 - /* 2222 - * If max_loop is specified, create that many devices upfront. 2223 - * This also becomes a hard limit. If max_loop is not specified, 2224 - * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module 2225 - * init time. Loop devices can be requested on-demand with the 2226 - * /dev/loop-control interface, or be instantiated by accessing 2227 - * a 'dead' device node. 2228 - */ 2229 - if (max_loop) 2230 - nr = max_loop; 2231 - else 2232 - nr = CONFIG_BLK_DEV_LOOP_MIN_COUNT; 2233 - 2234 2212 err = misc_register(&loop_misc); 2235 2213 if (err < 0) 2236 2214 goto err_out; ··· 2229 2233 } 2230 2234 2231 2235 /* pre-create number of devices given by config or max_loop */ 2232 - for (i = 0; i < nr; i++) 2236 + for (i = 0; i < max_loop; i++) 2233 2237 loop_add(i); 2234 2238 2235 2239 printk(KERN_INFO "loop: module loaded\n");
+1 -2
include/linux/bio.h
··· 782 782 783 783 static inline void bio_clear_polled(struct bio *bio) 784 784 { 785 - /* can't support alloc cache if we turn off polling */ 786 - bio->bi_opf &= ~(REQ_POLLED | REQ_ALLOC_CACHE); 785 + bio->bi_opf &= ~REQ_POLLED; 787 786 } 788 787 789 788 struct bio *blk_next_bio(struct bio *bio, struct block_device *bdev,