tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

blk-mq: initialize 'struct request' and associated data to zero

Jan Engelhardt reports a strange oops with an invalid ->sense_buffer
pointer in scsi_init_cmd_errh() with the blk-mq code.

The sense_buffer pointer should have been initialized by the call to
scsi_init_request() from blk_mq_init_rq_map(), but there seems to be
some non-repeatable memory corruptor.

This patch makes sure we initialize the whole struct request allocation
(and the associated 'struct scsi_cmnd' for the SCSI case) to zero, by
using __GFP_ZERO in the allocation. The old code initialized a couple
of individual fields, leaving the rest undefined (although many of them
are then initialized in later phases, like blk_mq_rq_ctx_init() etc.

It's not entirely clear why this matters, but it's the rigth thing to do
regardless, and with 4.0 imminent this is the defensive "let's just make
sure everything is initialized properly" patch.

Tested-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus Torvalds ac211175 8fa59759

options
unified split
Changed files
+1 -3
block
blk-mq.c
+1 -3
block/blk-mq.c
··· 1457 1457 1458 1458 do { 1459 1459 page = alloc_pages_node(set->numa_node, 1460 - GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY, 1460 + GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY | __GFP_ZERO, 1461 1461 this_order); 1462 1462 if (page) 1463 1463 break; ··· 1479 1479 left -= to_do * rq_size; 1480 1480 for (j = 0; j < to_do; j++) { 1481 1481 tags->rqs[i] = p; 1482 - tags->rqs[i]->atomic_flags = 0; 1483 - tags->rqs[i]->cmd_flags = 0; 1484 1482 if (set->ops->init_request) { 1485 1483 if (set->ops->init_request(set->driver_data, 1486 1484 tags->rqs[i], hctx_idx, i,