• S
    block: fix NULL icq_cache reference · 05c30b95
    Shaohua Li 提交于
    Vivek reported a kernel crash:
    [   94.217015] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
    [   94.218004] IP: [<ffffffff81142fae>] kmem_cache_free+0x5e/0x200
    [   94.218004] PGD 13abda067 PUD 137d52067 PMD 0
    [   94.218004] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
    [   94.218004] CPU 0
    [   94.218004] Modules linked in: [last unloaded: scsi_wait_scan]
    [   94.218004]
    [   94.218004] Pid: 0, comm: swapper/0 Not tainted 3.2.0+ #16 Hewlett-Packard HP xw6600 Workstation/0A9Ch
    [   94.218004] RIP: 0010:[<ffffffff81142fae>]  [<ffffffff81142fae>] kmem_cache_free+0x5e/0x200
    [   94.218004] RSP: 0018:ffff88013fc03de0  EFLAGS: 00010006
    [   94.218004] RAX: ffffffff81e0d020 RBX: ffff880138b3c680 RCX: 00000001801c001b
    [   94.218004] RDX: 00000000003aac1d RSI: ffff880138b3c680 RDI: ffffffff81142fae
    [   94.218004] RBP: ffff88013fc03e10 R08: ffff880137830238 R09: 0000000000000001
    [   94.218004] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    [   94.218004] R13: ffffea0004e2cf00 R14: ffffffff812f6eb6 R15: 0000000000000246
    [   94.218004] FS:  0000000000000000(0000) GS:ffff88013fc00000(0000) knlGS:0000000000000000
    [   94.218004] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   94.218004] CR2: 000000000000001c CR3: 00000001395ab000 CR4: 00000000000006f0
    [   94.218004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [   94.218004] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [   94.218004] Process swapper/0 (pid: 0, threadinfo ffffffff81e00000, task ffffffff81e0d020)
    [   94.218004] Stack:
    [   94.218004]  0000000000000102 ffff88013fc0db20 ffffffff81e22700 ffff880139500f00
    [   94.218004]  0000000000000001 000000000000000a ffff88013fc03e20 ffffffff812f6eb6
    [   94.218004]  ffff88013fc03e90 ffffffff810c8da2 ffffffff81e01fd8 ffff880137830240
    [   94.218004] Call Trace:
    [   94.218004]  <IRQ>
    [   94.218004]  [<ffffffff812f6eb6>] icq_free_icq_rcu+0x16/0x20
    [   94.218004]  [<ffffffff810c8da2>] __rcu_process_callbacks+0x1c2/0x420
    [   94.218004]  [<ffffffff810c9038>] rcu_process_callbacks+0x38/0x250
    [   94.218004]  [<ffffffff810405ee>] __do_softirq+0xce/0x3e0
    [   94.218004]  [<ffffffff8108ed04>] ? clockevents_program_event+0x74/0x100
    [   94.218004]  [<ffffffff81090104>] ? tick_program_event+0x24/0x30
    [   94.218004]  [<ffffffff8183ed1c>] call_softirq+0x1c/0x30
    [   94.218004]  [<ffffffff8100422d>] do_softirq+0x8d/0xc0
    [   94.218004]  [<ffffffff81040c3e>] irq_exit+0xae/0xe0
    [   94.218004]  [<ffffffff8183f4be>] smp_apic_timer_interrupt+0x6e/0x99
    [   94.218004]  [<ffffffff8183e330>] apic_timer_interrupt+0x70/0x80
    
    Once a queue is quiesced, it's not supposed to have any elvpriv data or
    icq's, and elevator switching depends on that.  Request alloc path
    followed the rule for elvpriv data but forgot apply it to icq's
    leading to the following crash during elevator switch. Fix it by not
    allocating icq's if ELVPRIV is not set for the request.
    Reported-by: NVivek Goyal <vgoyal@redhat.com>
    Tested-by: NVivek Goyal <vgoyal@redhat.com>
    Signed-off-by: NShaohua Li <shaohua.li@intel.com>
    Acked-by: NTejun Heo <tj@kernel.org>
    Signed-off-by: NJens Axboe <axboe@kernel.dk>
    05c30b95
blk-core.c 76.6 KB