block: queue lock must be acquired when iterating over rls

blk_set_queue_dying() does not acquire queue lock before it calls blk_queue_for_each_rl(). This allows a racing blkg_destroy() to remove blkg->q_node from the linked list and have blk_queue_for_each_rl() loop infitely over the removed blkg->q_node list node. Signed-off-by: N Tahsin Erdogan <tahsin@google.com> Signed-off-by: N Jens Axboe <axboe@fb.com>

block: queue lock must be acquired when iterating over rls
blk_set_queue_dying() does not acquire queue lock before it calls blk_queue_for_each_rl(). This allows a racing blkg_destroy() to remove blkg->q_node from the linked list and have blk_queue_for_each_rl() loop infitely over the removed blkg->q_node list node. Signed-off-by: N Tahsin Erdogan <tahsin@google.com> Signed-off-by: N Jens Axboe <axboe@fb.com>
bbfc3c5d · Tahsin Erdogan · Jens Axboe · 5fad1b64 · bbfc3c5d
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

block/blk-core.c block/blk-core.c +2 -0

未找到文件。
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -527,12 +527,14 @@ void blk_set_queue_dying(struct request_queue *q)
 	else {
 		struct request_list *rl;

+		spin_lock_irq(q->queue_lock);
 		blk_queue_for_each_rl(rl, q) {
 			if (rl->rq_pool) {
 				wake_up(&rl->wait[BLK_RW_SYNC]);
 				wake_up(&rl->wait[BLK_RW_ASYNC]);
 			}
 		}
+		spin_unlock_irq(q->queue_lock);
 	}
 }
 EXPORT_SYMBOL_GPL(blk_set_queue_dying);