Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'block-5.10-2020-11-20' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:

- NVMe pull request from Christoph:
- Doorbell Buffer freeing fix (Minwoo Im)
- CSE log leak fix (Keith Busch)

- blk-cgroup hd_struct leak fix (Christoph)

- Flush request state fix (Ming)

- dasd NULL deref fix (Stefan)

* tag 'block-5.10-2020-11-20' of git://git.kernel.dk/linux-block:
s390/dasd: fix null pointer dereference for ERP requests
blk-cgroup: fix a hd_struct leak in blkcg_fill_root_iostats
nvme: fix memory leak freeing command effects
nvme: directly cache command effects log
nvme: free sq/cq dbbuf pointers when dbbuf set fails
block: mark flush request as IDLE when it is really finished

+46 -14
+1
block/blk-cgroup.c
··· 849 849 blkg_iostat_set(&blkg->iostat.cur, &tmp); 850 850 u64_stats_update_end(&blkg->iostat.sync); 851 851 } 852 + disk_put_part(part); 852 853 } 853 854 } 854 855
+6 -1
block/blk-flush.c
··· 225 225 /* release the tag's ownership to the req cloned from */ 226 226 spin_lock_irqsave(&fq->mq_flush_lock, flags); 227 227 228 - WRITE_ONCE(flush_rq->state, MQ_RQ_IDLE); 229 228 if (!refcount_dec_and_test(&flush_rq->ref)) { 230 229 fq->rq_status = error; 231 230 spin_unlock_irqrestore(&fq->mq_flush_lock, flags); 232 231 return; 233 232 } 234 233 234 + /* 235 + * Flush request has to be marked as IDLE when it is really ended 236 + * because its .end_io() is called from timeout code path too for 237 + * avoiding use-after-free. 238 + */ 239 + WRITE_ONCE(flush_rq->state, MQ_RQ_IDLE); 235 240 if (fq->rq_status != BLK_STS_OK) 236 241 error = fq->rq_status; 237 242
+18 -7
drivers/nvme/host/core.c
··· 2929 2929 static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi, 2930 2930 struct nvme_effects_log **log) 2931 2931 { 2932 - struct nvme_cel *cel = xa_load(&ctrl->cels, csi); 2932 + struct nvme_effects_log *cel = xa_load(&ctrl->cels, csi); 2933 2933 int ret; 2934 2934 2935 2935 if (cel) ··· 2940 2940 return -ENOMEM; 2941 2941 2942 2942 ret = nvme_get_log(ctrl, 0x00, NVME_LOG_CMD_EFFECTS, 0, csi, 2943 - &cel->log, sizeof(cel->log), 0); 2943 + cel, sizeof(*cel), 0); 2944 2944 if (ret) { 2945 2945 kfree(cel); 2946 2946 return ret; 2947 2947 } 2948 2948 2949 - cel->csi = csi; 2950 - xa_store(&ctrl->cels, cel->csi, cel, GFP_KERNEL); 2949 + xa_store(&ctrl->cels, csi, cel, GFP_KERNEL); 2951 2950 out: 2952 - *log = &cel->log; 2951 + *log = cel; 2953 2952 return 0; 2954 2953 } 2955 2954 ··· 4373 4374 } 4374 4375 EXPORT_SYMBOL_GPL(nvme_uninit_ctrl); 4375 4376 4377 + static void nvme_free_cels(struct nvme_ctrl *ctrl) 4378 + { 4379 + struct nvme_effects_log *cel; 4380 + unsigned long i; 4381 + 4382 + xa_for_each (&ctrl->cels, i, cel) { 4383 + xa_erase(&ctrl->cels, i); 4384 + kfree(cel); 4385 + } 4386 + 4387 + xa_destroy(&ctrl->cels); 4388 + } 4389 + 4376 4390 static void nvme_free_ctrl(struct device *dev) 4377 4391 { 4378 4392 struct nvme_ctrl *ctrl = ··· 4395 4383 if (!subsys || ctrl->instance != subsys->instance) 4396 4384 ida_simple_remove(&nvme_instance_ida, ctrl->instance); 4397 4385 4398 - xa_destroy(&ctrl->cels); 4399 - 4386 + nvme_free_cels(ctrl); 4400 4387 nvme_mpath_uninit(ctrl); 4401 4388 __free_page(ctrl->discard_page); 4402 4389
-6
drivers/nvme/host/nvme.h
··· 226 226 #endif 227 227 }; 228 228 229 - struct nvme_cel { 230 - struct list_head entry; 231 - struct nvme_effects_log log; 232 - u8 csi; 233 - }; 234 - 235 229 struct nvme_ctrl { 236 230 bool comp_seen; 237 231 enum nvme_ctrl_state state;
+15
drivers/nvme/host/pci.c
··· 292 292 nvmeq->dbbuf_cq_ei = &dev->dbbuf_eis[cq_idx(qid, dev->db_stride)]; 293 293 } 294 294 295 + static void nvme_dbbuf_free(struct nvme_queue *nvmeq) 296 + { 297 + if (!nvmeq->qid) 298 + return; 299 + 300 + nvmeq->dbbuf_sq_db = NULL; 301 + nvmeq->dbbuf_cq_db = NULL; 302 + nvmeq->dbbuf_sq_ei = NULL; 303 + nvmeq->dbbuf_cq_ei = NULL; 304 + } 305 + 295 306 static void nvme_dbbuf_set(struct nvme_dev *dev) 296 307 { 297 308 struct nvme_command c; 309 + unsigned int i; 298 310 299 311 if (!dev->dbbuf_dbs) 300 312 return; ··· 320 308 dev_warn(dev->ctrl.device, "unable to set dbbuf\n"); 321 309 /* Free memory and continue on */ 322 310 nvme_dbbuf_dma_free(dev); 311 + 312 + for (i = 1; i <= dev->online_queues; i++) 313 + nvme_dbbuf_free(&dev->queues[i]); 323 314 } 324 315 } 325 316
+6
drivers/s390/block/dasd.c
··· 2980 2980 2981 2981 if (!block) 2982 2982 return -EINVAL; 2983 + /* 2984 + * If the request is an ERP request there is nothing to requeue. 2985 + * This will be done with the remaining original request. 2986 + */ 2987 + if (cqr->refers) 2988 + return 0; 2983 2989 spin_lock_irq(&cqr->dq->lock); 2984 2990 req = (struct request *) cqr->callback_data; 2985 2991 blk_mq_requeue_request(req, false);