Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'for-linus-20180727' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
"Bigger than usual at this time, mostly due to the O_DIRECT corruption
issue and the fact that I was on vacation last week. This contains:

- NVMe pull request with two fixes for the FC code, and two target
fixes (Christoph)

- a DIF bio reset iteration fix (Greg Edwards)

- two nbd reply and requeue fixes (Josef)

- SCSI timeout fixup (Keith)

- a small series that fixes an issue with bio_iov_iter_get_pages(),
which ended up causing corruption for larger sized O_DIRECT writes
that ended up racing with buffered writes (Martin Wilck)"

* tag 'for-linus-20180727' of git://git.kernel.dk/linux-block:
block: reset bi_iter.bi_done after splitting bio
block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs
blkdev: __blkdev_direct_IO_simple: fix leak in error case
block: bio_iov_iter_get_pages: fix size of last iovec
nvmet: only check for filebacking on -ENOTBLK
nvmet: fixup crash on NULL device path
scsi: set timed out out mq requests to complete
blk-mq: export setting request completion state
nvme: if_ready checks to fail io to deleting controller
nvmet-fc: fix target sgl list on large transfers
nbd: handle unexpected replies better
nbd: don't requeue the same request twice.

+209 -56
+41 -13
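--- a/block/bio.c
+++ b/block/bio.c
@@ -903,25 +903,27 @@
 EXPORT_SYMBOL(bio_add_page);
 
 /**
- * bio_iov_iter_get_pages - pin user or kernel pages and add them to a bio
+ * __bio_iov_iter_get_pages - pin user or kernel pages and add them to a bio
  * @bio: bio to add pages to
  * @iter: iov iterator describing the region to be mapped
  *
- * Pins as many pages from *iter and appends them to @bio's bvec array. The
+ * Pins pages from *iter and appends them to @bio's bvec array. The
  * pages will have to be released using put_page() when done.
+ * For multi-segment *iter, this function only adds pages from the
+ * the next non-empty segment of the iov iterator.
  */
-int bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter)
+static int __bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter)
 {
-unsigned short nr_pages = bio->bi_max_vecs - bio->bi_vcnt;
+unsigned short nr_pages = bio->bi_max_vecs - bio->bi_vcnt, idx;
 struct bio_vec *bv = bio->bi_io_vec + bio->bi_vcnt;
 struct page **pages = (struct page **)bv;
-size_t offset, diff;
+size_t offset;
 ssize_t size;
 
 size = iov_iter_get_pages(iter, pages, LONG_MAX, nr_pages, &offset);
 if (unlikely(size <= 0))
 return size ? size : -EFAULT;
-nr_pages = (size + offset + PAGE_SIZE - 1) / PAGE_SIZE;
+idx = nr_pages = (size + offset + PAGE_SIZE - 1) / PAGE_SIZE;
 
 /*
  * Deep magic below: We need to walk the pinned pages backwards
@@ -936,19 +938,44 @@
 bio->bi_iter.bi_size += size;
 bio->bi_vcnt += nr_pages;
 
-diff = (nr_pages * PAGE_SIZE - offset) - size;
-while (nr_pages--) {
-bv[nr_pages].bv_page = pages[nr_pages];
-bv[nr_pages].bv_len = PAGE_SIZE;
-bv[nr_pages].bv_offset = 0;
+while (idx--) {
+bv[idx].bv_page = pages[idx];
+bv[idx].bv_len = PAGE_SIZE;
+bv[idx].bv_offset = 0;
 }
 
 bv[0].bv_offset += offset;
 bv[0].bv_len -= offset;
-if (diff)
-bv[bio->bi_vcnt - 1].bv_len -= diff;
+bv[nr_pages - 1].bv_len -= nr_pages * PAGE_SIZE - offset - size;
 
 iov_iter_advance(iter, size);
+return 0;
+}
+
+/**
+ * bio_iov_iter_get_pages - pin user or kernel pages and add them to a bio
+ * @bio: bio to add pages to
+ * @iter: iov iterator describing the region to be mapped
+ *
+ * Pins pages from *iter and appends them to @bio's bvec array. The
+ * pages will have to be released using put_page() when done.
+ * The function tries, but does not guarantee, to pin as many pages as
+ * fit into the bio, or are requested in *iter, whatever is smaller.
+ * If MM encounters an error pinning the requested pages, it stops.
+ * Error is returned only if 0 pages could be pinned.
+ */
+int bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter)
+{
+unsigned short orig_vcnt = bio->bi_vcnt;
+
+do {
+int ret = __bio_iov_iter_get_pages(bio, iter);
+
+if (unlikely(ret))
+return bio->bi_vcnt > orig_vcnt ? 0 : ret;
+
+} while (iov_iter_count(iter) && !bio_full(bio));
+
 return 0;
 }
 EXPORT_SYMBOL_GPL(bio_iov_iter_get_pages);
@@ -1893,6 +1920,7 @@
 bio_integrity_trim(split);
 
 bio_advance(bio, split->bi_iter.bi_size);
+bio->bi_iter.bi_done = 0;
 
 if (bio_flagged(bio, BIO_TRACE_COMPLETION))
 bio_set_flag(split, BIO_TRACE_COMPLETION);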
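Review bot: The new `bio_iov_iter_get_pages()` wrapper returns 0 as soon as one page has been pinned, so an error from a later segment is dropped and the bio may cover less than `*iter` requested. The kernel-doc states this, but it does not tell the caller what to do about it; I would add a line such as `* Callers must take the mapped length from bio->bi_iter.bi_size, not from the size they asked for.` The comment on `__bio_iov_iter_get_pages()` has a doubled word ("from the" followed by "the next non-empty segment"). The `bio->bi_iter.bi_done = 0;` added in the split path would also benefit from a one-line comment saying why the counter is reset for the remainder bio; that function starts and ends outside the hunk.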
+1 -3
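--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -558,10 +558,8 @@
 bool shared = false;
 int cpu;
 
-if (cmpxchg(&rq->state, MQ_RQ_IN_FLIGHT, MQ_RQ_COMPLETE) !=
-MQ_RQ_IN_FLIGHT)
+if (!blk_mq_mark_complete(rq))
 return;
-
 if (rq->internal_tag != -1)
 blk_mq_sched_completed_request(rq);
 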
+79 -17
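--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -112,12 +112,16 @@
 struct task_struct *task_setup;
 };
 
+#define NBD_CMD_REQUEUED 1
+
 struct nbd_cmd {
 struct nbd_device *nbd;
+struct mutex lock;
 int index;
 int cookie;
-struct completion send_complete;
 blk_status_t status;
+unsigned long flags;
+u32 cmd_cookie;
 };
 
 #if IS_ENABLED(CONFIG_DEBUG_FS)
@@ -148,6 +152,35 @@
 static inline struct device *nbd_to_dev(struct nbd_device *nbd)
 {
 return disk_to_dev(nbd->disk);
+}
+
+static void nbd_requeue_cmd(struct nbd_cmd *cmd)
+{
+struct request *req = blk_mq_rq_from_pdu(cmd);
+
+if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
+blk_mq_requeue_request(req, true);
+}
+
+#define NBD_COOKIE_BITS 32
+
+static u64 nbd_cmd_handle(struct nbd_cmd *cmd)
+{
+struct request *req = blk_mq_rq_from_pdu(cmd);
+u32 tag = blk_mq_unique_tag(req);
+u64 cookie = cmd->cmd_cookie;
+
+return (cookie << NBD_COOKIE_BITS) | tag;
+}
+
+static u32 nbd_handle_to_tag(u64 handle)
+{
+return (u32)handle;
+}
+
+static u32 nbd_handle_to_cookie(u64 handle)
+{
+return (u32)(handle >> NBD_COOKIE_BITS);
 }
 
 static const char *nbdcmd_to_ascii(int cmd)
@@ -352,6 +385,9 @@
 }
 config = nbd->config;
 
+if (!mutex_trylock(&cmd->lock))
+return BLK_EH_RESET_TIMER;
+
 if (config->num_connections > 1) {
 dev_err_ratelimited(nbd_to_dev(nbd),
 "Connection timed out, retrying (%d/%d alive)\n",
@@ -379,7 +415,8 @@
 nbd_mark_nsock_dead(nbd, nsock, 1);
 mutex_unlock(&nsock->tx_lock);
 }
-blk_mq_requeue_request(req, true);
+mutex_unlock(&cmd->lock);
+nbd_requeue_cmd(cmd);
 nbd_config_put(nbd);
 return BLK_EH_DONE;
 }
@@ -390,6 +427,7 @@
 }
 set_bit(NBD_TIMEDOUT, &config->runtime_flags);
 cmd->status = BLK_STS_IOERR;
+mutex_unlock(&cmd->lock);
 sock_shutdown(nbd);
 nbd_config_put(nbd);
 done:
@@ -468,9 +506,9 @@
 struct iov_iter from;
 unsigned long size = blk_rq_bytes(req);
 struct bio *bio;
+u64 handle;
 u32 type;
 u32 nbd_cmd_flags = 0;
-u32 tag = blk_mq_unique_tag(req);
 int sent = nsock->sent, skip = 0;
 
 iov_iter_kvec(&from, WRITE | ITER_KVEC, &iov, 1, sizeof(request));
@@ -512,6 +550,8 @@
 goto send_pages;
 }
 iov_iter_advance(&from, sent);
+} else {
+cmd->cmd_cookie++;
 }
 cmd->index = index;
 cmd->cookie = nsock->cookie;
@@ -522,7 +562,8 @@
 request.from = cpu_to_be64((u64)blk_rq_pos(req) << 9);
 request.len = htonl(size);
 }
-memcpy(request.handle, &tag, sizeof(tag));
+handle = nbd_cmd_handle(cmd);
+memcpy(request.handle, &handle, sizeof(handle));
 
 dev_dbg(nbd_to_dev(nbd), "request %p: sending control (%s@%llu,%uB)\n",
 req, nbdcmd_to_ascii(type),
@@ -541,6 +582,7 @@
 nsock->pending = req;
 nsock->sent = sent;
 }
+set_bit(NBD_CMD_REQUEUED, &cmd->flags);
 return BLK_STS_RESOURCE;
 }
 dev_err_ratelimited(disk_to_dev(nbd->disk),
@@ -583,6 +625,7 @@
  */
 nsock->pending = req;
 nsock->sent = sent;
+set_bit(NBD_CMD_REQUEUED, &cmd->flags);
 return BLK_STS_RESOURCE;
 }
 dev_err(disk_to_dev(nbd->disk),
@@ -616,10 +659,12 @@
 struct nbd_reply reply;
 struct nbd_cmd *cmd;
 struct request *req = NULL;
+u64 handle;
 u16 hwq;
 u32 tag;
 struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)};
 struct iov_iter to;
+int ret = 0;
 
 reply.magic = 0;
 iov_iter_kvec(&to, READ | ITER_KVEC, &iov, 1, sizeof(reply));
@@ -639,8 +684,8 @@
 return ERR_PTR(-EPROTO);
 }
 
-memcpy(&tag, reply.handle, sizeof(u32));
-
+memcpy(&handle, reply.handle, sizeof(handle));
+tag = nbd_handle_to_tag(handle);
 hwq = blk_mq_unique_tag_to_hwq(tag);
 if (hwq < nbd->tag_set.nr_hw_queues)
 req = blk_mq_tag_to_rq(nbd->tag_set.tags[hwq],
@@ -651,11 +696,25 @@
 return ERR_PTR(-ENOENT);
 }
 cmd = blk_mq_rq_to_pdu(req);
+
+mutex_lock(&cmd->lock);
+if (cmd->cmd_cookie != nbd_handle_to_cookie(handle)) {
+dev_err(disk_to_dev(nbd->disk), "Double reply on req %p, cmd_cookie %u, handle cookie %u\n",
+req, cmd->cmd_cookie, nbd_handle_to_cookie(handle));
+ret = -ENOENT;
+goto out;
+}
+if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) {
+dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n",
+req);
+ret = -ENOENT;
+goto out;
+}
 if (ntohl(reply.error)) {
 dev_err(disk_to_dev(nbd->disk), "Other side returned error (%d)\n",
 ntohl(reply.error));
 cmd->status = BLK_STS_IOERR;
-return cmd;
+goto out;
 }
 
 dev_dbg(nbd_to_dev(nbd), "request %p: got reply\n", req);
@@ -694,18 +753,18 @@
 if (nbd_disconnected(config) ||
 config->num_connections <= 1) {
 cmd->status = BLK_STS_IOERR;
-return cmd;
+goto out;
 }
-return ERR_PTR(-EIO);
+ret = -EIO;
+goto out;
 }
 dev_dbg(nbd_to_dev(nbd), "request %p: got %d bytes data\n",
 req, bvec.bv_len);
 }
-} else {
-/* See the comment in nbd_queue_rq. */
-wait_for_completion(&cmd->send_complete);
 }
-return cmd;
+out:
+mutex_unlock(&cmd->lock);
+return ret ? ERR_PTR(ret) : cmd;
 }
 
 static void recv_work(struct work_struct *work)
@@ -864,7 +923,7 @@
  */
 blk_mq_start_request(req);
 if (unlikely(nsock->pending && nsock->pending != req)) {
-blk_mq_requeue_request(req, true);
+nbd_requeue_cmd(cmd);
 ret = 0;
 goto out;
 }
@@ -877,7 +936,7 @@
 dev_err_ratelimited(disk_to_dev(nbd->disk),
 "Request send failed, requeueing\n");
 nbd_mark_nsock_dead(nbd, nsock, 1);
-blk_mq_requeue_request(req, true);
+nbd_requeue_cmd(cmd);
 ret = 0;
 }
 out:
@@ -901,7 +960,8 @@
  * that the server is misbehaving (or there was an error) before we're
  * done sending everything over the wire.
  */
-init_completion(&cmd->send_complete);
+mutex_lock(&cmd->lock);
+clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
 
 /* We can be called directly from the user space process, which means we
  * could possibly have signals pending so our sendmsg will fail. In
@@ -914,7 +974,7 @@
 ret = BLK_STS_IOERR;
 else if (!ret)
 ret = BLK_STS_OK;
-complete(&cmd->send_complete);
+mutex_unlock(&cmd->lock);
 
 return ret;
 }
@@ -1520,6 +1580,8 @@
 {
 struct nbd_cmd *cmd = blk_mq_rq_to_pdu(rq);
 cmd->nbd = set->driver_data;
+cmd->flags = 0;
+mutex_init(&cmd->lock);
 return 0;
 }
 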
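Review bot: The handle layout and the meaning of `NBD_CMD_REQUEUED` are undocumented, although the new checks in the reply path rely on both to refuse a stale or duplicated reply from the server. Above `nbd_cmd_handle()` I would add `/* handle = (cmd_cookie << NBD_COOKIE_BITS) | unique tag; cmd_cookie changes on every fresh send */`, and say at the `#define` that `NBD_CMD_REQUEUED` is a bit number in `cmd->flags`. The init hunk sets `cmd->flags = 0` but not `cmd_cookie`, which presumably relies on the PDU memory being zeroed; `cmd->cmd_cookie = 0;` next to it would make that explicit. The two new `dev_err()` calls are reached from data the server sends and are not rate limited, unlike the `dev_err_ratelimited()` calls elsewhere in this file section. Most of the functions touched start or end outside their hunks.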
+7 -3
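--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -539,14 +539,18 @@
 /*
  * For something we're not in a state to send to the device the default action
  * is to busy it and retry it after the controller state is recovered. However,
- * anything marked for failfast or nvme multipath is immediately failed.
+ * if the controller is deleting or if anything is marked for failfast or
+ * nvme multipath it is immediately failed.
  *
  * Note: commands used to initialize the controller will be marked for failfast.
  * Note: nvme cli/ioctl commands are marked for failfast.
  */
-blk_status_t nvmf_fail_nonready_command(struct request *rq)
+blk_status_t nvmf_fail_nonready_command(struct nvme_ctrl *ctrl,
+struct request *rq)
 {
-if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH))
+if (ctrl->state != NVME_CTRL_DELETING &&
+ctrl->state != NVME_CTRL_DEAD &&
+!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH))
 return BLK_STS_RESOURCE;
 nvme_req(rq)->status = NVME_SC_ABORT_REQ;
 return BLK_STS_IOERR;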
+2 -1
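--- a/drivers/nvme/host/fabrics.h
+++ b/drivers/nvme/host/fabrics.h
@@ -162,7 +162,8 @@
 void nvmf_free_options(struct nvmf_ctrl_options *opts);
 int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size);
 bool nvmf_should_reconnect(struct nvme_ctrl *ctrl);
-blk_status_t nvmf_fail_nonready_command(struct request *rq);
+blk_status_t nvmf_fail_nonready_command(struct nvme_ctrl *ctrl,
+struct request *rq);
 bool __nvmf_check_ready(struct nvme_ctrl *ctrl, struct request *rq,
 bool queue_live);
 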
+1 -1
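--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -2272,7 +2272,7 @@
 
 if (ctrl->rport->remoteport.port_state != FC_OBJSTATE_ONLINE ||
 !nvmf_check_ready(&queue->ctrl->ctrl, rq, queue_ready))
-return nvmf_fail_nonready_command(rq);
+return nvmf_fail_nonready_command(&queue->ctrl->ctrl, rq);
 
 ret = nvme_setup_cmd(ns, rq, sqe);
 if (ret)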
+1 -1
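--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -1639,7 +1639,7 @@
 WARN_ON_ONCE(rq->tag < 0);
 
 if (!nvmf_check_ready(&queue->ctrl->ctrl, rq, queue_ready))
-return nvmf_fail_nonready_command(rq);
+return nvmf_fail_nonready_command(&queue->ctrl->ctrl, rq);
 
 dev = queue->device->dev;
 ib_dma_sync_single_for_cpu(dev, sqe->dma,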
+7 -2
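--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -282,6 +282,7 @@
 {
 struct nvmet_ns *ns = to_nvmet_ns(item);
 struct nvmet_subsys *subsys = ns->subsys;
+size_t len;
 int ret;
 
 mutex_lock(&subsys->lock);
@@ -290,10 +291,14 @@
 if (ns->enabled)
 goto out_unlock;
 
-kfree(ns->device_path);
+ret = -EINVAL;
+len = strcspn(page, "\n");
+if (!len)
+goto out_unlock;
 
+kfree(ns->device_path);
 ret = -ENOMEM;
-ns->device_path = kstrndup(page, strcspn(page, "\n"), GFP_KERNEL);
+ns->device_path = kstrndup(page, len, GFP_KERNEL);
 if (!ns->device_path)
 goto out_unlock;
 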
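Review bot: The old `ns->device_path` is still freed before its replacement is allocated, so a failed `kstrndup()` returns -ENOMEM with `device_path` left NULL, which is the state the new empty-string check is meant to keep out. Whether a later enable tolerates a NULL path cannot be seen from here, so I would allocate first and swap the pointers only on success. That needs one more local, a `char *` named `new_path` below. The function starts and ends outside the hunk, and the fence shows only the rewritten tail.

```c
	if (!len)
		goto out_unlock;

	/* allocate before freeing so a failed allocation keeps the old path */
	ret = -ENOMEM;
	new_path = kstrndup(page, len, GFP_KERNEL);
	if (!new_path)
		goto out_unlock;
	kfree(ns->device_path);
	ns->device_path = new_path;
	/* … unchanged: rest of the store handler … */
```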
+1 -1
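--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -339,7 +339,7 @@
 goto out_unlock;
 
 ret = nvmet_bdev_ns_enable(ns);
-if (ret)
+if (ret == -ENOTBLK)
 ret = nvmet_file_ns_enable(ns);
 if (ret)
 goto out_unlock;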
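Review bot: The fallback to `nvmet_file_ns_enable()` now depends on `nvmet_bdev_ns_enable()` returning exactly -ENOTBLK when the path is not a block device, and nothing at the call site records that contract. A short comment above the test would keep it from drifting, for example `/* only a non-block path falls back to file backing; any other bdev error is final */`. The callee is outside the hunk, so its return values could not be checked here.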
+35 -9
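--- a/drivers/nvme/target/fc.c
+++ b/drivers/nvme/target/fc.c
@@ -58,8 +58,8 @@
 struct work_struct work;
 } __aligned(sizeof(unsigned long long));
 
+/* desired maximum for a single sequence - if sg list allows it */
 #define NVMET_FC_MAX_SEQ_LENGTH (256 * 1024)
-#define NVMET_FC_MAX_XFR_SGENTS (NVMET_FC_MAX_SEQ_LENGTH / PAGE_SIZE)
 
 enum nvmet_fcp_datadir {
 NVMET_FCP_NODATA,
@@ -74,6 +74,7 @@
 struct nvme_fc_cmd_iu cmdiubuf;
 struct nvme_fc_ersp_iu rspiubuf;
 dma_addr_t rspdma;
+struct scatterlist *next_sg;
 struct scatterlist *data_sg;
 int data_sg_cnt;
 u32 offset;
@@ -1026,8 +1027,7 @@
 INIT_LIST_HEAD(&newrec->assoc_list);
 kref_init(&newrec->ref);
 ida_init(&newrec->assoc_cnt);
-newrec->max_sg_cnt = min_t(u32, NVMET_FC_MAX_XFR_SGENTS,
-template->max_sgl_segments);
+newrec->max_sg_cnt = template->max_sgl_segments;
 
 ret = nvmet_fc_alloc_ls_iodlist(newrec);
 if (ret) {
@@ -1722,6 +1722,7 @@
 ((fod->io_dir == NVMET_FCP_WRITE) ?
 DMA_FROM_DEVICE : DMA_TO_DEVICE));
 /* note: write from initiator perspective */
+fod->next_sg = fod->data_sg;
 
 return 0;
 
@@ -1867,23 +1868,48 @@
 struct nvmet_fc_fcp_iod *fod, u8 op)
 {
 struct nvmefc_tgt_fcp_req *fcpreq = fod->fcpreq;
+struct scatterlist *sg = fod->next_sg;
 unsigned long flags;
-u32 tlen;
+u32 remaininglen = fod->req.transfer_len - fod->offset;
+u32 tlen = 0;
 int ret;
 
 fcpreq->op = op;
 fcpreq->offset = fod->offset;
 fcpreq->timeout = NVME_FC_TGTOP_TIMEOUT_SEC;
 
-tlen = min_t(u32, tgtport->max_sg_cnt * PAGE_SIZE,
-(fod->req.transfer_len - fod->offset));
+/*
+ * for next sequence:
+ * break at a sg element boundary
+ * attempt to keep sequence length capped at
+ * NVMET_FC_MAX_SEQ_LENGTH but allow sequence to
+ * be longer if a single sg element is larger
+ * than that amount. This is done to avoid creating
+ * a new sg list to use for the tgtport api.
+ */
+fcpreq->sg = sg;
+fcpreq->sg_cnt = 0;
+while (tlen < remaininglen &&
+fcpreq->sg_cnt < tgtport->max_sg_cnt &&
+tlen + sg_dma_len(sg) < NVMET_FC_MAX_SEQ_LENGTH) {
+fcpreq->sg_cnt++;
+tlen += sg_dma_len(sg);
+sg = sg_next(sg);
+}
+if (tlen < remaininglen && fcpreq->sg_cnt == 0) {
+fcpreq->sg_cnt++;
+tlen += min_t(u32, sg_dma_len(sg), remaininglen);
+sg = sg_next(sg);
+}
+if (tlen < remaininglen)
+fod->next_sg = sg;
+else
+fod->next_sg = NULL;
+
 fcpreq->transfer_length = tlen;
 fcpreq->transferred_length = 0;
 fcpreq->fcp_error = 0;
 fcpreq->rsplen = 0;
-
-fcpreq->sg = &fod->data_sg[fod->offset / PAGE_SIZE];
-fcpreq->sg_cnt = DIV_ROUND_UP(tlen, PAGE_SIZE);
 
 /*
  * If the last READDATA request: check if LLDD supports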
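Review bot: The new sg walk calls `sg_dma_len(sg)` on the result of `sg = sg_next(sg)` without testing for the end of the list, both in the `while` condition and in the `sg_cnt == 0` fallback. That holds only if the mapped list always covers `fod->req.transfer_len`, which is established outside this hunk; I would add `sg &&` as the first term of the `while` condition and state the invariant in the comment above the loop. The loop also adds whole `sg_dma_len(sg)` values, so `tlen` can exceed `remaininglen` if the last element is longer than what remains, whereas only the fallback clamps with `min_t()`. The same section drops the `min_t()` cap on `max_sg_cnt`, so the value supplied by the LLDD template is now used as given. The transfer function starts and ends outside the hunk.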
+1 -1
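--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -162,7 +162,7 @@
 blk_status_t ret;
 
 if (!nvmf_check_ready(&queue->ctrl->ctrl, req, queue_ready))
-return nvmf_fail_nonready_command(req);
+return nvmf_fail_nonready_command(&queue->ctrl->ctrl, req);
 
 ret = nvme_setup_cmd(ns, req, &iod->cmd);
 if (ret)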
+14
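--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -296,6 +296,20 @@
 rtn = host->hostt->eh_timed_out(scmd);
 
 if (rtn == BLK_EH_DONE) {
+/*
+ * For blk-mq, we must set the request state to complete now
+ * before sending the request to the scsi error handler. This
+ * will prevent a use-after-free in the event the LLD manages
+ * to complete the request before the error handler finishes
+ * processing this timed out request.
+ *
+ * If the request was already completed, then the LLD beat the
+ * time out handler from transferring the request to the scsi
+ * error handler. In that case we can return immediately as no
+ * further action is required.
+ */
+if (req->q->mq_ops && !blk_mq_mark_complete(req))
+return rtn;
 if (scsi_abort_command(scmd) != SUCCESS) {
 set_host_byte(scmd, DID_TIME_OUT);
 scsi_eh_scmd_add(scmd);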
+5 -4
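--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -221,7 +221,7 @@
 
 ret = bio_iov_iter_get_pages(&bio, iter);
 if (unlikely(ret))
-return ret;
+goto out;
 ret = bio.bi_iter.bi_size;
 
 if (iov_iter_rw(iter) == READ) {
@@ -250,11 +250,12 @@
 put_page(bvec->bv_page);
 }
 
-if (vecs != inline_vecs)
-kfree(vecs);
-
 if (unlikely(bio.bi_status))
 ret = blk_status_to_errno(bio.bi_status);
+
+out:
+if (vecs != inline_vecs)
+kfree(vecs);
 
 bio_uninit(&bio);
 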
+14
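--- a/include/linux/blk-mq.h
+++ b/include/linux/blk-mq.h
@@ -287,6 +287,20 @@
 
 void blk_mq_quiesce_queue_nowait(struct request_queue *q);
 
+/**
+ * blk_mq_mark_complete() - Set request state to complete
+ * @rq: request to set to complete state
+ *
+ * Returns true if request state was successfully set to complete. If
+ * successful, the caller is responsibile for seeing this request is ended, as
+ * blk_mq_complete_request will not work again.
+ */
+static inline bool blk_mq_mark_complete(struct request *rq)
+{
+return cmpxchg(&rq->state, MQ_RQ_IN_FLIGHT, MQ_RQ_COMPLETE) ==
+MQ_RQ_IN_FLIGHT;
+}
+
 /*
  * Driver command data is immediately after the request. So subtract request
  * size to get back to the original request, add request size to get the PDU.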
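Review bot: The kernel-doc for `blk_mq_mark_complete()` misspells "responsible" as "responsibile" and does not say what a false return means for the caller. Since the helper only succeeds when the state was `MQ_RQ_IN_FLIGHT`, I would add `* Returns false if the request was not in the in-flight state; the caller must then not end it.` Both callers in this commit already return early on false, so the sentence only records what they rely on.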