cfq-iosched: handle failure of cfq group allocation

commit 69abaffec7d47a083739b79e3066cb3730eba72e upstream. Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC. In cfq_find_alloc_queue() possible allocation failure is not handled. As a result kernel oopses on NULL pointer dereference when cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer. Bug was introduced in v3.5 in commit cd1604fab4f9 ("blkcg: factor out blkio_group creation"). Prior to that commit cfq group lookup had returned pointer to root group as fallback. This patch handles this error using existing fallback oom_cfqq. Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: Vivek Goyal <vgoyal@redhat.com> Fixes: cd1604fab4f9 ("blkcg: factor out blkio_group creation") Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

cfq-iosched: handle failure of cfq group allocation
commit 69abaffec7d47a083739b79e3066cb3730eba72e upstream. Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC. In cfq_find_alloc_queue() possible allocation failure is not handled. As a result kernel oopses on NULL pointer dereference when cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer. Bug was introduced in v3.5 in commit cd1604fab4f9 ("blkcg: factor out blkio_group creation"). Prior to that commit cfq group lookup had returned pointer to root group as fallback. This patch handles this error using existing fallback oom_cfqq. Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: Vivek Goyal <vgoyal@redhat.com> Fixes: cd1604fab4f9 ("blkcg: factor out blkio_group creation") Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Konstantin Khlebnikov · Greg Kroah-Hartman
1 parent e78f848979
Showing 1 changed file with 6 additions and 1 deletions Side-by-side Diff
block/cfq-iosched.c
@@ -3590,6 +3590,11 @@
  
 	blkcg = bio_blkcg(bio);
 	cfqg = cfq_lookup_create_cfqg(cfqd, blkcg);
+	if (!cfqg) {
+		cfqq = &cfqd->oom_cfqq;
+		goto out;
+	}
+
 	cfqq = cic_to_cfqq(cic, is_sync);
  
 	/*
@@ -3626,7 +3631,7 @@
 		} else
 			cfqq = &cfqd->oom_cfqq;
 	}
-
+out:
 	if (new_cfqq)
 		kmem_cache_free(cfq_pool, new_cfqq);
...	...	@@ -3590,6 +3590,11 @@
3590	3590
3591	3591	blkcg = bio_blkcg(bio);
3592	3592	cfqg = cfq_lookup_create_cfqg(cfqd, blkcg);
	3593	+ if (!cfqg) {
	3594	+ cfqq = &cfqd->oom_cfqq;
	3595	+ goto out;
	3596	+ }
	3597	+
3593	3598	cfqq = cic_to_cfqq(cic, is_sync);
3594	3599
3595	3600	/*
...	...	@@ -3626,7 +3631,7 @@
3626	3631	} else
3627	3632	cfqq = &cfqd->oom_cfqq;
3628	3633	}
3629		-
	3634	+out:
3630	3635	if (new_cfqq)
3631	3636	kmem_cache_free(cfq_pool, new_cfqq);
3632	3637