linux/drivers/block
Jeff Moyer 74c9c9134b mtip32x: fix regression introduced by blk-mq per-hctx flush
Hi,

After commit f70ced0917 (blk-mq: support per-distpatch_queue flush
machinery), the mtip32xx driver may oops upon module load due to walking
off the end of an array in mtip_init_cmd.  On initialization of the
flush_rq, init_request is called with request_index >= the maximum queue
depth the driver supports.  For mtip32xx, this value is used to index
into an array.  What this means is that the driver will walk off the end
of the array, and either oops or cause random memory corruption.

The problem is easily reproduced by doing modprobe/rmmod of the mtip32xx
driver in a loop.  I can typically reproduce the problem in about 30
seconds.

Now, in the case of mtip32xx, it actually doesn't support flush/fua, so
I think we can simply return without doing anything.  In addition, no
other mq-enabled driver does anything with the request_index passed into
init_request(), so no other driver is affected.  However, I'm not really
sure what is expected of drivers.  Ming, what did you envision drivers
would do when initializing the flush requests?

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2015-08-25 14:35:51 -06:00
..
aoe block: remove artifical max_hw_sectors cap 2014-10-21 14:02:54 -06:00
drbd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-07-04 19:36:06 -07:00
mtip32xx mtip32x: fix regression introduced by blk-mq per-hctx flush 2015-08-25 14:35:51 -06:00
paride Char/Misc driver patches for 4.2-rc1 2015-06-26 14:51:15 -07:00
rsxx block/rsxx: use generic io stats accounting functions to simplify io stat accounting 2014-11-24 08:05:18 -07:00
xen-blkback Merge branch 'stable/for-jens-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus 2015-07-27 11:58:41 -06:00
zram zram: fix pool name truncation 2015-08-14 15:56:32 -07:00
DAC960.c block: use pci_zalloc_consistent 2014-08-08 15:57:28 -07:00
DAC960.h
Kconfig libnvdimm, pmem: move pmem to drivers/nvdimm/ 2015-06-24 21:24:10 -04:00
Makefile libnvdimm, pmem: move pmem to drivers/nvdimm/ 2015-06-24 21:24:10 -04:00
amiflop.c block: drop owner assignment from platform_drivers 2014-10-20 16:20:18 +02:00
ataflop.c Merge branch 'for-3.16/core' of git://git.kernel.dk/linux-block into next 2014-06-02 09:29:34 -07:00
brd.c brd: rename XIP to DAX 2015-02-16 17:56:04 -08:00
cciss.c cciss: correct the non-resettable board list 2015-05-31 11:14:34 -07:00
cciss.h
cciss_cmd.h
cciss_scsi.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
cciss_scsi.h
cpqarray.c genirq: Remove the deprecated 'IRQF_DISABLED' request_irq() flag entirely 2015-03-05 20:53:06 +01:00
cpqarray.h
cryptoloop.c move linux/loop.h to drivers/block 2013-06-29 12:46:45 +04:00
floppy.c floppy: Avoid manual call of device_create_file() 2015-02-03 13:00:36 +01:00
hd.c block: hd: remove deprecated IRQF_DISABLED 2014-10-01 08:16:07 -06:00
ida_cmd.h
ida_ioctl.h
loop.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-07-04 19:36:06 -07:00
loop.h block: loop: don't hold lo_ctl_mutex in lo_open 2015-05-20 09:06:09 -06:00
mg_disk.c block: drop owner assignment from platform_drivers 2014-10-20 16:20:18 +02:00
nbd.c block: nbd: convert to blkdev_reread_part() 2015-05-20 09:06:13 -06:00
null_blk.c null_blk: fix use-after-free problem 2015-07-22 13:30:20 -06:00
nvme-core.c NVMe: Reread partitions on metadata formats 2015-07-15 15:36:47 -06:00
nvme-scsi.c Merge branch 'for-4.2/drivers' of git://git.kernel.dk/linux-block 2015-06-25 15:12:50 -07:00
osdblk.c block: support different tag allocation policy 2015-01-23 14:15:46 -07:00
pktcdvd.c writeback: separate out include/linux/backing-dev-defs.h 2015-06-02 08:33:34 -06:00
ps3disk.c block: Kill bio_segments()/bi_vcnt usage 2013-11-23 22:33:51 -08:00
ps3vram.c block/ps3vram: Remove obsolete reference to MTD 2015-06-10 14:06:55 -06:00
rbd.c rbd: fix copyup completion race 2015-07-31 11:38:57 +03:00
rbd_types.h rbd: get rid of RBD_MAX_SEG_NAME_LEN 2012-12-17 08:37:29 -06:00
skd_main.c block: disable entropy contributions for nonrot devices 2014-10-04 10:55:32 -06:00
skd_s1120.h skd: fix formatting in skd_s1120.h 2013-11-08 09:10:30 -07:00
smart1,2.h
sunvdc.c sunvdc: reconnect ldc after vds service domain restarts 2014-12-11 18:52:45 -08:00
swim.c block: drop owner assignment from platform_drivers 2014-10-20 16:20:18 +02:00
swim3.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
swim_asm.S
sx8.c block: rename REQ_TYPE_SPECIAL to REQ_TYPE_DRV_PRIV 2015-05-05 13:40:03 -06:00
umem.c block: Convert drivers to immutable biovecs 2013-11-23 22:33:51 -08:00
umem.h
virtio_blk.c block: rename REQ_TYPE_SPECIAL to REQ_TYPE_DRV_PRIV 2015-05-05 13:40:03 -06:00
xen-blkfront.c Merge branch 'stable/for-jens-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus 2015-07-27 11:58:41 -06:00
xsysace.c block: systemace: Remove .owner field for driver 2014-08-21 20:37:54 -05:00
z2ram.c block: remove struct request buffer member 2014-04-15 14:03:02 -06:00