summaryrefslogtreecommitdiff
path: root/block/blk-sysfs.c
diff options
context:
space:
mode:
authorChristoph Hellwig <hch@lst.de>2021-08-16 15:46:24 +0200
committerJens Axboe <axboe@kernel.dk>2021-08-23 12:54:31 -0600
commitd152c682f03ceb65c0d9663d4ba6ee2d46aa784d (patch)
tree31cc1a85256072b4d65d881472c2f6ace7c10178 /block/blk-sysfs.c
parent61a35cfc26334fe1c8e970ca8fafeae2daae257d (diff)
downloadlwn-d152c682f03ceb65c0d9663d4ba6ee2d46aa784d.tar.gz
lwn-d152c682f03ceb65c0d9663d4ba6ee2d46aa784d.zip
block: add an explicit ->disk backpointer to the request_queue
Replace the magic lookup through the kobject tree with an explicit backpointer, given that the device model links are set up and torn down at times when I/O is still possible, leading to potential NULL or invalid pointer dereferences. Fixes: edb0872f44ec ("block: move the bdi from the request_queue to the gendisk") Reported-by: syzbot <syzbot+aa0801b6b32dca9dda82@syzkaller.appspotmail.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Tested-by: Sven Schnelle <svens@linux.ibm.com> Link: https://lore.kernel.org/r/20210816134624.GA24234@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'block/blk-sysfs.c')
-rw-r--r--block/blk-sysfs.c13
1 files changed, 6 insertions, 7 deletions
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index 586507a5b8c2..7fd99487300c 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -90,9 +90,9 @@ static ssize_t queue_ra_show(struct request_queue *q, char *page)
{
unsigned long ra_kb;
- if (!queue_has_disk(q))
+ if (!q->disk)
return -EINVAL;
- ra_kb = queue_to_disk(q)->bdi->ra_pages << (PAGE_SHIFT - 10);
+ ra_kb = q->disk->bdi->ra_pages << (PAGE_SHIFT - 10);
return queue_var_show(ra_kb, page);
}
@@ -102,12 +102,12 @@ queue_ra_store(struct request_queue *q, const char *page, size_t count)
unsigned long ra_kb;
ssize_t ret;
- if (!queue_has_disk(q))
+ if (!q->disk)
return -EINVAL;
ret = queue_var_store(&ra_kb, page, count);
if (ret < 0)
return ret;
- queue_to_disk(q)->bdi->ra_pages = ra_kb >> (PAGE_SHIFT - 10);
+ q->disk->bdi->ra_pages = ra_kb >> (PAGE_SHIFT - 10);
return ret;
}
@@ -254,9 +254,8 @@ queue_max_sectors_store(struct request_queue *q, const char *page, size_t count)
spin_lock_irq(&q->queue_lock);
q->limits.max_sectors = max_sectors_kb << 1;
- if (queue_has_disk(q))
- queue_to_disk(q)->bdi->io_pages =
- max_sectors_kb >> (PAGE_SHIFT - 10);
+ if (q->disk)
+ q->disk->bdi->io_pages = max_sectors_kb >> (PAGE_SHIFT - 10);
spin_unlock_irq(&q->queue_lock);
return ret;