Commit ba1cbad9 authored by Mike Snitzer's avatar Mike Snitzer Committed by Alasdair G Kergon

dm: handle requests beyond end of device instead of using BUG_ON

The access beyond the end of device BUG_ON that was introduced to
dm_request_fn via commit 29e4013d ("dm: implement
REQ_FLUSH/FUA support for request-based dm") was an overly
drastic (but simple) response to this situation.

I have received a report that this BUG_ON was hit and now think
it would be better to use dm_kill_unmapped_request() to fail the clone
and original request with -EIO.

map_request() will assign the valid target returned by
dm_table_find_target to tio->ti.  But when the target
isn't valid tio->ti is never assigned (because map_request isn't
called); so add a check for tio->ti != NULL to dm_done().
Reported-by: default avatarMike Christie <michaelc@cs.wisc.edu>
Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
Signed-off-by: default avatarJun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: stable@vger.kernel.org # v2.6.37+
Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
parent 7ba10aa6
...@@ -865,10 +865,14 @@ static void dm_done(struct request *clone, int error, bool mapped) ...@@ -865,10 +865,14 @@ static void dm_done(struct request *clone, int error, bool mapped)
{ {
int r = error; int r = error;
struct dm_rq_target_io *tio = clone->end_io_data; struct dm_rq_target_io *tio = clone->end_io_data;
dm_request_endio_fn rq_end_io = tio->ti->type->rq_end_io; dm_request_endio_fn rq_end_io = NULL;
if (mapped && rq_end_io) if (tio->ti) {
r = rq_end_io(tio->ti, clone, error, &tio->info); rq_end_io = tio->ti->type->rq_end_io;
if (mapped && rq_end_io)
r = rq_end_io(tio->ti, clone, error, &tio->info);
}
if (r <= 0) if (r <= 0)
/* The target wants to complete the I/O */ /* The target wants to complete the I/O */
...@@ -1588,15 +1592,6 @@ static int map_request(struct dm_target *ti, struct request *clone, ...@@ -1588,15 +1592,6 @@ static int map_request(struct dm_target *ti, struct request *clone,
int r, requeued = 0; int r, requeued = 0;
struct dm_rq_target_io *tio = clone->end_io_data; struct dm_rq_target_io *tio = clone->end_io_data;
/*
* Hold the md reference here for the in-flight I/O.
* We can't rely on the reference count by device opener,
* because the device may be closed during the request completion
* when all bios are completed.
* See the comment in rq_completed() too.
*/
dm_get(md);
tio->ti = ti; tio->ti = ti;
r = ti->type->map_rq(ti, clone, &tio->info); r = ti->type->map_rq(ti, clone, &tio->info);
switch (r) { switch (r) {
...@@ -1628,6 +1623,26 @@ static int map_request(struct dm_target *ti, struct request *clone, ...@@ -1628,6 +1623,26 @@ static int map_request(struct dm_target *ti, struct request *clone,
return requeued; return requeued;
} }
static struct request *dm_start_request(struct mapped_device *md, struct request *orig)
{
struct request *clone;
blk_start_request(orig);
clone = orig->special;
atomic_inc(&md->pending[rq_data_dir(clone)]);
/*
* Hold the md reference here for the in-flight I/O.
* We can't rely on the reference count by device opener,
* because the device may be closed during the request completion
* when all bios are completed.
* See the comment in rq_completed() too.
*/
dm_get(md);
return clone;
}
/* /*
* q->request_fn for request-based dm. * q->request_fn for request-based dm.
* Called with the queue lock held. * Called with the queue lock held.
...@@ -1657,14 +1672,21 @@ static void dm_request_fn(struct request_queue *q) ...@@ -1657,14 +1672,21 @@ static void dm_request_fn(struct request_queue *q)
pos = blk_rq_pos(rq); pos = blk_rq_pos(rq);
ti = dm_table_find_target(map, pos); ti = dm_table_find_target(map, pos);
BUG_ON(!dm_target_is_valid(ti)); if (!dm_target_is_valid(ti)) {
/*
* Must perform setup, that dm_done() requires,
* before calling dm_kill_unmapped_request
*/
DMERR_LIMIT("request attempted access beyond the end of device");
clone = dm_start_request(md, rq);
dm_kill_unmapped_request(clone, -EIO);
continue;
}
if (ti->type->busy && ti->type->busy(ti)) if (ti->type->busy && ti->type->busy(ti))
goto delay_and_out; goto delay_and_out;
blk_start_request(rq); clone = dm_start_request(md, rq);
clone = rq->special;
atomic_inc(&md->pending[rq_data_dir(clone)]);
spin_unlock(q->queue_lock); spin_unlock(q->queue_lock);
if (map_request(ti, clone, md)) if (map_request(ti, clone, md))
...@@ -1684,8 +1706,6 @@ static void dm_request_fn(struct request_queue *q) ...@@ -1684,8 +1706,6 @@ static void dm_request_fn(struct request_queue *q)
blk_delay_queue(q, HZ / 10); blk_delay_queue(q, HZ / 10);
out: out:
dm_table_put(map); dm_table_put(map);
return;
} }
int dm_underlying_device_busy(struct request_queue *q) int dm_underlying_device_busy(struct request_queue *q)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment