From: yu kuai yukuai3@huawei.com
hulk inclusion category: bugfix bugzilla: 34280 CVE: NA
---------------------------
blk_mq_tagset_busy_iter() is not safe that it could get stale request in tags->rqs[]. Use blk_mq_queue_tag_inflight_iter() here.
Signed-off-by: yu kuai yukuai3@huawei.com Reviewed-by: Hou Tao houtao1@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/block/nbd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 51ba8d0..9b1684a 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -763,7 +763,8 @@ static void recv_work(struct work_struct *work) kfree(args); }
-static void nbd_clear_req(struct request *req, void *data, bool reserved) +static void nbd_clear_req(struct blk_mq_hw_ctx *hctx, + struct request *req, void *data, bool reserved) { struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
@@ -777,7 +778,7 @@ static void nbd_clear_req(struct request *req, void *data, bool reserved) static void nbd_clear_que(struct nbd_device *nbd) { blk_mq_quiesce_queue(nbd->disk->queue); - blk_mq_tagset_busy_iter(&nbd->tag_set, nbd_clear_req, NULL); + blk_mq_queue_tag_inflight_iter(nbd->disk->queue, nbd_clear_req, NULL); blk_mq_unquiesce_queue(nbd->disk->queue); dev_dbg(disk_to_dev(nbd->disk), "queue cleared\n"); }