block, bfq: turn put_queue into release_process_ref in __bfq_bic_change_cgroup

mainline inclusion from mainline-5.7-rc1 commit c8997736 category: bugfix bugzilla: 50775 CVE: NA bfq_release_process_ref() was introduced by commit 478de338 ("block, bfq: deschedule empty bfq_queues not referred by any process"), however, this patch is not related to this issue and involved with other patches, thus we defined it here instead of backport the patch. --------------------------- A bfq_put_queue() may be invoked in __bfq_bic_change_cgroup(). The goal of this put is to release a process reference to a bfq_queue. But process-reference releases may trigger also some extra operation, and, to this goal, are handled through bfq_release_process_ref(). So, turn the invocation of bfq_put_queue() into an invocation of bfq_release_process_ref(). Tested-by: <cki-project@redhat.com> Signed-off-by: Paolo Valente <paolo.valente@linaro.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Yufen Yu <yuyufen@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>

block, bfq: turn put_queue into release_process_ref in __bfq_bic_change_cgroup
mainline inclusion from mainline-5.7-rc1 commit c8997736 category: bugfix bugzilla: 50775 CVE: NA bfq_release_process_ref() was introduced by commit 478de338 ("block, bfq: deschedule empty bfq_queues not referred by any process"), however, this patch is not related to this issue and involved with other patches, thus we defined it here instead of backport the patch. --------------------------- A bfq_put_queue() may be invoked in __bfq_bic_change_cgroup(). The goal of this put is to release a process reference to a bfq_queue. But process-reference releases may trigger also some extra operation, and, to this goal, are handled through bfq_release_process_ref(). So, turn the invocation of bfq_put_queue() into an invocation of bfq_release_process_ref(). Tested-by: <cki-project@redhat.com> Signed-off-by: Paolo Valente <paolo.valente@linaro.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Yufen Yu <yuyufen@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
adf0a9d3 · Paolo Valente · Cheng Jian · 5efbe561 · adf0a9d3
Commit adf0a9d3 authored 4 years ago by Paolo Valente Committed by Cheng Jian 4 years ago
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -595,6 +595,27 @@ void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
 	bfq_put_queue(bfqq);
 }

+static
+void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+{
+	/*
+	 * To prevent bfqq's service guarantees from being violated,
+	 * bfqq may be left busy, i.e., queued for service, even if
+	 * empty (see comments in __bfq_bfqq_expire() for
+	 * details). But, if no process will send requests to bfqq any
+	 * longer, then there is no point in keeping bfqq queued for
+	 * service. In addition, keeping bfqq queued for service, but
+	 * with no process ref any longer, may have caused bfqq to be
+	 * freed when dequeued from service. But this is assumed to
+	 * never happen.
+	 */
+	if (bfq_bfqq_busy(bfqq) && RB_EMPTY_ROOT(&bfqq->sort_list) &&
+	    bfqq != bfqd->in_service_queue)
+		bfq_del_bfqq_busy(bfqd, bfqq, false);
+
+	bfq_put_queue(bfqq);
+}
+
 /**
 * __bfq_bic_change_cgroup - move @bic to @cgroup.
 * @bfqd: the queue descriptor.
@@ -628,10 +649,7 @@ static struct bfq_group *__bfq_bic_change_cgroup(struct bfq_data *bfqd,

 		if (entity->sched_data != &bfqg->sched_data) {
 			bic_set_bfqq(bic, NULL, 0);
-			bfq_log_bfqq(bfqd, async_bfqq,
-				     "bic_change_group: %p %d",
-				     async_bfqq, async_bfqq->ref);
-			bfq_put_queue(async_bfqq);
+			bfq_release_process_ref(bfqd, async_bfqq);
 		}
 	}