--- /dev/null
+From ffe81d45322cc3cb140f0db080a4727ea284661e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 4 Dec 2018 20:06:48 -0700
+Subject: blk-mq: fix corruption with direct issue
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit ffe81d45322cc3cb140f0db080a4727ea284661e upstream.
+
+If we attempt a direct issue to a SCSI device, and it returns BUSY, then
+we queue the request up normally. However, the SCSI layer may have
+already setup SG tables etc for this particular command. If we later
+merge with this request, then the old tables are no longer valid. Once
+we issue the IO, we only read/write the original part of the request,
+not the new state of it.
+
+This causes data corruption, and is most often noticed with the file
+system complaining about the just read data being invalid:
+
+[ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256)
+
+because most of it is garbage...
+
+This doesn't happen from the normal issue path, as we will simply defer
+the request to the hardware queue dispatch list if we fail. Once it's on
+the dispatch list, we never merge with it.
+
+Fix this from the direct issue path by flagging the request as
+REQ_NOMERGE so we don't change the size of it before issue.
+
+See also:
+ https://bugzilla.kernel.org/show_bug.cgi?id=201685
+
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1698,6 +1698,15 @@ static blk_status_t __blk_mq_issue_direc
+ break;
+ case BLK_STS_RESOURCE:
+ case BLK_STS_DEV_RESOURCE:
++ /*
++ * If direct dispatch fails, we cannot allow any merging on
++ * this IO. Drivers (like SCSI) may have set up permanent state
++ * for this request, like SG tables and mappings, and if we
++ * merge to it later on then we'll still only do IO to the
++ * original part.
++ */
++ rq->cmd_flags |= REQ_NOMERGE;
++
+ blk_mq_update_dispatch_busy(hctx, true);
+ __blk_mq_requeue_request(rq);
+ break;
+@@ -1710,6 +1719,18 @@ static blk_status_t __blk_mq_issue_direc
+ return ret;
+ }
+
++/*
++ * Don't allow direct dispatch of anything but regular reads/writes,
++ * as some of the other commands can potentially share request space
++ * with data we need for the IO scheduler. If we attempt a direct dispatch
++ * on those and fail, we can't safely add it to the scheduler afterwards
++ * without potentially overwriting data that the driver has already written.
++ */
++static bool blk_rq_can_direct_dispatch(struct request *rq)
++{
++ return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
++}
++
+ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
+ struct request *rq,
+ blk_qc_t *cookie,
+@@ -1731,7 +1752,7 @@ static blk_status_t __blk_mq_try_issue_d
+ goto insert;
+ }
+
+- if (q->elevator && !bypass_insert)
++ if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
+ goto insert;
+
+ if (!blk_mq_get_dispatch_budget(hctx))
+@@ -1793,6 +1814,9 @@ void blk_mq_try_issue_list_directly(stru
+ struct request *rq = list_first_entry(list, struct request,
+ queuelist);
+
++ if (!blk_rq_can_direct_dispatch(rq))
++ break;
++
+ list_del_init(&rq->queuelist);
+ ret = blk_mq_request_issue_directly(rq);
+ if (ret != BLK_STS_OK) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
