From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: "Williams, Dan J" Subject: Re: [PATCH] block: protect rw_page against device teardown Date: Fri, 20 Nov 2015 18:26:19 +0000 Message-ID: <1448043978.29114.1.camel@intel.com> References: <201511200825.O2a2KLtg%fengguang.wu@intel.com> <1447980689.20885.16.camel@intel.com> <20151120181228.GE18246@linux.intel.com> In-Reply-To: <20151120181228.GE18246@linux.intel.com> Content-Language: en-US Content-Type: text/plain; charset="utf-8" Content-ID: <3C9BEFE31A4D1A41A216BF6264E82D6B@intel.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org To: "willy@linux.intel.com" Cc: "linux-kernel@vger.kernel.org" , "linux-nvdimm@lists.01.org" , "linux-block@vger.kernel.org" , "stable@vger.kernel.org" , "axboe@fb.com" , "viro@zeniv.linux.org.uk" List-ID: T24gRnJpLCAyMDE1LTExLTIwIGF0IDEzOjEyIC0wNTAwLCBNYXR0aGV3IFdpbGNveCB3cm90ZToN Cj4gSSdkIHByZWZlciBiZGV2X3JlYWRfcGFnZSgpIGFuZCBiZGV2X3dyaXRlX3BhZ2UoKSB0byBi ZSBhIGJpdCBtb3JlDQo+IGNvbnNpc3RlbnQNCj4gKGVnICdyYycgdnMgJ3Jlc3VsdCcpLCBidXQ6 DQo+IA0KPiBBY2tlZC1ieTogTWF0dGhldyBXaWxjb3ggPHdpbGx5QGxpbnV4LmludGVsLmNvbT4N Cg0KVGhhbmtzISDCoEZpeGVkIHVwIHZlcnNpb246DQoNCjg8LS0tLQ0KU3ViamVjdDogYmxvY2s6 IHByb3RlY3QgcndfcGFnZSBhZ2FpbnN0IGRldmljZSB0ZWFyZG93bg0KDQpGcm9tOiBEYW4gV2ls bGlhbXMgPGRhbi5qLndpbGxpYW1zQGludGVsLmNvbT4NCg0KRml4IHVzZSBhZnRlciBmcmVlIGNy YXNoZXMgbGlrZSB0aGUgZm9sbG93aW5nOg0KDQrCoGdlbmVyYWwgcHJvdGVjdGlvbiBmYXVsdDog MDAwMCBbIzFdIFNNUA0KwqBDYWxsIFRyYWNlOg0KwqAgWzxmZmZmZmZmZmEwMDUwMjE2Pl0gPyBw bWVtX2RvX2J2ZWMuaXNyYS4xMisweGE2LzB4ZjAgW25kX3BtZW1dDQrCoCBbPGZmZmZmZmZmYTAw NTBiYTI+XSBwbWVtX3J3X3BhZ2UrMHg0Mi8weDgwIFtuZF9wbWVtXQ0KwqAgWzxmZmZmZmZmZjgx MjhmZDkwPl0gYmRldl9yZWFkX3BhZ2UrMHg1MC8weDYwDQrCoCBbPGZmZmZmZmZmODEyOTcyZjA+ XSBkb19tcGFnZV9yZWFkcGFnZSsweDUxMC8weDc3MA0KwqAgWzxmZmZmZmZmZjgxMjhmZDIwPl0g PyBJX0JERVYrMHgyMC8weDIwDQrCoCBbPGZmZmZmZmZmODExZDg2ZGM+XSA/IGxydV9jYWNoZV9h ZGQrMHgxYy8weDUwDQrCoCBbPGZmZmZmZmZmODEyOTc2NTc+XSBtcGFnZV9yZWFkcGFnZXMrMHgx MDcvMHgxNzANCsKgIFs8ZmZmZmZmZmY4MTI4ZmQyMD5dID8gSV9CREVWKzB4MjAvMHgyMA0KwqAg WzxmZmZmZmZmZjgxMjhmZDIwPl0gPyBJX0JERVYrMHgyMC8weDIwDQrCoCBbPGZmZmZmZmZmODEy OTA1OGQ+XSBibGtkZXZfcmVhZHBhZ2VzKzB4MWQvMHgyMA0KwqAgWzxmZmZmZmZmZjgxMWQ2MTVm Pl0gX19kb19wYWdlX2NhY2hlX3JlYWRhaGVhZCsweDI4Zi8weDMxMA0KwqAgWzxmZmZmZmZmZjgx MWQ2MDM5Pl0gPyBfX2RvX3BhZ2VfY2FjaGVfcmVhZGFoZWFkKzB4MTY5LzB4MzEwDQrCoCBbPGZm ZmZmZmZmODExYzVhYmQ+XSA/IHBhZ2VjYWNoZV9nZXRfcGFnZSsweDJkLzB4MWQwDQrCoCBbPGZm ZmZmZmZmODExYzc2ZjY+XSBmaWxlbWFwX2ZhdWx0KzB4Mzk2LzB4NTMwDQrCoCBbPGZmZmZmZmZm ODExZjgxNmU+XSBfX2RvX2ZhdWx0KzB4NGUvMHhmMA0KwqAgWzxmZmZmZmZmZjgxMWZjZTdkPl0g aGFuZGxlX21tX2ZhdWx0KzB4MTFiZC8weDFiNTANCg0KQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwu b3JnPg0KQ2M6IEplbnMgQXhib2UgPGF4Ym9lQGZiLmNvbT4NCkNjOiBBbGV4YW5kZXIgVmlybyA8 dmlyb0B6ZW5pdi5saW51eC5vcmcudWs+DQpSZXBvcnRlZC1ieToga2J1aWxkIHRlc3Qgcm9ib3Qg PGxrcEBpbnRlbC5jb20+DQpBY2tlZC1ieTogTWF0dGhldyBXaWxjb3ggPHdpbGx5QGxpbnV4Lmlu dGVsLmNvbT4NClt3aWxseTogc3ltbWV0cnkgZml4dXBzXQ0KU2lnbmVkLW9mZi1ieTogRGFuIFdp bGxpYW1zIDxkYW4uai53aWxsaWFtc0BpbnRlbC5jb20+DQotLS0NCsKgYmxvY2svYmxrLmjCoMKg wqDCoMKgwqDCoMKgwqDCoMKgwqB8wqDCoMKgwqAyIC0tDQrCoGZzL2Jsb2NrX2Rldi5jwqDCoMKg wqDCoMKgwqDCoMKgfMKgwqDCoDE4ICsrKysrKysrKysrKysrKystLQ0KwqBpbmNsdWRlL2xpbnV4 L2Jsa2Rldi5oIHzCoMKgwqDCoDIgKysNCsKgMyBmaWxlcyBjaGFuZ2VkLCAxOCBpbnNlcnRpb25z KCspLCA0IGRlbGV0aW9ucygtKQ0KDQpkaWZmIC0tZ2l0IGEvYmxvY2svYmxrLmggYi9ibG9jay9i bGsuaA0KaW5kZXggZGE3MjJlYjc4NmRmLi5jNDM5MjZkM2Q3NGQgMTAwNjQ0DQotLS0gYS9ibG9j ay9ibGsuaA0KKysrIGIvYmxvY2svYmxrLmgNCkBAIC03Miw4ICs3Miw2IEBAIHZvaWQgYmxrX2Rl cXVldWVfcmVxdWVzdChzdHJ1Y3QgcmVxdWVzdCAqcnEpOw0KwqB2b2lkIF9fYmxrX3F1ZXVlX2Zy ZWVfdGFncyhzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqcSk7DQrCoGJvb2wgX19ibGtfZW5kX2JpZGlf cmVxdWVzdChzdHJ1Y3QgcmVxdWVzdCAqcnEsIGludCBlcnJvciwNCsKgCQkJwqDCoMKgwqB1bnNp Z25lZCBpbnQgbnJfYnl0ZXMsIHVuc2lnbmVkIGludCBiaWRpX2J5dGVzKTsNCi1pbnQgYmxrX3F1 ZXVlX2VudGVyKHN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxLCBnZnBfdCBnZnApOw0KLXZvaWQgYmxr X3F1ZXVlX2V4aXQoc3RydWN0IHJlcXVlc3RfcXVldWUgKnEpOw0KwqB2b2lkIGJsa19mcmVlemVf cXVldWUoc3RydWN0IHJlcXVlc3RfcXVldWUgKnEpOw0KwqANCsKgc3RhdGljIGlubGluZSB2b2lk IGJsa19xdWV1ZV9lbnRlcl9saXZlKHN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxKQ0KZGlmZiAtLWdp dCBhL2ZzL2Jsb2NrX2Rldi5jIGIvZnMvYmxvY2tfZGV2LmMNCmluZGV4IGJiMGRmYjFjN2FmMS4u YzI1NjM5ZTkwN2JkIDEwMDY0NA0KLS0tIGEvZnMvYmxvY2tfZGV2LmMNCisrKyBiL2ZzL2Jsb2Nr X2Rldi5jDQpAQCAtMzkwLDkgKzM5MCwxNyBAQCBpbnQgYmRldl9yZWFkX3BhZ2Uoc3RydWN0IGJs b2NrX2RldmljZSAqYmRldiwgc2VjdG9yX3Qgc2VjdG9yLA0KwqAJCQlzdHJ1Y3QgcGFnZSAqcGFn ZSkNCsKgew0KwqAJY29uc3Qgc3RydWN0IGJsb2NrX2RldmljZV9vcGVyYXRpb25zICpvcHMgPSBi ZGV2LT5iZF9kaXNrLT5mb3BzOw0KKwlpbnQgcmVzdWx0ID0gLUVPUE5PVFNVUFA7DQorDQrCoAlp ZiAoIW9wcy0+cndfcGFnZSB8fCBiZGV2X2dldF9pbnRlZ3JpdHkoYmRldikpDQotCQlyZXR1cm4g LUVPUE5PVFNVUFA7DQotCXJldHVybiBvcHMtPnJ3X3BhZ2UoYmRldiwgc2VjdG9yICsgZ2V0X3N0 YXJ0X3NlY3QoYmRldiksIHBhZ2UsIFJFQUQpOw0KKwkJcmV0dXJuIHJlc3VsdDsNCisNCisJcmVz dWx0ID0gYmxrX3F1ZXVlX2VudGVyKGJkZXYtPmJkX3F1ZXVlLCBHRlBfS0VSTkVMKTsNCisJaWYg KHJlc3VsdCkNCisJCXJldHVybiByZXN1bHQ7DQorCXJlc3VsdCA9IG9wcy0+cndfcGFnZShiZGV2 LCBzZWN0b3IgKyBnZXRfc3RhcnRfc2VjdChiZGV2KSwgcGFnZSwgUkVBRCk7DQorCWJsa19xdWV1 ZV9leGl0KGJkZXYtPmJkX3F1ZXVlKTsNCisJcmV0dXJuIHJlc3VsdDsNCsKgfQ0KwqBFWFBPUlRf U1lNQk9MX0dQTChiZGV2X3JlYWRfcGFnZSk7DQrCoA0KQEAgLTQyMSwxNCArNDI5LDIwIEBAIGlu dCBiZGV2X3dyaXRlX3BhZ2Uoc3RydWN0IGJsb2NrX2RldmljZSAqYmRldiwgc2VjdG9yX3Qgc2Vj dG9yLA0KwqAJaW50IHJlc3VsdDsNCsKgCWludCBydyA9ICh3YmMtPnN5bmNfbW9kZSA9PSBXQl9T WU5DX0FMTCkgPyBXUklURV9TWU5DIDogV1JJVEU7DQrCoAljb25zdCBzdHJ1Y3QgYmxvY2tfZGV2 aWNlX29wZXJhdGlvbnMgKm9wcyA9IGJkZXYtPmJkX2Rpc2stPmZvcHM7DQorDQrCoAlpZiAoIW9w cy0+cndfcGFnZSB8fCBiZGV2X2dldF9pbnRlZ3JpdHkoYmRldikpDQrCoAkJcmV0dXJuIC1FT1BO T1RTVVBQOw0KKwlyZXN1bHQgPSBibGtfcXVldWVfZW50ZXIoYmRldi0+YmRfcXVldWUsIEdGUF9L RVJORUwpOw0KKwlpZiAocmVzdWx0KQ0KKwkJcmV0dXJuIHJlc3VsdDsNCisNCsKgCXNldF9wYWdl X3dyaXRlYmFjayhwYWdlKTsNCsKgCXJlc3VsdCA9IG9wcy0+cndfcGFnZShiZGV2LCBzZWN0b3Ig KyBnZXRfc3RhcnRfc2VjdChiZGV2KSwgcGFnZSwgcncpOw0KwqAJaWYgKHJlc3VsdCkNCsKgCQll bmRfcGFnZV93cml0ZWJhY2socGFnZSk7DQrCoAllbHNlDQrCoAkJdW5sb2NrX3BhZ2UocGFnZSk7 DQorCWJsa19xdWV1ZV9leGl0KGJkZXYtPmJkX3F1ZXVlKTsNCsKgCXJldHVybiByZXN1bHQ7DQrC oH0NCsKgRVhQT1JUX1NZTUJPTF9HUEwoYmRldl93cml0ZV9wYWdlKTsNCmRpZmYgLS1naXQgYS9p bmNsdWRlL2xpbnV4L2Jsa2Rldi5oIGIvaW5jbHVkZS9saW51eC9ibGtkZXYuaA0KaW5kZXggM2Zl MjdmOGQ5MWYwLi5jMGQyYjc5MjdjMWYgMTAwNjQ0DQotLS0gYS9pbmNsdWRlL2xpbnV4L2Jsa2Rl di5oDQorKysgYi9pbmNsdWRlL2xpbnV4L2Jsa2Rldi5oDQpAQCAtNzk0LDYgKzc5NCw4IEBAIGV4 dGVybiBpbnQgc2NzaV9jbWRfaW9jdGwoc3RydWN0IHJlcXVlc3RfcXVldWUgKiwgc3RydWN0IGdl bmRpc2sgKiwgZm1vZGVfdCwNCsKgZXh0ZXJuIGludCBzZ19zY3NpX2lvY3RsKHN0cnVjdCByZXF1 ZXN0X3F1ZXVlICosIHN0cnVjdCBnZW5kaXNrICosIGZtb2RlX3QsDQrCoAkJCcKgc3RydWN0IHNj c2lfaW9jdGxfY29tbWFuZCBfX3VzZXIgKik7DQrCoA0KK2V4dGVybiBpbnQgYmxrX3F1ZXVlX2Vu dGVyKHN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxLCBnZnBfdCBnZnApOw0KK2V4dGVybiB2b2lkIGJs a19xdWV1ZV9leGl0KHN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxKTsNCsKgZXh0ZXJuIHZvaWQgYmxr X3N0YXJ0X3F1ZXVlKHN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxKTsNCsKgZXh0ZXJuIHZvaWQgYmxr X3N0b3BfcXVldWUoc3RydWN0IHJlcXVlc3RfcXVldWUgKnEpOw0KwqBleHRlcm4gdm9pZCBibGtf c3luY19xdWV1ZShzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqcSk7 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1162034AbbKTS0Y (ORCPT ); Fri, 20 Nov 2015 13:26:24 -0500 Received: from mga11.intel.com ([192.55.52.93]:23146 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759671AbbKTS0V (ORCPT ); Fri, 20 Nov 2015 13:26:21 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,323,1444719600"; d="scan'208";a="825432557" From: "Williams, Dan J" To: "willy@linux.intel.com" CC: "linux-kernel@vger.kernel.org" , "linux-nvdimm@lists.01.org" , "linux-block@vger.kernel.org" , "stable@vger.kernel.org" , "axboe@fb.com" , "viro@zeniv.linux.org.uk" Subject: Re: [PATCH] block: protect rw_page against device teardown Thread-Topic: [PATCH] block: protect rw_page against device teardown Thread-Index: AQHRIyhuSG9JiWRUaU+5Fg2UB8U5lp6klY0AgAAFbYCAASLZAIAAA90A Date: Fri, 20 Nov 2015 18:26:19 +0000 Message-ID: <1448043978.29114.1.camel@intel.com> References: <201511200825.O2a2KLtg%fengguang.wu@intel.com> <1447980689.20885.16.camel@intel.com> <20151120181228.GE18246@linux.intel.com> In-Reply-To: <20151120181228.GE18246@linux.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.252.137.149] Content-Type: text/plain; charset="utf-8" Content-ID: <3C9BEFE31A4D1A41A216BF6264E82D6B@intel.com> MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id tAKIQSfv003032 On Fri, 2015-11-20 at 13:12 -0500, Matthew Wilcox wrote: > I'd prefer bdev_read_page() and bdev_write_page() to be a bit more > consistent > (eg 'rc' vs 'result'), but: > > Acked-by: Matthew Wilcox Thanks!  Fixed up version: 8<---- Subject: block: protect rw_page against device teardown From: Dan Williams Fix use after free crashes like the following:  general protection fault: 0000 [#1] SMP  Call Trace:   [] ? pmem_do_bvec.isra.12+0xa6/0xf0 [nd_pmem]   [] pmem_rw_page+0x42/0x80 [nd_pmem]   [] bdev_read_page+0x50/0x60   [] do_mpage_readpage+0x510/0x770   [] ? I_BDEV+0x20/0x20   [] ? lru_cache_add+0x1c/0x50   [] mpage_readpages+0x107/0x170   [] ? I_BDEV+0x20/0x20   [] ? I_BDEV+0x20/0x20   [] blkdev_readpages+0x1d/0x20   [] __do_page_cache_readahead+0x28f/0x310   [] ? __do_page_cache_readahead+0x169/0x310   [] ? pagecache_get_page+0x2d/0x1d0   [] filemap_fault+0x396/0x530   [] __do_fault+0x4e/0xf0   [] handle_mm_fault+0x11bd/0x1b50 Cc: Cc: Jens Axboe Cc: Alexander Viro Reported-by: kbuild test robot Acked-by: Matthew Wilcox [willy: symmetry fixups] Signed-off-by: Dan Williams ---  block/blk.h            |    2 --  fs/block_dev.c         |   18 ++++++++++++++++--  include/linux/blkdev.h |    2 ++  3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/block/blk.h b/block/blk.h index da722eb786df..c43926d3d74d 100644 --- a/block/blk.h +++ b/block/blk.h @@ -72,8 +72,6 @@ void blk_dequeue_request(struct request *rq);  void __blk_queue_free_tags(struct request_queue *q);  bool __blk_end_bidi_request(struct request *rq, int error,       unsigned int nr_bytes, unsigned int bidi_bytes); -int blk_queue_enter(struct request_queue *q, gfp_t gfp); -void blk_queue_exit(struct request_queue *q);  void blk_freeze_queue(struct request_queue *q);    static inline void blk_queue_enter_live(struct request_queue *q) diff --git a/fs/block_dev.c b/fs/block_dev.c index bb0dfb1c7af1..c25639e907bd 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -390,9 +390,17 @@ int bdev_read_page(struct block_device *bdev, sector_t sector,   struct page *page)  {   const struct block_device_operations *ops = bdev->bd_disk->fops; + int result = -EOPNOTSUPP; +   if (!ops->rw_page || bdev_get_integrity(bdev)) - return -EOPNOTSUPP; - return ops->rw_page(bdev, sector + get_start_sect(bdev), page, READ); + return result; + + result = blk_queue_enter(bdev->bd_queue, GFP_KERNEL); + if (result) + return result; + result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, READ); + blk_queue_exit(bdev->bd_queue); + return result;  }  EXPORT_SYMBOL_GPL(bdev_read_page);   @@ -421,14 +429,20 @@ int bdev_write_page(struct block_device *bdev, sector_t sector,   int result;   int rw = (wbc->sync_mode == WB_SYNC_ALL) ? WRITE_SYNC : WRITE;   const struct block_device_operations *ops = bdev->bd_disk->fops; +   if (!ops->rw_page || bdev_get_integrity(bdev))   return -EOPNOTSUPP; + result = blk_queue_enter(bdev->bd_queue, GFP_KERNEL); + if (result) + return result; +   set_page_writeback(page);   result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, rw);   if (result)   end_page_writeback(page);   else   unlock_page(page); + blk_queue_exit(bdev->bd_queue);   return result;  }  EXPORT_SYMBOL_GPL(bdev_write_page); diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index 3fe27f8d91f0..c0d2b7927c1f 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -794,6 +794,8 @@ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,  extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,    struct scsi_ioctl_command __user *);   +extern int blk_queue_enter(struct request_queue *q, gfp_t gfp); +extern void blk_queue_exit(struct request_queue *q);  extern void blk_start_queue(struct request_queue *q);  extern void blk_stop_queue(struct request_queue *q);  extern void blk_sync_queue(struct request_queue *q);{.n++%ݶw{.n+{G{ayʇڙ,jfhz_(階ݢj"mG?&~iOzv^m ?I