From: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Yu Kuai <yukuai1-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
Cc: Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
Li Nan <linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
josef-DigfWCa+lFGyeJad7bwFQA@public.gmane.org,
axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-block-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
yi.zhang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org,
"yukuai (C)" <yukuai3-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH -next v2 8/9] block: fix null-pointer dereference in ioc_pd_init
Date: Mon, 12 Dec 2022 13:10:26 -1000 [thread overview]
Message-ID: <Y5e04oKUEEBXqaar@slm.duckdns.org> (raw)
In-Reply-To: <96487803-12cc-a694-0099-784106596fd1-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
Hello,
On Mon, Dec 05, 2022 at 05:32:17PM +0800, Yu Kuai wrote:
> 1) queue_lock is held to protect rq_qos_add() and rq_qos_del(), whlie
> it's not held to protect rq_qos_exit(), which is absolutely not safe
> because they can be called concurrently by configuring iocost and
> removing device.
> I'm thinking about holding the lock to fetch the list and reset
> q->rq_qos first:
>
> diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c
> index 88f0fe7dcf54..271ad65eebd9 100644
> --- a/block/blk-rq-qos.c
> +++ b/block/blk-rq-qos.c
> @@ -288,9 +288,15 @@ void rq_qos_wait(struct rq_wait *rqw, void
> *private_data,
>
> void rq_qos_exit(struct request_queue *q)
> {
> - while (q->rq_qos) {
> - struct rq_qos *rqos = q->rq_qos;
> - q->rq_qos = rqos->next;
> + struct rq_qos *rqos;
> +
> + spin_lock_irq(&q->queue_lock);
> + rqos = q->rq_qos;
> + q->rq_qos = NULL;
> + spin_unlock_irq(&q->queue_lock);
> +
> + while (rqos) {
> rqos->ops->exit(rqos);
> + rqos = rqos->next;
> }
> }
>
> 2) rq_qos_add() can still succeed after rq_qos_exit() is done, which
> will cause memory leak. Hence a checking is required beforing adding
> to q->rq_qos. I'm thinking about flag QUEUE_FLAG_DYING first, but the
> flag will not set if disk state is not marked GD_OWNS_QUEUE. Since
> blk_unregister_queue() is called before rq_qos_exit(), use the queue
> flag QUEUE_FLAG_REGISTERED should be OK.
>
> For the current problem that device can be removed while initializing
> , I'm thinking about some possible solutions:
>
> Since bfq is initialized in elevator initialization, and others are
> in queue initialization, such problem is only possible in iocost, hence
> it make sense to fix it in iocost:
So, iolatency is likely to switch to similar lazy init scheme, so we better
fix it in the rq_qos / core block layer.
...
> 3) Or is it better to fix it in the higher level? For example:
> add a new restriction that blkcg_deactivate_policy() should be called
> with blkcg_activate_policy() in pairs, and blkcg_deactivate_policy()
> will wait for blkcg_activate_policy() to finish. Something like:
>
> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
> index ef4fef1af909..6266f702157f 100644
> --- a/block/blk-cgroup.c
> +++ b/block/blk-cgroup.c
> @@ -1410,7 +1410,7 @@ int blkcg_activate_policy(struct request_queue *q,
> struct blkcg_gq *blkg, *pinned_blkg = NULL;
> int ret;
>
> - if (blkcg_policy_enabled(q, pol))
> + if (WARN_ON_ONCE(blkcg_policy_enabled(q, pol)))
> return 0;
>
> if (queue_is_mq(q))
> @@ -1477,6 +1477,8 @@ int blkcg_activate_policy(struct request_queue *q,
> blkg_put(pinned_blkg);
> if (pd_prealloc)
> pol->pd_free_fn(pd_prealloc);
> + if (!ret)
> + wake_up(q->policy_waitq);
> return ret;
>
> enomem:
> @@ -1512,7 +1514,7 @@ void blkcg_deactivate_policy(struct request_queue *q,
> struct blkcg_gq *blkg;
>
> if (!blkcg_policy_enabled(q, pol))
> - return;
> + wait_event(q->policy_waitq, blkcg_policy_enabled(q, pol));
> wait_event(q->xxx, blkcg_policy_enabled(q, pol));
Yeah, along this line but hopefully something simpler like a mutex.
Thanks.
--
tejun
WARNING: multiple messages have this Message-ID (diff)
From: Tejun Heo <tj@kernel.org>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: Christoph Hellwig <hch@infradead.org>,
Li Nan <linan122@huawei.com>,
josef@toxicpanda.com, axboe@kernel.dk, cgroups@vger.kernel.org,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
yi.zhang@huawei.com, "yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH -next v2 8/9] block: fix null-pointer dereference in ioc_pd_init
Date: Mon, 12 Dec 2022 13:10:26 -1000 [thread overview]
Message-ID: <Y5e04oKUEEBXqaar@slm.duckdns.org> (raw)
In-Reply-To: <96487803-12cc-a694-0099-784106596fd1@huaweicloud.com>
Hello,
On Mon, Dec 05, 2022 at 05:32:17PM +0800, Yu Kuai wrote:
> 1) queue_lock is held to protect rq_qos_add() and rq_qos_del(), whlie
> it's not held to protect rq_qos_exit(), which is absolutely not safe
> because they can be called concurrently by configuring iocost and
> removing device.
> I'm thinking about holding the lock to fetch the list and reset
> q->rq_qos first:
>
> diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c
> index 88f0fe7dcf54..271ad65eebd9 100644
> --- a/block/blk-rq-qos.c
> +++ b/block/blk-rq-qos.c
> @@ -288,9 +288,15 @@ void rq_qos_wait(struct rq_wait *rqw, void
> *private_data,
>
> void rq_qos_exit(struct request_queue *q)
> {
> - while (q->rq_qos) {
> - struct rq_qos *rqos = q->rq_qos;
> - q->rq_qos = rqos->next;
> + struct rq_qos *rqos;
> +
> + spin_lock_irq(&q->queue_lock);
> + rqos = q->rq_qos;
> + q->rq_qos = NULL;
> + spin_unlock_irq(&q->queue_lock);
> +
> + while (rqos) {
> rqos->ops->exit(rqos);
> + rqos = rqos->next;
> }
> }
>
> 2) rq_qos_add() can still succeed after rq_qos_exit() is done, which
> will cause memory leak. Hence a checking is required beforing adding
> to q->rq_qos. I'm thinking about flag QUEUE_FLAG_DYING first, but the
> flag will not set if disk state is not marked GD_OWNS_QUEUE. Since
> blk_unregister_queue() is called before rq_qos_exit(), use the queue
> flag QUEUE_FLAG_REGISTERED should be OK.
>
> For the current problem that device can be removed while initializing
> , I'm thinking about some possible solutions:
>
> Since bfq is initialized in elevator initialization, and others are
> in queue initialization, such problem is only possible in iocost, hence
> it make sense to fix it in iocost:
So, iolatency is likely to switch to similar lazy init scheme, so we better
fix it in the rq_qos / core block layer.
...
> 3) Or is it better to fix it in the higher level? For example:
> add a new restriction that blkcg_deactivate_policy() should be called
> with blkcg_activate_policy() in pairs, and blkcg_deactivate_policy()
> will wait for blkcg_activate_policy() to finish. Something like:
>
> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
> index ef4fef1af909..6266f702157f 100644
> --- a/block/blk-cgroup.c
> +++ b/block/blk-cgroup.c
> @@ -1410,7 +1410,7 @@ int blkcg_activate_policy(struct request_queue *q,
> struct blkcg_gq *blkg, *pinned_blkg = NULL;
> int ret;
>
> - if (blkcg_policy_enabled(q, pol))
> + if (WARN_ON_ONCE(blkcg_policy_enabled(q, pol)))
> return 0;
>
> if (queue_is_mq(q))
> @@ -1477,6 +1477,8 @@ int blkcg_activate_policy(struct request_queue *q,
> blkg_put(pinned_blkg);
> if (pd_prealloc)
> pol->pd_free_fn(pd_prealloc);
> + if (!ret)
> + wake_up(q->policy_waitq);
> return ret;
>
> enomem:
> @@ -1512,7 +1514,7 @@ void blkcg_deactivate_policy(struct request_queue *q,
> struct blkcg_gq *blkg;
>
> if (!blkcg_policy_enabled(q, pol))
> - return;
> + wait_event(q->policy_waitq, blkcg_policy_enabled(q, pol));
> wait_event(q->xxx, blkcg_policy_enabled(q, pol));
Yeah, along this line but hopefully something simpler like a mutex.
Thanks.
--
tejun
next prev parent reply other threads:[~2022-12-12 23:10 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-30 13:21 [PATCH -next v2 0/9] iocost bugfix Li Nan
2022-11-30 13:21 ` Li Nan
2022-11-30 13:21 ` [PATCH -next v2 1/9] blk-iocost: cleanup ioc_qos_write() and ioc_cost_model_write() Li Nan
2022-11-30 13:21 ` Li Nan
2022-11-30 15:54 ` Christoph Hellwig
[not found] ` <Y4d801NjwwT0voKA-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2022-11-30 15:55 ` Christoph Hellwig
2022-11-30 15:55 ` Christoph Hellwig
[not found] ` <20221130132156.2836184-2-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:31 ` Tejun Heo
2022-11-30 20:31 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 2/9] blk-iocost: improve hanlder of match_u64() Li Nan
2022-11-30 13:21 ` Li Nan
2022-11-30 20:32 ` Tejun Heo
[not found] ` <Y4e90zFnhhq764lP-NiLfg/pYEd1N0TnZuCh8vA@public.gmane.org>
2022-12-01 2:15 ` Yu Kuai
2022-12-01 2:15 ` Yu Kuai
[not found] ` <7e4f1cea-2691-9b81-35f6-0dd236149f56-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
2022-12-01 10:08 ` Tejun Heo
2022-12-01 10:08 ` Tejun Heo
2022-12-01 13:47 ` Yu Kuai
2022-11-30 13:21 ` [PATCH -next v2 4/9] blk-iocost: read params inside lock in sysfs apis Li Nan
2022-11-30 13:21 ` Li Nan
[not found] ` <20221130132156.2836184-5-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:16 ` Tejun Heo
2022-11-30 20:16 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 6/9] blk-iocost: change div64_u64 to DIV64_U64_ROUND_UP in ioc_refresh_params() Li Nan
2022-11-30 13:21 ` Li Nan
[not found] ` <20221130132156.2836184-7-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:22 ` Tejun Heo
2022-11-30 20:22 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 7/9] blk-iocost: fix UAF in ioc_pd_free Li Nan
2022-11-30 13:21 ` Li Nan
[not found] ` <20221130132156.2836184-8-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:42 ` Tejun Heo
2022-11-30 20:42 ` Tejun Heo
[not found] ` <Y4fAJpKcVL7Q9hgY-NiLfg/pYEd1N0TnZuCh8vA@public.gmane.org>
2022-12-06 7:53 ` Yu Kuai
2022-12-06 7:53 ` Yu Kuai
[not found] ` <20221130132156.2836184-1-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 13:21 ` [PATCH -next v2 3/9] blk-iocost: don't allow to configure bio based device Li Nan
2022-11-30 13:21 ` Li Nan
[not found] ` <20221130132156.2836184-4-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:15 ` Tejun Heo
2022-11-30 20:15 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 5/9] blk-iocost: fix divide by 0 error in calc_lcoefs() Li Nan
2022-11-30 13:21 ` Li Nan
[not found] ` <20221130132156.2836184-6-linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-30 20:20 ` Tejun Heo
2022-11-30 20:20 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 8/9] block: fix null-pointer dereference in ioc_pd_init Li Nan
2022-11-30 13:21 ` Li Nan
2022-11-30 20:50 ` Tejun Heo
2022-12-01 2:12 ` Yu Kuai
2022-12-01 2:12 ` Yu Kuai
[not found] ` <9ca2b7ab-7fd3-a9a3-12a6-021a78886b54-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
2022-12-01 10:11 ` Tejun Heo
2022-12-01 10:11 ` Tejun Heo
[not found] ` <Y4h94m8QMPtS4xJV-NiLfg/pYEd1N0TnZuCh8vA@public.gmane.org>
2022-12-01 10:23 ` Yu Kuai
2022-12-01 10:23 ` Yu Kuai
2022-12-01 10:31 ` Tejun Heo
2022-12-05 9:32 ` Yu Kuai
[not found] ` <96487803-12cc-a694-0099-784106596fd1-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
2022-12-12 23:10 ` Tejun Heo [this message]
2022-12-12 23:10 ` Tejun Heo
2022-11-30 13:21 ` [PATCH -next v2 9/9] blk-iocost: fix walk_list corruption Li Nan
2022-11-30 13:21 ` Li Nan
2022-11-30 20:59 ` Tejun Heo
2022-12-01 1:19 ` Yu Kuai
2022-12-01 1:19 ` Yu Kuai
[not found] ` <c028dd77-cabf-edd6-c893-8ee24762ac8c-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
2022-12-01 10:00 ` Tejun Heo
2022-12-01 10:00 ` Tejun Heo
[not found] ` <Y4h7RxdT83g+zFN0-NiLfg/pYEd1N0TnZuCh8vA@public.gmane.org>
2022-12-01 10:14 ` Yu Kuai
2022-12-01 10:14 ` Yu Kuai
[not found] ` <de04965e-1341-3053-0f4b-395b8390d00c-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org>
2022-12-01 10:29 ` Tejun Heo
2022-12-01 10:29 ` Tejun Heo
2022-12-01 13:43 ` Yu Kuai
2022-12-05 9:35 ` Yu Kuai
2022-12-05 9:35 ` Yu Kuai
2022-11-30 17:26 ` [PATCH -next v2 0/9] iocost bugfix Jens Axboe
2022-11-30 17:26 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y5e04oKUEEBXqaar@slm.duckdns.org \
--to=tj-dgejt+ai2ygdnm+yrofe0a@public.gmane.org \
--cc=axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=josef-DigfWCa+lFGyeJad7bwFQA@public.gmane.org \
--cc=linan122-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=linux-block-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=yi.zhang-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=yukuai1-XF6JlduFytWkHkcT6e4Xnw@public.gmane.org \
--cc=yukuai3-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.