From: Ming Lei <ming.lei@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Tejun Heo <tj@kernel.org>,
Yu Kuai <yukuai3@huawei.com>, Christoph Hellwig <hch@lst.de>,
Ming Lei <ming.lei@redhat.com>
Subject: [PATCH 1/3] block: avoid use-after-free on throttle data
Date: Fri, 18 Mar 2022 21:01:42 +0800
Message-ID: <20220318130144.1066064-2-ming.lei@redhat.com>
In-Reply-To: <20220318130144.1066064-1-ming.lei@redhat.com>
In throtl_pending_timer_fn(), the request queue is retrieved from the throttle
data. And tg's pending timer is deleted synchronously when releasing the
associated blkg; at that time, the throttle data may have been freed, since
commit 1059699f87eb ("block: move blkcg initialization/destroy into disk
allocation/release handler") moves freeing q->td to disk_release() from
blk_release_queue(). So a use-after-free on q->td in throtl_pending_timer_fn
can be triggered.
Fixes the issue by:
- do nothing in case that disk is released, when there isn't any bio to
  dispatch
- retrieve request queue from blkg instead of throttle data for
  non top-level pending timer.
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
block/blk-throttle.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index a3b3ebc72dd4..880701d0106f 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -1137,12 +1137,22 @@ static void throtl_pending_timer_fn(struct timer_list *t)
struct throtl_service_queue *sq = from_timer(sq, t, pending_timer);
struct throtl_grp *tg = sq_to_tg(sq);
struct throtl_data *td = sq_to_td(sq);
- struct request_queue *q = td->queue;
struct throtl_service_queue *parent_sq;
+ struct request_queue *q;
bool dispatched;
int ret;
+ /* throtl_data may be gone, so figure out request queue by blkg */
+ if (tg)
+ q = tg->pd.blkg->q;
+ else
+ q = td->queue;
+
spin_lock_irq(&q->queue_lock);
+
+ if (!q->root_blkg)
+ goto out_unlock;
+
if (throtl_can_upgrade(td, NULL))
throtl_upgrade_state(td);
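Review bot: the `else q = td->queue;` branch and the `throtl_can_upgrade(td, NULL)` call that follows the new `!q->root_blkg` check both still dereference td, so the hunk only closes the use-after-free if td is guaranteed alive on those two paths; the commit message should state why (that the top-level pending timer is deleted before q->td is freed, and that root_blkg is cleared before q->td is freed), and the new comment "throtl_data may be gone, so figure out request queue by blkg" would be clearer if it said so as well, since as written it suggests td might already be freed at the point the `else` branch reads it. Also, the `out_unlock` label that `goto out_unlock` jumps to is outside the visible context; confirm it releases `q->queue_lock` with the matching `spin_unlock_irq`.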
--
2.31.1
Thread overview: 13+ messages
2022-03-18 13:01 [PATCH for-5.18 0/3] block: throttle related fixes Ming Lei
2022-03-18 13:01 ` Ming Lei [this message]
2022-03-18 13:01 ` [PATCH 2/3] block: let blkcg_gq grab request queue's refcnt Ming Lei
2022-03-22 9:33 ` Christoph Hellwig
2022-03-22 10:23 ` Ming Lei
2022-03-22 16:45 ` Tejun Heo
2022-03-23 0:32 ` Ming Lei
2022-04-20 1:46 ` Williams, Dan J
2022-04-20 2:01 ` yukuai (C)
2022-04-20 2:20 ` Ming Lei
2022-04-20 3:40 ` Dan Williams
2022-03-18 13:01 ` [PATCH 3/3] block: cancel all throttled bios in del_gendisk() Ming Lei
2022-03-18 15:58 ` [PATCH for-5.18 0/3] block: throttle related fixes Jens Axboe