From: Li Nan <linan122@huawei.com>
To: <tj@kernel.org>, <josef@toxicpanda.com>, <axboe@kernel.dk>
Cc: <cgroups@vger.kernel.org>, <linux-block@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <linan122@huawei.com>,
<yukuai3@huawei.com>, <yi.zhang@huawei.com>
Subject: [PATCH -next v2 9/9] blk-iocost: fix walk_list corruption
Date: Wed, 30 Nov 2022 21:21:56 +0800
Message-ID: <20221130132156.2836184-10-linan122@huawei.com>
In-Reply-To: <20221130132156.2836184-1-linan122@huawei.com>
From: Yu Kuai <yukuai3@huawei.com>
Our test reports a problem:
------------[ cut here ]------------
list_del corruption. next->prev should be ffff888127e0c4b0, but was ffff888127e090b0
WARNING: CPU: 2 PID: 3117789 at lib/list_debug.c:62 __list_del_entry_valid+0x119/0x130
RIP: 0010:__list_del_entry_valid+0x119/0x130
RIP: 0010:__list_del_entry_valid+0x119/0x130
Call Trace:
<IRQ>
iocg_flush_stat.isra.0+0x11e/0x230
? ioc_rqos_done+0x230/0x230
? ioc_now+0x14f/0x180
ioc_timer_fn+0x569/0x1640
We haven't reproduced it yet, but we think this is because the parent iocg
is freed before the child iocg, and then in ioc_timer_fn, walk_list is
corrupted.
1) Removing a child cgroup can be concurrent with removing the parent
cgroup, and ioc_pd_free for the parent iocg can be called before the child
iocg. This can be fixed by moving the handling of walk_list to
ioc_pd_offline, since offline of the child is ensured to be called before
the parent.
2) ioc_pd_free can be triggered from both removing a device and removing a
cgroup. This patch fixes the problem by deleting the timer before
deactivating the policy, so that freeing the parent iocg first in this case
won't matter.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Li Nan <linan122@huawei.com>
---
block/blk-iocost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index 710cf63a1643..d2b873908f88 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -2813,13 +2813,14 @@ static void ioc_rqos_exit(struct rq_qos *rqos)
{
struct ioc *ioc = rqos_to_ioc(rqos);
+ del_timer_sync(&ioc->timer);
+
blkcg_deactivate_policy(rqos->q, &blkcg_policy_iocost);
spin_lock_irq(&ioc->lock);
ioc->running = IOC_STOP;
spin_unlock_irq(&ioc->lock);
- del_timer_sync(&ioc->timer);
free_percpu(ioc->pcpu_stat);
kfree(ioc);
}
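Review bot: In ioc_rqos_exit(), del_timer_sync(&ioc->timer) now runs before ioc->running is set to IOC_STOP, and nothing cancels the timer again before kfree(ioc), so if any path can still arm the timer while blkcg_deactivate_policy() is running, the callback could execute against iocgs that are being freed or against the freed ioc. Consider setting IOC_STOP under ioc->lock first, then calling del_timer_sync(), then deactivating the policy, or explain in the commit message why the timer cannot be re-armed at this point. Separately, the commit message lists moving the walk_list handling to ioc_pd_offline as fix 1), but this diff (2 insertions, 1 deletion) only reorders del_timer_sync(); please either include that change here or say which patch in the series carries it.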
--
2.31.1