Re: [PATCH blktests] block/002: delay debugfs directory check

["yukuai (C)" <yukuai3@huawei.com>]

在 2022/04/20 20:42, Shinichiro Kawasaki 写道:
>> Hello,
>>
>> Jens has merged Yu Kuai's fix[1], so I think it won't be triggered now.
>>
>>
>> [1] https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git/commit/?h=block-5.18&id=a87c29e1a85e64b28445bb1e80505230bf2e3b4b
> 
> Hi Ming, I applied the patch above on top of v5.18-rc3 and ran block/002.
> Unfortunately, it failed with a new symptom with KASAN use-after-free [2]. I
> ran block/002 with linux-block/block-5.18 branch tip with git hash a87c29e1a85e
> and got the same KASAN uaf. Reverting the patch from the linux-block/block-5.18
> branch, the KASAN uaf disappears (Still block/002 fails). Regarding block/002,
> it looks the patch made the failure symptom worse.
> 
> [2]
> 
> [  466.424358] run blktests block/002 at 2022-04-20 19:44:02
> [  466.508847] scsi_debug:sdebug_driver_probe: scsi_debug: trim poll_queues to 0. poll_q/nr_hw = (0/1)
> [  466.518617] scsi host7: scsi_debug: version 0191 [20210520]
>                   dev_size_mb=8, opts=0x0, submit_queues=1, statistics=0
> [  466.535080] scsi 7:0:0:0: Direct-Access     Linux    scsi_debug       0191 PQ: 0 ANSI: 7
> [  466.548701] sd 7:0:0:0: Power-on or device reset occurred
> [  466.549819] sd 7:0:0:0: Attached scsi generic sg9 type 0
> [  466.557985] sd 7:0:0:0: [sdi] 16384 512-byte logical blocks: (8.39 MB/8.00 MiB)
> [  466.570116] sd 7:0:0:0: [sdi] Write Protect is off
> [  466.575644] sd 7:0:0:0: [sdi] Mode Sense: 73 00 10 08
> [  466.577821] sd 7:0:0:0: [sdi] Write cache: enabled, read cache: enabled, supports DPO and FUA
> [  466.590343] sd 7:0:0:0: [sdi] Optimal transfer size 524288 bytes
> [  466.645516] sd 7:0:0:0: [sdi] Attached SCSI disk
> [  467.438285] sd 7:0:0:0: [sdi] Synchronizing SCSI cache
> [  467.458790] ==================================================================
> [  467.466714] BUG: KASAN: use-after-free in __lock_acquire+0x396b/0x5030
> [  467.473951] Read of size 8 at addr ffff888104e05248 by task check/1549
> 
> [  467.483373] CPU: 1 PID: 1549 Comm: check Not tainted 5.18.0-rc3+ #24
> [  467.490426] Hardware name: Supermicro X10SLL-F/X10SLL-F, BIOS 3.0 04/24/2015
> [  467.498164] Call Trace:
> [  467.501313]  <TASK>
> [  467.504120]  dump_stack_lvl+0x56/0x6f
> [  467.508488]  print_report.cold+0x5e/0x5db
> [  467.513205]  ? __lock_acquire+0x396b/0x5030
> [  467.518092]  kasan_report+0xbf/0xf0
> [  467.522288]  ? lockdep_lock+0x30/0x1a0
> [  467.526738]  ? __lock_acquire+0x396b/0x5030
> [  467.531630]  __lock_acquire+0x396b/0x5030
> [  467.536346]  ? lockdep_unlock+0xf2/0x240
> [  467.540970]  ? __lock_acquire+0x23db/0x5030
> [  467.545861]  ? lockdep_hardirqs_on_prepare+0x410/0x410
> [  467.551705]  lock_acquire+0x19a/0x4b0
> [  467.556068]  ? lockref_get+0x9/0x40
> [  467.560264]  ? lock_release+0x6c0/0x6c0
> [  467.564806]  ? lock_is_held_type+0xe2/0x140
> [  467.569693]  ? find_held_lock+0x2c/0x110
> [  467.574316]  ? lock_release+0x3a7/0x6c0
> [  467.578856]  _raw_spin_lock+0x2f/0x40
> [  467.583222]  ? lockref_get+0x9/0x40
> [  467.587414]  lockref_get+0x9/0x40
> [  467.591439]  simple_recursive_removal+0x36/0x7e0
> [  467.596758]  ? debugfs_remove+0x60/0x60
> [  467.601300]  ? do_raw_spin_unlock+0x55/0x1f0
> [  467.606278]  debugfs_remove+0x40/0x60
> [  467.610643]  blk_mq_debugfs_unregister_queue_rqos+0x34/0x70
> [  467.616919]  rq_qos_exit+0x1b/0xf0
> [  467.621028]  ? sysfs_file_ops+0x170/0x170
> [  467.625740]  blk_cleanup_queue+0xfd/0x1f0
> [  467.630449]  __scsi_remove_device+0xdd/0x2b0
> [  467.635422]  sdev_store_delete+0x83/0x120
> [  467.640137]  kernfs_fop_write_iter+0x353/0x520
> [  467.645287]  new_sync_write+0x2d9/0x500
> [  467.649827]  ? new_sync_read+0x500/0x500
> [  467.654455]  ? perf_msr_probe+0x1f0/0x280
> [  467.659170]  ? lock_release+0x6c0/0x6c0
> [  467.663709]  ? inode_security+0x54/0xf0
> [  467.668253]  ? lock_is_held_type+0xe2/0x140
> [  467.673144]  vfs_write+0x61c/0x910
> [  467.677250]  ksys_write+0xe3/0x1a0
> [  467.681355]  ? __ia32_sys_read+0xa0/0xa0
> [  467.685982]  ? syscall_enter_from_user_mode+0x21/0x70
> [  467.691740]  do_syscall_64+0x3b/0x90
> [  467.696018]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  467.701772] RIP: 0033:0x7f2d0b701817
> [  467.706046] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
> [  467.725492] RSP: 002b:00007ffd37a645e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [  467.733762] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f2d0b701817
> [  467.741596] RDX: 0000000000000002 RSI: 000055a23ecf4630 RDI: 0000000000000001
> [  467.749431] RBP: 000055a23ecf4630 R08: 0000000000000000 R09: 00007f2d0b7b64e0
> [  467.757267] R10: 00007f2d0b7b63e0 R11: 0000000000000246 R12: 0000000000000002
> [  467.765101] R13: 00007f2d0b7fb5a0 R14: 0000000000000002 R15: 00007f2d0b7fb7a0
> [  467.772945]  </TASK>
> 
> [  467.778033] Allocated by task 111:
> [  467.782141]  kasan_save_stack+0x1e/0x40
> [  467.786681]  __kasan_slab_alloc+0x90/0xc0
> [  467.791395]  kmem_cache_alloc_lru+0x258/0x720
> [  467.796457]  __d_alloc+0x31/0x960
> [  467.800477]  d_alloc+0x44/0x200
> [  467.804326]  d_alloc_parallel+0xca/0x1490
> [  467.809041]  __lookup_slow+0x17f/0x3d0
> [  467.813495]  lookup_one_len+0x10b/0x130
> [  467.818038]  start_creating.part.0+0xf0/0x220
> [  467.823098]  debugfs_create_dir+0x2f/0x460
> [  467.827901]  blk_mq_debugfs_register_rqos+0x1fe/0x330
Hi,

Sorry that I missed the 'q->rqos_debugfs_dir' which is created under
'q->debugfs_dir'.

Ming, do you think move blk_mq_debugfs_unregister_queue_rqos() to
blk_unregister_queue() is okay?

Thanks,
Kuai
> [  467.833655]  wbt_init+0x35e/0x630
> [  467.837676]  blk_register_queue+0x26c/0x430
> [  467.842565]  device_add_disk+0x639/0xd90
> [  467.847192]  sd_probe+0x93f/0xf50
> [  467.851212]  really_probe+0x3d7/0xa10
> [  467.855581]  __driver_probe_device+0x2ab/0x460
> [  467.860721]  driver_probe_device+0x49/0x120
> [  467.865610]  __device_attach_driver+0x191/0x240
> [  467.870845]  bus_for_each_drv+0x119/0x180
> [  467.875560]  __device_attach_async_helper+0x172/0x210
> [  467.881314]  async_run_entry_fn+0x95/0x500
> [  467.886115]  process_one_work+0x7cf/0x12d0
> [  467.890915]  worker_thread+0x5ac/0xec0
> [  467.895369]  kthread+0x2a7/0x350
> [  467.899305]  ret_from_fork+0x22/0x30