public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yu Kuai <yukuai3@huawei.com>, Jan Kara <jack@suse.cz>,
	Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
	tj@kernel.org, josef@toxicpanda.com, paolo.valente@linaro.org,
	cgroups@vger.kernel.org, linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 6.0 28/44] block, bfq: fix null pointer dereference in bfq_bio_bfqg()
Date: Fri, 18 Nov 2022 21:11:08 -0500
Message-ID: <20221119021124.1773699-28-sashal@kernel.org>
In-Reply-To: <20221119021124.1773699-1-sashal@kernel.org>

From: Yu Kuai <yukuai3@huawei.com>

[ Upstream commit f02be9002c480cd3ec0fcf184ad27cf531bd6ece ]

Our test found the following problem in kernel 5.10, and the same problem
should exist in mainline:

BUG: kernel NULL pointer dereference, address: 0000000000000094
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 7 PID: 155 Comm: kworker/7:1 Not tainted 5.10.0-01932-g19e0ace2ca1d-dirty 4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-b4
Workqueue: kthrotld blk_throtl_dispatch_work_fn
RIP: 0010:bfq_bio_bfqg+0x52/0xc0
Code: 94 00 00 00 00 75 2e 48 8b 40 30 48 83 05 35 06 c8 0b 01 48 85 c0 74 3d 4b
RSP: 0018:ffffc90001a1fba0 EFLAGS: 00010002
RAX: ffff888100d60400 RBX: ffff8881132e7000 RCX: 0000000000000000
RDX: 0000000000000017 RSI: ffff888103580a18 RDI: ffff888103580a18
RBP: ffff8881132e7000 R08: 0000000000000000 R09: ffffc90001a1fe10
R10: 0000000000000a20 R11: 0000000000034320 R12: 0000000000000000
R13: ffff888103580a18 R14: ffff888114447000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88881fdc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000094 CR3: 0000000100cdb000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bfq_bic_update_cgroup+0x3c/0x350
 ? ioc_create_icq+0x42/0x270
 bfq_init_rq+0xfd/0x1060
 bfq_insert_requests+0x20f/0x1cc0
 ? ioc_create_icq+0x122/0x270
 blk_mq_sched_insert_requests+0x86/0x1d0
 blk_mq_flush_plug_list+0x193/0x2a0
 blk_flush_plug_list+0x127/0x170
 blk_finish_plug+0x31/0x50
 blk_throtl_dispatch_work_fn+0x151/0x190
 process_one_work+0x27c/0x5f0
 worker_thread+0x28b/0x6b0
 ? rescuer_thread+0x590/0x590
 kthread+0x153/0x1b0
 ? kthread_flush_work+0x170/0x170
 ret_from_fork+0x1f/0x30
Modules linked in:
CR2: 0000000000000094
---[ end trace e2e59ac014314547 ]---
RIP: 0010:bfq_bio_bfqg+0x52/0xc0
Code: 94 00 00 00 00 75 2e 48 8b 40 30 48 83 05 35 06 c8 0b 01 48 85 c0 74 3d 4b
RSP: 0018:ffffc90001a1fba0 EFLAGS: 00010002
RAX: ffff888100d60400 RBX: ffff8881132e7000 RCX: 0000000000000000
RDX: 0000000000000017 RSI: ffff888103580a18 RDI: ffff888103580a18
RBP: ffff8881132e7000 R08: 0000000000000000 R09: ffffc90001a1fe10
R10: 0000000000000a20 R11: 0000000000034320 R12: 0000000000000000
R13: ffff888103580a18 R14: ffff888114447000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88881fdc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000094 CR3: 0000000100cdb000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Root cause is quite complex:

1) use bfq elevator for the test device.
2) create a cgroup CG
3) config blk throtl in CG

   blkg_conf_prep
    blkg_create

4) create a thread T1 and issue async io in CG:

   bio_init
    bio_associate_blkg
   ...
   submit_bio
    submit_bio_noacct
     blk_throtl_bio -> io is throttled
     // io submit is done

5) switch elevator:

   bfq_exit_queue
    blkcg_deactivate_policy
     list_for_each_entry(blkg, &q->blkg_list, q_node)
      blkg->pd[] = NULL
      // bfq policy is removed

6) thread T1 exits, then remove the cgroup CG:

   blkcg_unpin_online
    blkcg_destroy_blkgs
     blkg_destroy
      list_del_init(&blkg->q_node)
      // blkg is removed from queue list

7) switch elevator back to bfq

 bfq_init_queue
  bfq_create_group_hierarchy
   blkcg_activate_policy
    list_for_each_entry_reverse(blkg, &q->blkg_list)
     // blkg is removed from list, hence bfq policy is still NULL

8) throttled io is dispatched to bfq:

 bfq_insert_requests
  bfq_init_rq
   bfq_bic_update_cgroup
    bfq_bio_bfqg
     bfqg = blkg_to_bfqg(blkg)
     // bfqg is NULL because bfq policy is NULL

The problem is only possible in bfq because only bfq can be deactivated and
activated while the queue is online, while the others can only be deactivated
while the device is removed.

Fix the problem in bfq by checking if blkg is online before calling
blkg_to_bfqg().

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221108103434.2853269-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-cgroup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index 30b15a9a47c4..249f489d115f 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -615,6 +615,10 @@ struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio)
 	struct bfq_group *bfqg;
 
 	while (blkg) {
+		if (!blkg->online) {
+			blkg = blkg->parent;
+			continue;
+		}
 		bfqg = blkg_to_bfqg(blkg);
 		if (bfqg->online) {
 			bio_associate_blkg_from_css(bio, &blkg->blkcg->css);
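Review bot: the added `!blkg->online` skip leaves the `if (bfqg->online)` test right after it still dereferencing `bfqg` unguarded, and nothing in the hunk records why an online blkg must have a non-NULL bfq pd; the reader has to reconstruct from the commit message that blkg_destroy() takes the blkg off q->blkg_list before blkcg_activate_policy() walks that list. Suggest a comment above the new check stating that invariant (an offline blkg has left the queue list and will never get its pd back), or, if the invariant is not meant to be relied on, a defensive `if (!bfqg) { blkg = blkg->parent; continue; }` in place of the unconditional dereference. It would also help to say what keeps a destroyed blkg and its `->parent` chain valid to walk here; the commit message implies it is the throttled bio's own association from bio_associate_blkg() in step 4, but neither the code nor a comment says so.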
-- 
2.35.1
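The root-cause sequence in the commit message, as an added example that is not part of the patch or of the kernel's code: a user-space C model of the blkg walk in bfq_bio_bfqg() before and after the fix, run on constructed state that follows the commit message's steps (bfq active, cgroup CG created and throttled, an async bio throttled while associated with CG's blkg, elevator switched away, CG removed, elevator switched back). The stand-in structs, the scenario data, and the fallback to the root group after the `while` loop (the hunk does not show what follows it) are assumptions of this example.

```c
/* Added example, not kernel code: a user-space model of the blkg -> bfq_group
 * walk in bfq_bio_bfqg() on the commit message's scenario.  The structs are
 * simplified stand-ins for struct blkcg_gq / struct bfq_group, the state is
 * constructed here, and the fallback to the root group after the loop is an
 * assumption about the kernel function, not something the hunk shows. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { BLKCG_POLICY_BFQ = 0, BLKCG_MAX_POLS = 3 };

struct bfq_group { bool online; const char *name; };

struct blkcg_gq {
	struct blkcg_gq *parent;
	bool online;			/* cleared when the blkg is destroyed */
	void *pd[BLKCG_MAX_POLS];	/* policy data, NULL once deactivated */
};

static struct bfq_group *blkg_to_bfqg(struct blkcg_gq *blkg)
{
	return blkg->pd[BLKCG_POLICY_BFQ];
}

/* Walk before the fix.  The kernel dereferences bfqg->online directly; this
 * model returns NULL instead of faulting so the caller can see the oops. */
static struct bfq_group *bfq_bio_bfqg_before(struct blkcg_gq *blkg,
					     struct bfq_group *root)
{
	while (blkg) {
		struct bfq_group *bfqg = blkg_to_bfqg(blkg);

		if (!bfqg)
			return NULL;	/* kernel: NULL pointer dereference */
		if (bfqg->online)
			return bfqg;
		blkg = blkg->parent;
	}
	return root;
}

/* Walk after the fix: a blkg that is no longer online is skipped. */
static struct bfq_group *bfq_bio_bfqg_after(struct blkcg_gq *blkg,
					    struct bfq_group *root)
{
	while (blkg) {
		struct bfq_group *bfqg;

		if (!blkg->online) {
			blkg = blkg->parent;
			continue;
		}
		bfqg = blkg_to_bfqg(blkg);
		if (bfqg->online)
			return bfqg;
		blkg = blkg->parent;
	}
	return root;
}

/* Constructed state: root blkg, child blkg for cgroup CG, and the blkg a
 * throttled bio still points at after CG has been removed. */
static struct { struct bfq_group root_bfqg, cg_bfqg;
		struct blkcg_gq root, cg; struct blkcg_gq *bio_blkg; } g;

static void build_scenario(void)
{
	struct blkcg_gq *q_blkg_list[2] = { &g.root, &g.cg };	/* q->blkg_list */
	int n = 2, i;

	memset(&g, 0, sizeof(g));
	g.root_bfqg.name = "root";
	g.cg_bfqg.name = "CG";
	/* bfq active: both blkgs online, both carrying bfq policy data */
	g.root.online = g.cg.online = true;
	g.root_bfqg.online = g.cg_bfqg.online = true;
	g.root.pd[BLKCG_POLICY_BFQ] = &g.root_bfqg;
	g.cg.pd[BLKCG_POLICY_BFQ] = &g.cg_bfqg;
	g.cg.parent = &g.root;
	/* async IO in CG is throttled while associated with CG's blkg */
	g.bio_blkg = &g.cg;
	/* elevator switched away: blkcg_deactivate_policy() clears pd[] on
	 * every blkg on the queue list */
	for (i = 0; i < n; i++)
		q_blkg_list[i]->pd[BLKCG_POLICY_BFQ] = NULL;
	/* CG removed: blkg_destroy() offlines the blkg and unlinks it from
	 * the queue list; the throttled bio keeps its pointer to it */
	g.cg.online = false;
	n = 1;
	/* elevator switched back: blkcg_activate_policy() walks only the
	 * queue list, so only root gets bfq policy data again */
	for (i = 0; i < n; i++)
		q_blkg_list[i]->pd[BLKCG_POLICY_BFQ] = &g.root_bfqg;
}

static bool before_fix_would_oops(void)
{
	build_scenario();
	return bfq_bio_bfqg_before(g.bio_blkg, &g.root_bfqg) == NULL;
}

static struct bfq_group *after_fix_group(void)
{
	build_scenario();
	return bfq_bio_bfqg_after(g.bio_blkg, &g.root_bfqg);
}

int main(void)
{
	printf("before fix: %s\n", before_fix_would_oops() ?
	       "NULL bfqg dereferenced" : "ok");
	printf("after fix: bio dispatched to group \"%s\"\n",
	       after_fix_group()->name);
	return 0;
}
```

The model only shows why the walk must not trust pd[] on a blkg that has left q->blkg_list; it does not model locking or reference counting. In the kernel the stale blkg stays allocated because the throttled bio still holds its association to it, which is what makes following blkg->parent in the fixed walk safe.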

