Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp2176988ybm; Thu, 23 May 2019 12:37:26 -0700 (PDT) X-Google-Smtp-Source: APXvYqyOen/p2X2/KQyXdKYIHBwSmCXZJgrx+/maUoG1bWry5jiz27SvBW2BIiGWR0LlMs5qh9pz X-Received: by 2002:a62:5cc6:: with SMTP id q189mr75668410pfb.114.1558640246496; Thu, 23 May 2019 12:37:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558640246; cv=none; d=google.com; s=arc-20160816; b=tS6bwSMyHcIVdVd1AvrHgJRaqUdvjx7mEgdd8x2O2PkS8E1CTkh1RtAqaL6nFkBhGg qJBHkerEqIQUQ6fKdBgiGT367kGAjr8EHFV/A8lLpP2LyE1eIh2pXNX3u9bi7F1bGd6F pKopYowWpZsh2RZxdPvzHRViI7zB2ZDhYSJnU12Wpsy+tzB/AB9Ka65I23dq40DDyv4w e3/uqFzYvLr1T+o4T0JPNWuW970eaOJkFb0yVV0LRR3fkK7y37u9wRHOnJdYlITLPuMK AQv9KA/UQy6IXFy/vYdxb8C9nAVe4TnD3YXMcotUhXJM9DhvbgeXQltM6CoqnGoeJ2Ag gzvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=bJGr6ez3jpaCt671m5ssWLcc7v/owDviB2nHIbyfil4=; b=T2U5Sp3pmucVmbQZ/8p7xxsGdbpdVhAHFqYZWE2hEMCnggYmStcdmUCFjbpVV6RGRI ibZJKJj7kK0jXbLeiaYdT6nwJ5LUl7q+7mfLmJJuGLIHjqX+J5VJ9eRqnZbIEs6CAAHQ 25Hx3WLpoW/+CaMn4rUU7NlRlRqqZruKJZmUPSVtjtIHLmzEaCS+rMufE1rEDDhfMHR+ MCIuY3tGXlz07mvpk50AV6qCD0yyel4FzSyMY3PF3hgLuOeCBvRESVn6bfGe+3MAejyA UT5RnE8l1w9dyxC520KPnc83bbsT8CKO4JhwN55xjijYmoXBEEoS1mRIdQxFFc5z3Lqb D8rQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RX6hb7wS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a66si363098pje.2.2019.05.23.12.37.11; Thu, 23 May 2019 12:37:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RX6hb7wS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391499AbfEWT1C (ORCPT + 99 others); Thu, 23 May 2019 15:27:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:39050 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391486AbfEWT1A (ORCPT ); Thu, 23 May 2019 15:27:00 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6670320868; Thu, 23 May 2019 19:26:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558639618; bh=PXnCjs8j+JetXEPaNFWEecv9BivgufsuIGkzGDl9ea8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RX6hb7wSylbUUEeOJclaRlqZ9RBWIK3ruFSD/erM0JsnWs/CoJUQciaX5nGk8gpuQ HZMMCe674JyjBig4+UsTzOSiQh0ItvCQMCOUtst1/AatEEmGsBd0YfS2HLmeCcGUDN UBytcB8WcVZ8Lt19SJo40GZzzNUG6fcX0usZFtlE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dongli Zhang , James Smart , Bart Van Assche , Hannes Reinecke , Christoph Hellwig , Ming Lei , Jens Axboe , linux-scsi@vger.kernel.org, "Martin K . Petersen" , "James E . J . Bottomley" Subject: [PATCH 5.1 024/122] blk-mq: free hw queues resource in hctxs release handler Date: Thu, 23 May 2019 21:05:46 +0200 Message-Id: <20190523181707.943993176@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190523181705.091418060@linuxfoundation.org> References: <20190523181705.091418060@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ming Lei commit c7e2d94b3d1634988a95ac4d77a72dc7487ece06 upstream. Once blk_cleanup_queue() returns, tags shouldn't be used any more, because blk_mq_free_tag_set() may be called. Commit 45a9c9d909b2 ("blk-mq: Fix a use-after-free") fixes this issue exactly. However, that commit introduces another issue. Before 45a9c9d909b2, we are allowed to run queue during cleaning up queue if the queue's kobj refcount is held. After that commit, queue can't be run during queue cleaning up, otherwise oops can be triggered easily because some fields of hctx are freed by blk_mq_free_queue() in blk_cleanup_queue(). We have invented ways for addressing this kind of issue before, such as: 8dc765d438f1 ("SCSI: fix queue cleanup race before queue initialization is done") c2856ae2f315 ("blk-mq: quiesce queue before freeing queue") But still can't cover all cases, recently James reports another such kind of issue: https://marc.info/?l=linux-scsi&m=155389088124782&w=2 This issue can be quite hard to address by previous way, given scsi_run_queue() may run requeues for other LUNs. Fixes the above issue by freeing hctx's resources in its release handler, and this way is safe becasue tags isn't needed for freeing such hctx resource. This approach follows typical design pattern wrt. kobject's release handler. Cc: Dongli Zhang Cc: James Smart Cc: Bart Van Assche Cc: linux-scsi@vger.kernel.org, Cc: Martin K . Petersen , Cc: Christoph Hellwig , Cc: James E . J . Bottomley , Reported-by: James Smart Fixes: 45a9c9d909b2 ("blk-mq: Fix a use-after-free") Cc: stable@vger.kernel.org Reviewed-by: Hannes Reinecke Reviewed-by: Christoph Hellwig Tested-by: James Smart Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- block/blk-core.c | 2 +- block/blk-mq-sysfs.c | 6 ++++++ block/blk-mq.c | 8 ++------ block/blk-mq.h | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-) --- a/block/blk-core.c +++ b/block/blk-core.c @@ -375,7 +375,7 @@ void blk_cleanup_queue(struct request_qu blk_exit_queue(q); if (queue_is_mq(q)) - blk_mq_free_queue(q); + blk_mq_exit_queue(q); percpu_ref_exit(&q->q_usage_counter); --- a/block/blk-mq-sysfs.c +++ b/block/blk-mq-sysfs.c @@ -10,6 +10,7 @@ #include #include +#include "blk.h" #include "blk-mq.h" #include "blk-mq-tag.h" @@ -33,6 +34,11 @@ static void blk_mq_hw_sysfs_release(stru { struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj); + + if (hctx->flags & BLK_MQ_F_BLOCKING) + cleanup_srcu_struct(hctx->srcu); + blk_free_flush_queue(hctx->fq); + sbitmap_free(&hctx->ctx_map); free_cpumask_var(hctx->cpumask); kfree(hctx->ctxs); kfree(hctx); --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2267,12 +2267,7 @@ static void blk_mq_exit_hctx(struct requ if (set->ops->exit_hctx) set->ops->exit_hctx(hctx, hctx_idx); - if (hctx->flags & BLK_MQ_F_BLOCKING) - cleanup_srcu_struct(hctx->srcu); - blk_mq_remove_cpuhp(hctx); - blk_free_flush_queue(hctx->fq); - sbitmap_free(&hctx->ctx_map); } static void blk_mq_exit_hw_queues(struct request_queue *q, @@ -2905,7 +2900,8 @@ err_exit: } EXPORT_SYMBOL(blk_mq_init_allocated_queue); -void blk_mq_free_queue(struct request_queue *q) +/* tags can _not_ be used after returning from blk_mq_exit_queue */ +void blk_mq_exit_queue(struct request_queue *q) { struct blk_mq_tag_set *set = q->tag_set; --- a/block/blk-mq.h +++ b/block/blk-mq.h @@ -37,7 +37,7 @@ struct blk_mq_ctx { struct kobject kobj; } ____cacheline_aligned_in_smp; -void blk_mq_free_queue(struct request_queue *q); +void blk_mq_exit_queue(struct request_queue *q); int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr); void blk_mq_wake_waiters(struct request_queue *q); bool blk_mq_dispatch_rq_list(struct request_queue *, struct list_head *, bool);