Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp2859151ybd; Thu, 27 Jun 2019 21:45:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqxfUf2qVYqFYPAiyNYLiu8UZQzS2PoadUeM9dDWMjLLECn7tgYdjgtyrOjMHRFmz7XSciM3 X-Received: by 2002:a17:902:2868:: with SMTP id e95mr8494416plb.319.1561697124681; Thu, 27 Jun 2019 21:45:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561697124; cv=none; d=google.com; s=arc-20160816; b=hICXHiTecGbCujVFjJPoKSU2zVe3WFCX+VkqJmrTCRs+l/6d9xZmFL9TCv+e0d6YEk sDMbPSqdxxtFKKIqUS+B+6B1VsEVKLaxa204VLnj2lB+THYAfx5AUPbd8+bgxnjaGNR8 Q/K01LMmRK6WHZ77bbjXmTi9wnNpoFzomwlI1GNXiL+4cLU1H/neCtawwp3M37T7jDdA FE7pnJ1WnkiE5GR1o+YZ9ydeXq2zzODUcJ4MXSoGFVBe18AWMpMtlkc+Yc1c6uKv72/4 oOfXfV4NNoGlB9TCUpWPq6yIWBHwa98aQeFJnqzW/0oMxUrrdsYxOhCeusyecgwz05CT OZnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=Hl6Pnq3xmamo6vmydBFzkBduZblIOAKNn76di+zQvGg=; b=OccmRJBPWsgcaDemAbH3U9FY4zf11A03ngW+c7wrAdAFjXm46aB6wkuzYfF1YMsZkI ndwTahlvcctYzohiEZir42u6SaAbobzIdbGLPyRtaIpKMGwMb4o2Baf7vLw9eVL70U4e rGAhcC7OMVoXUJbJr9F9qBK26hVG7ekCf0/DDZnOduaKgyhW0bWctruOe3udG+WD0+n5 iBYmgbl5Hc71qnTUk8zBAFsjWz1BQ2yoGU2IgsjHU/pXYQnwcBKhlI0ixjpC6V/yY4wL pc8VFz3K4S4E/Q+B3F7i4kx4MLnIckxg8MqyCeht7h0v8sBOPz8OtGlDjRdju65Hi/i/ CQGA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ArWvWp5p; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cp14si1061965plb.183.2019.06.27.21.44.53; Thu, 27 Jun 2019 21:45:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ArWvWp5p; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726549AbfF1Eou (ORCPT + 99 others); Fri, 28 Jun 2019 00:44:50 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:33946 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726420AbfF1Eou (ORCPT ); Fri, 28 Jun 2019 00:44:50 -0400 Received: by mail-pl1-f194.google.com with SMTP id i2so2517143plt.1 for ; Thu, 27 Jun 2019 21:44:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Hl6Pnq3xmamo6vmydBFzkBduZblIOAKNn76di+zQvGg=; b=ArWvWp5pND/lULGeiiBYq6FEwP8p5dbr+MdcNPFR2BzY0chrPL6fMADb9DDlqSXbPp nGMaut7nZwa7plZh313G3DdV9Rhdbu8/dnIvEysC8NUXtwTofGM6qYax8bpercPIPKBO Z8sgFuTkhQXgmGDAxn536HqD06p0cEXUtYYnk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Hl6Pnq3xmamo6vmydBFzkBduZblIOAKNn76di+zQvGg=; b=VMefK/qLQMtCYT0csi8r4jsyeop/PyFy9z+8CHHxseUyjB7BCZnRzhkL8DVVnguyjg uFa2BY9k2/ERHpIcae+B3eECy3g4pStdjIYnVrztyaLsp4h9wq5s8K6OP3A1U4LLrBQu +8mOVcOvnKAh838GL4z5g0g24U2sBPONX0GyzkcFUahT+clT6l1C6PDv9FxEzMtgwWng mlqu0caeA312e0O9L3o19MF045aKOmeIZuhya8zxK25rgxGohPt3f24saVwMOaf8TNpU 5ih+rruXEkO8lTHWZrYu3WRjWFMA96pzUoXjPhTqRwP8tYv2BvfdW7YJ618ype7XfVL3 fzBg== X-Gm-Message-State: APjAAAWCGq263mK0wf08CZPo32kiIBCBKwc5YKEcgg5sQtY/URc4OynM p5py+JKqZnv048cZ4C8UjwExvw== X-Received: by 2002:a17:902:301:: with SMTP id 1mr936859pld.323.1561697089853; Thu, 27 Jun 2019 21:44:49 -0700 (PDT) Received: from tictac2.mtv.corp.google.com ([2620:15c:202:1:24fa:e766:52c9:e3b2]) by smtp.gmail.com with ESMTPSA id q13sm675562pgq.90.2019.06.27.21.44.48 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Thu, 27 Jun 2019 21:44:49 -0700 (PDT) From: Douglas Anderson To: Paolo Valente , Jens Axboe Cc: groeck@chromium.org, drinkcat@chromium.org, Douglas Anderson , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] block, bfq: NULL out the bic when it's no longer valid Date: Thu, 27 Jun 2019 21:44:09 -0700 Message-Id: <20190628044409.128823-1-dianders@chromium.org> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In reboot tests on several devices we were seeing a "use after free" when slub_debug or KASAN was enabled. The kernel complained about: Unable to handle kernel paging request at virtual address 6b6b6c2b ...which is a classic sign of use after free under slub_debug. The stack crawl in kgdb looked like: 0 test_bit (addr=, nr=) 1 bfq_bfqq_busy (bfqq=) 2 bfq_select_queue (bfqd=) 3 __bfq_dispatch_request (hctx=) 4 bfq_dispatch_request (hctx=) 5 0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440) 6 0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440) 7 0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440) 8 0xc0568d94 in blk_mq_run_work_fn (work=) 9 0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480) 10 0xc024cff4 in worker_thread (__worker=0xec6d4640) Digging in kgdb, it could be found that, though bfqq looked fine, bfqq->bic had been freed. Through further digging, I postulated that perhaps it is illegal to access a "bic" (AKA an "icq") after bfq_exit_icq() had been called because the "bic" can be freed at some point in time after this call is made. I confirmed that there certainly were cases where the exact crashing code path would access the "bic" after bfq_exit_icq() had been called. Sspecifically I set the "bfqq->bic" to (void *)0x7 and saw that the bic was 0x7 at the time of the crash. To understand a bit more about why this crash was fairly uncommon (I saw it only once in a few hundred reboots), you can see that much of the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't access the ->bic anymore. The only case it doesn't is if bfq_put_queue() sees a reference still held. However, even in the case when bfqq isn't freed, the crash is still rare. Why? I tracked what happened to the "bic" after the exit routine. It doesn't get freed right away. Rather, put_io_context_active() eventually called put_io_context() which queued up freeing on a workqueue. The freeing then actually happened later than that through call_rcu(). Despite all these delays, some extra debugging showed that all the hoops could be jumped through in time and the memory could be freed causing the original crash. Phew! To make a long story short, assuming it truly is illegal to access an icq after the "exit_icq" callback is finished, this patch is needed. Signed-off-by: Douglas Anderson --- Most of the testing of this was done on the Chrome OS 4.19 kernel with BFQ backported (thanks to Paolo's help). I did manage to reproduce a crash on mainline Linux (v5.2-rc6) though. To see some of the techniques used to debug this, see and . I'll also note that on linuxnext (next-20190627) I saw some other use-after-frees that seemed related to BFQ but haven't had time to debug. They seemed unrelated. block/bfq-iosched.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index f8d430f88d25..6c0cff03f8f6 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -4584,6 +4584,7 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) unsigned long flags; spin_lock_irqsave(&bfqd->lock, flags); + bfqq->bic = NULL; bfq_exit_bfqq(bfqd, bfqq); bic_set_bfqq(bic, NULL, is_sync); spin_unlock_irqrestore(&bfqd->lock, flags); -- 2.22.0.410.gd8fdbe21b5-goog