Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp2867414ybd;
        Thu, 27 Jun 2019 21:58:19 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwMiEhG2ZUdtJjLuahLqiLb7JCiNYe/69F7lrmgUw5OsImxDWXaSm8MWN9SpYeaWEwTGp5x
X-Received: by 2002:a63:d70b:: with SMTP id d11mr7407342pgg.178.1561697899612;
        Thu, 27 Jun 2019 21:58:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561697899; cv=none;
        d=google.com; s=arc-20160816;
        b=praH500kUnZQ+d0Oysl8YfI10n0tU4tkVYyq1ta+SNj2iPU5uIsOg5Aoj7VJ29lDdc
         5WKgpbgEBMRfiEgo/UQw10H9j3TLfMd+IkGB1thhaoMORFo27Sdzx7g5qpdmQHykOAdj
         5mB7kdEw1LfuRkleE/GQggG5u1BYT75Lv/iD5wHDxGmr9jcWRs1CYtFmeRy5GM+ydNki
         uK8PumSuAzH68oD15KyNSnZ7K1QuvbF1JFbPICQPIbLQfj5DDhRFbcOBqdVESdIYdVvx
         mkuM2O/fdzJMHPbtDG/rk6gwvpawSRcFOM/BELSAas4Jf4zEkdkGiipssDRmYQ+QzInn
         XNlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=OR3h7WVLUUcHv2ZQw3/q57OQjyW+UVNhTLXPtjGCrJ0=;
        b=HNJCl8FlHT1QXpwPQzCWrLcnWRZU/g8IcuWAZ0wV8RcHyOLw3JMVdGXqvJDPi4WkUg
         Mcwd5Sqh+o1LZGqlRQXUn3BuLOrJoAFNBAdIfo1IMVTr9fTi4tr2/fu4TvGVZEgLYy5+
         GX2wFPDIiM1rEBL675hATwcdFxlx92GSRDrBAYoQf68Dm33zp1vXR5w5s1enMGRF1ET1
         w3pjDafdP3q4JPHmGFbH+a+bMIPm7M5sFSoErjTLfJViGhGyBLJh94PdLuBQid4niSIf
         qfRjF0Tj7gnoazNa8pqEywkUpUb+EaKnTDUhf75+ctFtQSfbpqRhL3iyIaUAEWheFVKQ
         gbLA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=ei28byz3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a15si1277524pfi.48.2019.06.27.21.58.03;
        Thu, 27 Jun 2019 21:58:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=ei28byz3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726908AbfF1E5U (ORCPT <rfc822;zeqiangyin@gmail.com>
        + 99 others); Fri, 28 Jun 2019 00:57:20 -0400
Received: from mail-pl1-f195.google.com ([209.85.214.195]:40568 "EHLO
        mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726240AbfF1E5U (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 28 Jun 2019 00:57:20 -0400
Received: by mail-pl1-f195.google.com with SMTP id a93so2533108pla.7;
        Thu, 27 Jun 2019 21:57:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=OR3h7WVLUUcHv2ZQw3/q57OQjyW+UVNhTLXPtjGCrJ0=;
        b=ei28byz3zaf69sNEyIoUnVyolQau6p1sOqIfjBqdwpVsQXxy5XzHcEtcvgFWzsUItj
         GjPTqfpmpzWDeM98iaQq5KvqmOmG/XfTrqheGfDYMhUL+QykDquFlkfhKCodwz2lE/u8
         Krr25RkrF4y2Ga8uPPoyOcsEF7tPdkBuq9QiBPy38UjjQEy91uBKvBmCMFndkrvb4bFd
         DtKwQk+bAMueFtqBBzrsoX7pxxDJSO2aUnwSRkywkC6jQej39VqzqRR71RMyC4+pT3e0
         HT+ulB+mEWC1dIvoy22exsNg5A1aijtcyD16uH3xINMfIvjcLCc0aGEulzpLq4IodNwI
         R96g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:from:to:cc:subject:message-id
         :references:mime-version:content-disposition:in-reply-to:user-agent;
        bh=OR3h7WVLUUcHv2ZQw3/q57OQjyW+UVNhTLXPtjGCrJ0=;
        b=CuQnKvQU+nuxRHxB/IXrnOuoAbnmxKTF5TrVIG3koNeSxUOi270vGNDNGv2ZSiZiYG
         U+KpvvcdxU77s4B5tDddIFV09zaRJA3mc1awx8Tar9iuRGVpc69MnOm5qKuRTzxnSmfB
         rsw53LeVS0W/dvWTHI8P+c6q2rLDu/PwpS/xz3dQfy9bOVl+JPuQiAJcW6MdkQyX0RoD
         Mn5+4pPjxEGP2YlHT/gTH2o6iY2QKkPDOt4d3rR+Qa8lJRzYJT2yHwgxHYei8x/va3eU
         p5qvaFDXF91jjHq3Kp37Yx8lzk+QECdTIEpOp3uq9iXFgWbqNQqCE9b7CC5BT7rcVTY8
         iW2w==
X-Gm-Message-State: APjAAAXLlfgmejagTGZahaRya7wKheFW+vEOfBBc868eMWJJErcksnso
        IQnc0/kpeR3DBTZNuX0EJjc=
X-Received: by 2002:a17:902:e512:: with SMTP id ck18mr8694515plb.53.1561697838971;
        Thu, 27 Jun 2019 21:57:18 -0700 (PDT)
Received: from localhost ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c])
        by smtp.gmail.com with ESMTPSA id e184sm842745pfa.169.2019.06.27.21.57.17
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 27 Jun 2019 21:57:17 -0700 (PDT)
Date:   Thu, 27 Jun 2019 21:57:16 -0700
From:   Guenter Roeck <linux@roeck-us.net>
To:     Douglas Anderson <dianders@chromium.org>
Cc:     Paolo Valente <paolo.valente@linaro.org>,
        Jens Axboe <axboe@kernel.dk>, groeck@chromium.org,
        drinkcat@chromium.org, linux-block@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] block, bfq: NULL out the bic when it's no longer valid
Message-ID: <20190628045716.GA17274@roeck-us.net>
References: <20190628044409.128823-1-dianders@chromium.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190628044409.128823-1-dianders@chromium.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 27, 2019 at 09:44:09PM -0700, Douglas Anderson wrote:
> In reboot tests on several devices we were seeing a "use after free"
> when slub_debug or KASAN was enabled.  The kernel complained about:
> 
>   Unable to handle kernel paging request at virtual address 6b6b6c2b
> 
> ...which is a classic sign of use after free under slub_debug.  The
> stack crawl in kgdb looked like:
> 
>  0  test_bit (addr=<optimized out>, nr=<optimized out>)
>  1  bfq_bfqq_busy (bfqq=<optimized out>)
>  2  bfq_select_queue (bfqd=<optimized out>)
>  3  __bfq_dispatch_request (hctx=<optimized out>)
>  4  bfq_dispatch_request (hctx=<optimized out>)
>  5  0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440)
>  6  0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440)
>  7  0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440)
>  8  0xc0568d94 in blk_mq_run_work_fn (work=<optimized out>)
>  9  0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480)
>  10 0xc024cff4 in worker_thread (__worker=0xec6d4640)
> 
> Digging in kgdb, it could be found that, though bfqq looked fine,
> bfqq->bic had been freed.
> 
> Through further digging, I postulated that perhaps it is illegal to
> access a "bic" (AKA an "icq") after bfq_exit_icq() had been called
> because the "bic" can be freed at some point in time after this call
> is made.  I confirmed that there certainly were cases where the exact
> crashing code path would access the "bic" after bfq_exit_icq() had
> been called.  Sspecifically I set the "bfqq->bic" to (void *)0x7 and
                ^^^

> saw that the bic was 0x7 at the time of the crash.
> 
> To understand a bit more about why this crash was fairly uncommon (I
> saw it only once in a few hundred reboots), you can see that much of
> the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't
> access the ->bic anymore.  The only case it doesn't is if
> bfq_put_queue() sees a reference still held.
> 
> However, even in the case when bfqq isn't freed, the crash is still
> rare.  Why?  I tracked what happened to the "bic" after the exit
> routine.  It doesn't get freed right away.  Rather,
> put_io_context_active() eventually called put_io_context() which
> queued up freeing on a workqueue.  The freeing then actually happened
> later than that through call_rcu().  Despite all these delays, some
> extra debugging showed that all the hoops could be jumped through in
> time and the memory could be freed causing the original crash.  Phew!
> 
> To make a long story short, assuming it truly is illegal to access an
> icq after the "exit_icq" callback is finished, this patch is needed.
> 
> Signed-off-by: Douglas Anderson <dianders@chromium.org>

Nicely done ... thanks!

Reviewed-by: Guenter Roeck <groeck@chromium.org>

> ---
> Most of the testing of this was done on the Chrome OS 4.19 kernel with
> BFQ backported (thanks to Paolo's help).  I did manage to reproduce a
> crash on mainline Linux (v5.2-rc6) though.
> 
> To see some of the techniques used to debug this, see
> <https://crrev.com/c/1679134> and <https://crrev.com/c/1681258/1>.
> 
> I'll also note that on linuxnext (next-20190627) I saw some other
> use-after-frees that seemed related to BFQ but haven't had time to
> debug.  They seemed unrelated.
> 
>  block/bfq-iosched.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> index f8d430f88d25..6c0cff03f8f6 100644
> --- a/block/bfq-iosched.c
> +++ b/block/bfq-iosched.c
> @@ -4584,6 +4584,7 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
>  		unsigned long flags;
>  
>  		spin_lock_irqsave(&bfqd->lock, flags);
> +		bfqq->bic = NULL;
>  		bfq_exit_bfqq(bfqd, bfqq);
>  		bic_set_bfqq(bic, NULL, is_sync);
>  		spin_unlock_irqrestore(&bfqd->lock, flags);
> -- 
> 2.22.0.410.gd8fdbe21b5-goog
>