Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp832726ybi; Fri, 12 Jul 2019 05:24:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqzo8Bkl6lufLtiViMxasMDisAw/tjzggBz/GQdgtceeg0vXZZybj+xPtoADAngLZyIZjj3b X-Received: by 2002:a63:784c:: with SMTP id t73mr10883602pgc.268.1562934255933; Fri, 12 Jul 2019 05:24:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562934255; cv=none; d=google.com; s=arc-20160816; b=tVqMbQCxIyYKGpvHDJWIZri/mHMIE/CLNy/4rT+vlkORUPnxxutV/DrfJiSVK5hDPV mCtkKr9zmSasPaY1SRVJFqhM19wRUaIU1F/0H0vGwWrJX24vM0XnSkCMCgSbyxVs3vQC issaTBzr0iure+6ZcOVNTCd7nnNmbb5kCwXPXk8dvCe75m+NxZASEys0mA1sTzy+hkQ6 o1PNeafMkLr5N2fH36s3uBl9ZZz4cN4qPz6FN34pcgtm+phaiKG1KH2es2tOzbzpgxdI b8DmubZNoayseVmtOWJzmrv2VN8iKID2RSs3CYvD6lz9YRdmtAWX+Wi2ooOVtSf2om5/ YUgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=EAD6v8YJQ2axwTrbi0ZPvcCF+6/UdCVUM6p3j2s4bbw=; b=h69Kyiudt8bvqnkHFMdEqTLE0dxR2bbt5l+4dojdcrBBuSAPhiAY7I6/PakvSUFrqt W8SxR5ADBqBw4ndJRUA50xtaDDvyQdrNffEgBYBUGSEDqZGEd6ePsvKC4ktGkvZPnwZp Ri2C6uO+18tOCn45gVpCAEX1x77blHFC4M3AI2wzC3rp1aNiaeiU1RZE8zPPqYmCSG2D G6358O5INy7EyIHa3Apz3DhAR7iORh8cWYifaTGaxSnOfgymLlXks7G0XjgTuyKtVVOJ DcIL91oLljHHogdcV2WxveudxBY7ZeRAXWj2ugBA/C0kyyj1La0G3wUAn0qeRumSDUtC JvPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RSSuDbmA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q8si7729873pjp.61.2019.07.12.05.24.00; Fri, 12 Jul 2019 05:24:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RSSuDbmA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727820AbfGLMW7 (ORCPT + 99 others); Fri, 12 Jul 2019 08:22:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:58012 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727797AbfGLMW4 (ORCPT ); Fri, 12 Jul 2019 08:22:56 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CA4FD216C8; Fri, 12 Jul 2019 12:22:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562934175; bh=caejsQlaNCrlDBC0X1+3FAOTu6ZlHEoNFTP/ZxOvTP4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RSSuDbmA7s6f1NKW7l07YfFbNdcrDi/1C1nE7LUMQ/wLLrOphPe53kBWynEvXIcwS XCNO6y7IvXvKBEQRcsYRMnCdYB+ypBl1QUfSb1SKDpjfNzTVLn9K25IGavSfpcNlVE wESyZcSdWXjUEQdyA6FvfHu07yd34o2NhDmMfCX8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paolo Valente , Douglas Anderson , Jens Axboe Subject: [PATCH 4.19 61/91] block, bfq: NULL out the bic when its no longer valid Date: Fri, 12 Jul 2019 14:19:04 +0200 Message-Id: <20190712121625.112910691@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190712121621.422224300@linuxfoundation.org> References: <20190712121621.422224300@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Douglas Anderson commit dbc3117d4ca9e17819ac73501e914b8422686750 upstream. In reboot tests on several devices we were seeing a "use after free" when slub_debug or KASAN was enabled. The kernel complained about: Unable to handle kernel paging request at virtual address 6b6b6c2b ...which is a classic sign of use after free under slub_debug. The stack crawl in kgdb looked like: 0 test_bit (addr=, nr=) 1 bfq_bfqq_busy (bfqq=) 2 bfq_select_queue (bfqd=) 3 __bfq_dispatch_request (hctx=) 4 bfq_dispatch_request (hctx=) 5 0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440) 6 0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440) 7 0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440) 8 0xc0568d94 in blk_mq_run_work_fn (work=) 9 0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480) 10 0xc024cff4 in worker_thread (__worker=0xec6d4640) Digging in kgdb, it could be found that, though bfqq looked fine, bfqq->bic had been freed. Through further digging, I postulated that perhaps it is illegal to access a "bic" (AKA an "icq") after bfq_exit_icq() had been called because the "bic" can be freed at some point in time after this call is made. I confirmed that there certainly were cases where the exact crashing code path would access the "bic" after bfq_exit_icq() had been called. Sspecifically I set the "bfqq->bic" to (void *)0x7 and saw that the bic was 0x7 at the time of the crash. To understand a bit more about why this crash was fairly uncommon (I saw it only once in a few hundred reboots), you can see that much of the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't access the ->bic anymore. The only case it doesn't is if bfq_put_queue() sees a reference still held. However, even in the case when bfqq isn't freed, the crash is still rare. Why? I tracked what happened to the "bic" after the exit routine. It doesn't get freed right away. Rather, put_io_context_active() eventually called put_io_context() which queued up freeing on a workqueue. The freeing then actually happened later than that through call_rcu(). Despite all these delays, some extra debugging showed that all the hoops could be jumped through in time and the memory could be freed causing the original crash. Phew! To make a long story short, assuming it truly is illegal to access an icq after the "exit_icq" callback is finished, this patch is needed. Cc: stable@vger.kernel.org Reviewed-by: Paolo Valente Signed-off-by: Douglas Anderson Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- block/bfq-iosched.c | 1 + 1 file changed, 1 insertion(+) --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -4116,6 +4116,7 @@ static void bfq_exit_icq_bfqq(struct bfq unsigned long flags; spin_lock_irqsave(&bfqd->lock, flags); + bfqq->bic = NULL; bfq_exit_bfqq(bfqd, bfqq); bic_set_bfqq(bic, NULL, is_sync); spin_unlock_irqrestore(&bfqd->lock, flags);