Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2405555ybi; Sun, 28 Jul 2019 08:20:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqw/uCazI8c7QDWHycdbtCTSqdkbcTTzheT/ZslJe0UZ9L7sIuVH/WOlDUpkfLk4E0Pzt+ZR X-Received: by 2002:a63:ee0c:: with SMTP id e12mr101746254pgi.184.1564327224749; Sun, 28 Jul 2019 08:20:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564327224; cv=none; d=google.com; s=arc-20160816; b=BN2pdGTYt6JER6rPS23YNUx7ob1v10qk8gSvU1UwrkX05V697DhsfP90XV9D/2FcMB x49Zm92WhGXpIfsaRnHID2rC1eOR/7ta3spqhF2r6uJ76Kny9addEZzqw4dosHnWHNnf rL3F5H3TrxU5LuuTkiKQWu1c4c9F40kTAcd4QC1OTAJE7MYJbgf2BH3KTBrwTkZBLpD6 7i79mbTXZMxTpaK8CvZWErKHWV8nZJW4Puj74naPQYXeCFvLpTV3f8L3k9kMbXww9xFn xj4dzfAMnbX8YysvYpq8NdXIQKulvqJU88Eg2POk4J2XLRl7+x1uSaAniaOPxqTTPDVh Ne9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=zC+eHzdf8hhsaPyyiK2zg/tZEjENQIF8MncCCS04hoE=; b=kIqDrLKni3ROZ8crLMf4BFhO4gA+B3E+QOChqENqzt4NZy4K0ckN9K87heCiKSAeE7 rlMk4IRP9yFZvRoGCih/bCYXc5GEVLeEnBjpW5jPp0Xn+ehoB8L5SOueAkn3rJJgnYDO K93MxTS8hk8EXkm6TlmA/D7tfvTPS8pEVH+53lphunDcOkVyS/cqAaLoxABeXo6D+KxZ W5LTpbNzluc2OP10vgGQVVXmOsXZdTDZUS8J3geDykSZLQWvhAEN0sIkr1fvOGCZ9JXD 6fNF43l64kM8LKHvwvueS/6qDRlPzeVQtSvbmNUB/GIGCztD11zx8vTq6PqdRCjbm0F0 zaNg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b="vCZ4/XvW"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z19si25668382pfa.19.2019.07.28.08.20.08; Sun, 28 Jul 2019 08:20:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b="vCZ4/XvW"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726111AbfG1PTf (ORCPT + 99 others); Sun, 28 Jul 2019 11:19:35 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:40008 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726082AbfG1PTe (ORCPT ); Sun, 28 Jul 2019 11:19:34 -0400 Received: by mail-pf1-f195.google.com with SMTP id p184so26710302pfp.7; Sun, 28 Jul 2019 08:19:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=zC+eHzdf8hhsaPyyiK2zg/tZEjENQIF8MncCCS04hoE=; b=vCZ4/XvWCb3QBAMC+5Re3UXPmj5tgPid5AiHYRrnPJ6/iWM4GgyHJyaUiT2AXhnzte ZxrZYJ6T7yNY0vZwdm+9HancWCXjiArMrjo7aqds7ULBGABrPavGcDQhjBPrfuK6DcHJ RfVcEjamNYaSsaS32UNoykImfArJLLBiWjPja3wFiBoo+dwq7zvLuLy5LDBVzUXIvz02 f3oyem/By5ScuawfF8r0TRbLsSaoXD9OezeF+oN/NfXXiXRS3cJ5wRg6aIrJNPgG2o2h gcWY3v9d7HvYEv6GfDE/PlW2tCsNGkdNdU2x+swtOgKI/Ooxb0nspaD/l3tfXY4wsHV9 CIeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=zC+eHzdf8hhsaPyyiK2zg/tZEjENQIF8MncCCS04hoE=; b=FX7i9kRgmv2rpCHYyLcYHLQI1CnntR65oZj1nK7ErC+PQcCXmMrPeuQP58X66MRU+3 HpyCGjlOL0iAH76mgdLN6qJVDkTcWtzzlCxunuf9dX2fngkXIfNP2ChHNymz3hoepYPV kHOcGg/QBjwO7qeXlteC7OWBiN26RAE5iV3AkrKV7RpnEY6F29twRM8WIqp1+LLweTSH VjS4w1r4B5L0zOIdbY1YyebyT9E11PEoRrZxvdFqs0BT8A9JAuoni/V+IUVP1eOXphSW GBsEzjON1esZPakzpZClA/he4gKvqSGZbcBJTOru2ipM8Rmxse7JJnchSikq+71OARG5 Ze/A== X-Gm-Message-State: APjAAAXwdLlekqYfMDCtyeFlKNzfW3reboAtP8afVKjEa8T2nuSgnLnI QWyETi0z/G8dix7x44EiG5k= X-Received: by 2002:a63:f857:: with SMTP id v23mr75251344pgj.228.1564327173930; Sun, 28 Jul 2019 08:19:33 -0700 (PDT) Received: from localhost ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c]) by smtp.gmail.com with ESMTPSA id l4sm59616033pff.50.2019.07.28.08.19.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 28 Jul 2019 08:19:32 -0700 (PDT) Date: Sun, 28 Jul 2019 08:19:31 -0700 From: Guenter Roeck To: Paolo Valente , Jens Axboe Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Hsin-Yi Wang , Nicolas Boichat , Doug Anderson Subject: Re: [PATCH] bfq: Check if bfqq is NULL in bfq_insert_request Message-ID: <20190728151931.GA29181@roeck-us.net> References: <1563816648-12057-1-git-send-email-linux@roeck-us.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1563816648-12057-1-git-send-email-linux@roeck-us.net> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ping ... just in case this patch got lost in Paolo's queue. Guenter On Mon, Jul 22, 2019 at 10:30:48AM -0700, Guenter Roeck wrote: > In bfq_insert_request(), bfqq is initialized with: > bfqq = bfq_init_rq(rq); > In bfq_init_rq(), we find: > if (unlikely(!rq->elv.icq)) > return NULL; > Indeed, rq->elv.icq can be NULL if the memory allocation in > create_task_io_context() failed. > > A comment in bfq_insert_request() suggests that bfqq is supposed to be > non-NULL if 'at_head || blk_rq_is_passthrough(rq)' is false. Yet, as > debugging and practical experience shows, this is not the case in the > above situation. > > This results in the following crash. > > Unable to handle kernel NULL pointer dereference > at virtual address 00000000000001b0 > ... > Call trace: > bfq_setup_cooperator+0x44/0x134 > bfq_insert_requests+0x10c/0x630 > blk_mq_sched_insert_requests+0x60/0xb4 > blk_mq_flush_plug_list+0x290/0x2d4 > blk_flush_plug_list+0xe0/0x230 > blk_finish_plug+0x30/0x40 > generic_writepages+0x60/0x94 > blkdev_writepages+0x24/0x30 > do_writepages+0x74/0xac > __filemap_fdatawrite_range+0x94/0xc8 > file_write_and_wait_range+0x44/0xa0 > blkdev_fsync+0x38/0x68 > vfs_fsync_range+0x68/0x80 > do_fsync+0x44/0x80 > > The problem is relatively easy to reproduce by running an image with > failslab enabled, such as with: > > cd /sys/kernel/debug/failslab > echo 10 > probability > echo 300 > times > > Avoid the problem by checking if bfqq is NULL before using it. With the > NULL check in place, requests with missing io context are queued > immediately, and the crash is no longer seen. > > Fixes: 18e5a57d79878 ("block, bfq: postpone rq preparation to insert or merge") > Reported-by: Hsin-Yi Wang > Cc: Hsin-Yi Wang > Cc: Nicolas Boichat > Cc: Doug Anderson > Signed-off-by: Guenter Roeck > --- > block/bfq-iosched.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c > index 72860325245a..56f3f4227010 100644 > --- a/block/bfq-iosched.c > +++ b/block/bfq-iosched.c > @@ -5417,7 +5417,7 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq, > > spin_lock_irq(&bfqd->lock); > bfqq = bfq_init_rq(rq); > - if (at_head || blk_rq_is_passthrough(rq)) { > + if (!bfqq || at_head || blk_rq_is_passthrough(rq)) { > if (at_head) > list_add(&rq->queuelist, &bfqd->dispatch); > else > -- > 2.7.4 >