Subject: Re: [PATCH BUGFIX V2 1/1] block, bfq: deschedule empty bfq_queues not referred by any process
To: Paolo Valente, Jens Axboe
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, ulf.hansson@linaro.org, linus.walleij@linaro.org, bfq-iosched@googlegroups.com, oleksandr@natalenko.name, tschubert@bafh.org, patdung100@gmail.com, cevich@redhat.com
From: Holger Hoffstätte
Organization: Applied Asynchrony, Inc.
Date: Fri, 15 Nov 2019 19:32:50 +0100

On 11/14/19 10:33 AM, Paolo Valente wrote:
> Since commit 3726112ec731 ("block, bfq: re-schedule empty queues if
> they deserve I/O plugging"), to prevent the service guarantees of a
> bfq_queue from being violated, the bfq_queue may be left busy, i.e.,
> scheduled for service, even if empty (see comments in
> __bfq_bfqq_expire() for details). But, if no process will send
> requests to the bfq_queue any longer, then there is no point in
> keeping the bfq_queue scheduled for service.
>
> In addition, keeping the bfq_queue scheduled for service, but with no
> process reference any longer, may cause the bfq_queue to be freed when
> descheduled from service. But this is assumed to never happen, and
> causes a UAF if it happens. This, in turn, caused crashes [1, 2].
>
> This commit fixes this issue by descheduling an empty bfq_queue when
> it remains with no process reference.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1767539
> [2] https://bugzilla.kernel.org/show_bug.cgi?id=205447
>
> Fixes: 3726112ec731 ("block, bfq: re-schedule empty queues if they deserve I/O plugging")
> Reported-by: Chris Evich
> Reported-by: Patrick Dung
> Reported-by: Thorsten Schubert
> Tested-by: Thorsten Schubert
> Tested-by: Oleksandr Natalenko
> Signed-off-by: Paolo Valente

Jens, can you please also tag this for stable-5.3 before the next push?
The original problem was found on 5.3 after all, and hoping for the stable-bot
to pick it up automagically is a bit unreliable.

Thanks,
Holger
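
The lifetime problem described in the quoted commit message, as an added toy model that is not part of this mail and is not BFQ code. Every name is hypothetical, and it assumes a scheduled queue holds one reference of its own that is dropped when the queue is descheduled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the lifetime problem; not kernel code, all names hypothetical. */
struct toy_queue {
    int  refs;       /* process refs plus one ref held while scheduled (assumed) */
    int  nr_queued;  /* pending requests */
    bool busy;       /* scheduled for service */
    bool freed;      /* set instead of calling free(), so the model stays safe */
    bool stale_use;  /* deschedule path used the queue after it was freed */
};

static void toy_put(struct toy_queue *q)
{
    if (--q->refs == 0)
        q->freed = true;
}

/* Drops the scheduler's ref, then keeps using the queue (assumes it is pinned). */
static void toy_deschedule(struct toy_queue *q)
{
    q->busy = false;
    toy_put(q);
    if (q->freed)
        q->stale_use = true;
}

/* Last process lets go; 'fixed' deschedules an empty busy queue first. */
static void toy_release_process_ref(struct toy_queue *q, bool fixed)
{
    if (fixed && q->busy && q->nr_queued == 0)
        toy_deschedule(q);
    toy_put(q);
}

/* Returns true if the deschedule path ran on a queue it had just freed. */
static bool toy_run(bool fixed)
{
    struct toy_queue q = { .refs = 2, .nr_queued = 0, .busy = true };
    toy_release_process_ref(&q, fixed);
    if (q.busy)              /* scheduler later expires the empty queue */
        toy_deschedule(&q);
    return q.stale_use;
}

int main(void)
{
    printf("old: %d, fixed: %d\n", toy_run(false), toy_run(true));
}
```

In the fixed ordering the final reference is dropped by the releasing caller, which does not use the queue afterwards, so the deschedule path never frees the object it is still working on.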