Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp4811067pxv; Tue, 27 Jul 2021 17:40:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzCDRNl6288aQy2Y8I8eRNth5F637tits2bgX9Xzni03wZQscshUaq+maRUfxI29KCyAjDb X-Received: by 2002:a92:db4c:: with SMTP id w12mr19636576ilq.306.1627432832602; Tue, 27 Jul 2021 17:40:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627432832; cv=none; d=google.com; s=arc-20160816; b=M/t9zRsrEul6BPiDCPbce0drlO0ZdEQ0rYqEpRL/KvJ9gl0ayxAMmHZ9ht15KMzOQa U2k7xMhS+pdKmzhxLIgNf3h8xZ4Kap4wmT4xtUi/Cj+8x2KFfLLb2NBnVpsF/AOy90Au 4V5ys9xeonVKqGKtxYfj/Cf3knwzC6HBzNUHCcz09VlcxJVNbqAPtHdJqI1p023RN+QH 4f50hdnW6RgVDxHQQAA/Noy+38VHqgsHveA0bg2lo3zefmoCPv2+3+ZgiYD4hOr9OmKb emiB1BwKdaDmA6FRzQVqYJA8Je7PBX7uzgyfZk20Io5iswcpsJHqWfss2toq9NFGh/GV UztA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:sender:dkim-signature; bh=b72Mqy89B2Ts98E37aqCi1/9GXkKJ3If2NuRSfThl+o=; b=NsGJSIbjFcEgnnz1A2k/T7jwrjx29mOr0D3Ifo0A7scJSFDHocbOv+Lc38kWhhB0IL U+4WTRiam8gp8+FLswuXc99lspeR1Fd1yYshvdHxmt1kRbpqxrj7UiHDZHEVjgOAE1YI Ol/CfuSu70qBotPrUY6cetWgFV4xWK26zZ0ba0Y1ZN65X5wHrfbnehARxPxghfPKlwDs OUzkz8XLrpHlSgvrvKdXAfKOM7Wu/LxoD6/V5TSYOQnLGuBca0eHy4wLLa4irVbyJ9OW 8XZ+bNr6d4+PdQXVXXV1kCVHkSxWea0D+Hfak6w9kjBor/JYLFWa5OQMOYw00qiCMOod 0cyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RxkjKWb6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o14si4484249ioo.4.2021.07.27.17.40.11; Tue, 27 Jul 2021 17:40:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RxkjKWb6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232978AbhG1AiO (ORCPT + 99 others); Tue, 27 Jul 2021 20:38:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47414 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232883AbhG1AiN (ORCPT ); Tue, 27 Jul 2021 20:38:13 -0400 Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64EE9C061757; Tue, 27 Jul 2021 17:38:12 -0700 (PDT) Received: by mail-pj1-x1036.google.com with SMTP id g23-20020a17090a5797b02901765d605e14so1712733pji.5; Tue, 27 Jul 2021 17:38:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=b72Mqy89B2Ts98E37aqCi1/9GXkKJ3If2NuRSfThl+o=; b=RxkjKWb6vyuBj8jWOTjy79JqnSnwpNXwKIU1Il9ltbcinklyLudxGTiBHX1qO3LvhE euT7itrHJfxo4ciPDcJDRzAxrrPonqCyfjmFuAqTMkvwIUdQwe1sAbTXRF07PdKWqL9e 84MpOioni1oX/HXPLnOg7JVWLjP9L23W2yYd6Z9dV/iIuttKbOGY1iekWpKRalagZd9W fbI8EZJU90Y5DJBy3rufvh33gSVRgACIr4mU0MXP5Yp0FB+Bmj3dyQ6fFsnPmsHLfN2P LmjJy+/Ly99xsk1YEIAWnT8BgPT5W7ZNuiNyRyUn9bX/Vae3NeVM3EBwj2w4LHt6X8t1 UKwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :mime-version:content-disposition; bh=b72Mqy89B2Ts98E37aqCi1/9GXkKJ3If2NuRSfThl+o=; b=ioZaI3sdXC7qVtJ66U8YzAYePZ129ougmkHUbVduJ3e3AZKfeOvWY2l3k57959Tfsz pvfBtsY1ML5LSHpHiehwVEZaDaQItGaP06kbMXlSGzlywq3Au2qsqNGkO+cxRyWk6sO9 xayoqnwuTPZygJkgsPxOtXaJVbAOoeFjX5fNcJ8EZCBT1/5RbHUGHHZUfq3Nii1CtQDd Vi0XSc6EaTWNoDy/wrSk9azORfVn0bjYY9JQGGRdiMexXOJ/vLLkL7+2fzFUBrjgaIMi latJqSkISIG1XQA42EqawZUi9gYTZR+OzmKJerhen+vAeeYPf78qbAhxZFuHcKUHTGLW VM6Q== X-Gm-Message-State: AOAM533uhPnGAPB5ioGiBS6tesU0zgH6U64+G7fHuiVybWfN59KM5LvG Wzb/6EmUIHm44E/Rnyn7NjM= X-Received: by 2002:a63:510d:: with SMTP id f13mr22759796pgb.308.1627432691794; Tue, 27 Jul 2021 17:38:11 -0700 (PDT) Received: from localhost (udp264798uds.hawaiiantel.net. [72.253.242.87]) by smtp.gmail.com with ESMTPSA id m19sm5088551pfa.135.2021.07.27.17.38.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jul 2021 17:38:11 -0700 (PDT) Sender: Tejun Heo Date: Tue, 27 Jul 2021 14:38:09 -1000 From: Tejun Heo To: Jens Axboe Cc: linux-block@vger.kernel.org, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, Rik van Riel Subject: [PATCH block/for-5.14-fixes] blk-iocost: fix operation ordering in iocg_wake_fn() Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From aae4e1b4e26c3c671fc19aed2fb2ee19f7438707 Mon Sep 17 00:00:00 2001 From: Tejun Heo Date: Tue, 27 Jul 2021 14:21:30 -1000 iocg_wake_fn() open-codes wait_queue_entry removal and wakeup because it wants the wq_entry to be always removed whether it ended up waking the task or not. finish_wait() tests whether wq_entry needs removal without grabbing the wait_queue lock and expects the waker to use list_del_init_careful() after all waking operations are complete, which iocg_wake_fn() didn't do. The operation order was wrong and the regular list_del_init() was used. The result is that if a watier wakes up racing the waker, it can free pop the wq_entry off stack before the waker is still looking at it, which can lead to a backtrace like the following. [7312084.588951] general protection fault, probably for non-canonical address 0x586bf4005b2b88: 0000 [#1] SMP ... [7312084.647079] RIP: 0010:queued_spin_lock_slowpath+0x171/0x1b0 ... [7312084.858314] Call Trace: [7312084.863548] _raw_spin_lock_irqsave+0x22/0x30 [7312084.872605] try_to_wake_up+0x4c/0x4f0 [7312084.880444] iocg_wake_fn+0x71/0x80 [7312084.887763] __wake_up_common+0x71/0x140 [7312084.895951] iocg_kick_waitq+0xe8/0x2b0 [7312084.903964] ioc_rqos_throttle+0x275/0x650 [7312084.922423] __rq_qos_throttle+0x20/0x30 [7312084.930608] blk_mq_make_request+0x120/0x650 [7312084.939490] generic_make_request+0xca/0x310 [7312084.957600] submit_bio+0x173/0x200 [7312084.981806] swap_readpage+0x15c/0x240 [7312084.989646] read_swap_cache_async+0x58/0x60 [7312084.998527] swap_cluster_readahead+0x201/0x320 [7312085.023432] swapin_readahead+0x2df/0x450 [7312085.040672] do_swap_page+0x52f/0x820 [7312085.058259] handle_mm_fault+0xa16/0x1420 [7312085.066620] do_page_fault+0x2c6/0x5c0 [7312085.074459] page_fault+0x2f/0x40 Fix it by switching to list_del_init_careful() and putting it at the end. Signed-off-by: Tejun Heo Reported-by: Rik van Riel Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") Cc: stable@vger.kernel.org # v5.4+ --- block/blk-iocost.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/block/blk-iocost.c b/block/blk-iocost.c index c2d6bc88d3f15..5fac3757e6e05 100644 --- a/block/blk-iocost.c +++ b/block/blk-iocost.c @@ -1440,16 +1440,17 @@ static int iocg_wake_fn(struct wait_queue_entry *wq_entry, unsigned mode, return -1; iocg_commit_bio(ctx->iocg, wait->bio, wait->abs_cost, cost); + wait->committed = true; /* * autoremove_wake_function() removes the wait entry only when it - * actually changed the task state. We want the wait always - * removed. Remove explicitly and use default_wake_function(). + * actually changed the task state. We want the wait always removed. + * Remove explicitly and use default_wake_function(). Note that the + * order of operations is important as finish_wait() tests whether + * @wq_entry is removed without grabbing the lock. */ - list_del_init(&wq_entry->entry); - wait->committed = true; - default_wake_function(wq_entry, mode, flags, key); + list_del_init_careful(&wq_entry->entry); return 0; } -- 2.32.0