Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2153102iof; Tue, 7 Jun 2022 21:31:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyLeCWyZy3m/8XeXNhsg03A5+T49vzWppZ8a7KvWyeYvmYUbHI2Sxu4dyzA/1h8Cwn2ToHG X-Received: by 2002:a17:90a:5a48:b0:1e3:4180:a218 with SMTP id m8-20020a17090a5a4800b001e34180a218mr44159798pji.182.1654662707837; Tue, 07 Jun 2022 21:31:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654662707; cv=none; d=google.com; s=arc-20160816; b=QV7t8FgDKS9wu89J0ri7FwxFCpzS7G1oTeTwBmoK2tFAc2NW+a3AQ+Cr6vA5V1IYsC E+tcQVnNLoM36z4u1BqP7Q/hVtWnKjru1xv/SfM9/Hy3F7MQk74t6L7Ni8zlKHSiRyji FqI6nGSOvla/WHBZa6zgWusbeSWfTjCLuTzJxHVgCD3F2ZIkNDC21bz8oZWn5wmAF5sM xeDkkqJ6+jAQmJv0J6qHOHcHGuXf18Ik6qekWoyEk/rlwy05ykCagInCbN9eBmTjzvke Y1gDlcXPVK1WwnCo5MZTJ/s1RKNuFRWrG2yl/VykYUHFK33fn+Bc973cUvrpFVVPjVhz azqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=c9tSd8bjWEPoYQAiwKoZdT2oiwXJqfMDjGcs56KZpvk=; b=q4a/puBmNSa3OA4n6hTq8lHEFK3YrHLLoo8d7ZqbSBTpVds+atPOYgMOgiF4CQhwng tzQF5Plzjg+KqSVgXtAqKrXZlr1+NOuy2KHMj9TTWkJfv0GbKkr7HkVBnkOzMiRGSRg/ EpXFoecQxuZ7gTpxpz/8/RcWDMgnrCYsuqiImuTvlGTHlHNq/ggezxlo/1uwabjKeTZa mAK5FDj7qgsvOy4oDLsxD/lg/jBg8uMS8g574AnvFmmwv9y2rv4ZoQ9AMOqMkfCQvejc qk3iT8BAIIj7hSr7x70OX2Jpq2SSW/63s/HBRaF6c3r4qkqBX41l3U3k1DFkYliTgVJ5 RyGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WIIBfbjh; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id 206-20020a6301d7000000b003fd60345d13si16539981pgb.693.2022.06.07.21.31.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 21:31:47 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WIIBfbjh; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 29CCA256965; Tue, 7 Jun 2022 21:01:06 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350198AbiFGSKk (ORCPT + 99 others); Tue, 7 Jun 2022 14:10:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47928 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349856AbiFGRvj (ORCPT ); Tue, 7 Jun 2022 13:51:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C05EC13F1F5; Tue, 7 Jun 2022 10:39:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 3383BB81F38; Tue, 7 Jun 2022 17:38:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 81488C34115; Tue, 7 Jun 2022 17:38:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1654623502; bh=eZLploCWWHaF/e5TfqlvMEdXoL+bQn3oW0qOysb6+OM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WIIBfbjhPoRSg/hgIhW9/yxODX/jRAytPCEM+fwndQDHqF8yuDP60nbWNS2g3+Scd DD8xVrvIwq2L/WOQfKv1iy0gLkRfmNIh0Q2czbeJiIVOptyW73na6xWAHse1UvdcEL F0HwPGYxTzRikGd8paTSfFwzMZjxbvWOoIH7gusA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , "yukuai (C)" , Jan Kara , Christoph Hellwig , Jens Axboe Subject: [PATCH 5.10 441/452] bfq: Avoid merging queues with different parents Date: Tue, 7 Jun 2022 19:04:58 +0200 Message-Id: <20220607164921.704862201@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220607164908.521895282@linuxfoundation.org> References: <20220607164908.521895282@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Kara commit c1cee4ab36acef271be9101590756ed0c0c374d9 upstream. It can happen that the parent of a bfqq changes between the moment we decide two queues are worth to merge (and set bic->stable_merge_bfqq) and the moment bfq_setup_merge() is called. This can happen e.g. because the process submitted IO for a different cgroup and thus bfqq got reparented. It can even happen that the bfqq we are merging with has parent cgroup that is already offline and going to be destroyed in which case the merge can lead to use-after-free issues such as: BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50 Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544 CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x46/0x5a print_address_description.constprop.0+0x1f/0x140 ? __bfq_deactivate_entity+0x9cb/0xa50 kasan_report.cold+0x7f/0x11b ? __bfq_deactivate_entity+0x9cb/0xa50 __bfq_deactivate_entity+0x9cb/0xa50 ? update_curr+0x32f/0x5d0 bfq_deactivate_entity+0xa0/0x1d0 bfq_del_bfqq_busy+0x28a/0x420 ? resched_curr+0x116/0x1d0 ? bfq_requeue_bfqq+0x70/0x70 ? check_preempt_wakeup+0x52b/0xbc0 __bfq_bfqq_expire+0x1a2/0x270 bfq_bfqq_expire+0xd16/0x2160 ? try_to_wake_up+0x4ee/0x1260 ? bfq_end_wr_async_queues+0xe0/0xe0 ? _raw_write_unlock_bh+0x60/0x60 ? _raw_spin_lock_irq+0x81/0xe0 bfq_idle_slice_timer+0x109/0x280 ? bfq_dispatch_request+0x4870/0x4870 __hrtimer_run_queues+0x37d/0x700 ? enqueue_hrtimer+0x1b0/0x1b0 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_update_offsets_now+0x6f/0x280 hrtimer_interrupt+0x2c8/0x740 Fix the problem by checking that the parent of the two bfqqs we are merging in bfq_setup_merge() is the same. Link: https://lore.kernel.org/linux-block/20211125172809.GC19572@quack2.suse.cz/ CC: stable@vger.kernel.org Fixes: 430a67f9d616 ("block, bfq: merge bursts of newly-created queues") Tested-by: "yukuai (C)" Signed-off-by: Jan Kara Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220401102752.8599-2-jack@suse.cz Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- block/bfq-iosched.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -2509,6 +2509,14 @@ bfq_setup_merge(struct bfq_queue *bfqq, if (process_refs == 0 || new_process_refs == 0) return NULL; + /* + * Make sure merged queues belong to the same parent. Parents could + * have changed since the time we decided the two queues are suitable + * for merging. + */ + if (new_bfqq->entity.parent != bfqq->entity.parent) + return NULL; + bfq_log_bfqq(bfqq->bfqd, bfqq, "scheduling merge with queue %d", new_bfqq->pid);