Received: by 2002:ab2:7855:0:b0:1f9:5764:f03e with SMTP id m21csp826226lqp; Thu, 23 May 2024 00:39:22 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXvItt4kA1BkJMVA2TjOoIikAxaivSE/qLFyWojXUFRR8I6wxjqbix2tRLSPylKdYfXQfN5Cx1rMl44nn/y6wXqkJKWPs2f3LRhaDvA4A== X-Google-Smtp-Source: AGHT+IF3xjhQa9H+Tb+guuFJzbpKYu3ZBOMMTxzv7kq6JqzFKtd5NYVzJZ0P+YmMsVmkRq92Qal6 X-Received: by 2002:a05:622a:14ce:b0:43d:f335:425b with SMTP id d75a77b69052e-43f9e1af188mr58664801cf.44.1716449962608; Thu, 23 May 2024 00:39:22 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716449962; cv=pass; d=google.com; s=arc-20160816; b=NGP8t0ub5idPVZ0K/o18ce8wtHdBlcYNhsnknxP7bey9kHmIQYpkTmCVvvmSU2N5qe Lw/jNbmsyd8Uf7Aorx/z0WcDdt0ahdGgsgYqoFbdki5SK6cEPLpIKrzpq9h6B4Ih6/NW QSLE15YiiJF+O2nfRrwY0JkuCjHL5wLh7NC8BKC/w35vbMaGHhrU+pRud1kQ+EjhBAP1 3Gjo1JPkWtminJYSBg5uucYzgYFxKQDgC2CPBWtS3Gt+Yf/AMg09heXUy7+ceeZSA8+k H1OQ3sFx20vmcvSyDnRuz9MoJNdstgLpQPAZ82rpm421bh/YxYQ/BKah7uPpJj8fEFde xdOQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:user-agent:date:message-id:from :references:cc:to:subject; bh=q3k1y9/hU5I6thIiTJnwvie//0FOksWwfh3oqwtyuwc=; fh=hmC/xN1eVi31MADEqU9CITB+hchkMXwaT54lRHVU/48=; b=Y7GcNr3bktoM9uZXDeYVZl+099Zx9fFJ8ICS/YV2ae+LCre7mwl5NiPD7h9XnwJgrK 4B67yooRGrpGOUoP0N9hOqqQXRB6ezJqatKYGDolM05RGpch4PrgFC1B446S44W4AVCa 4GzumpYNZWdlU41ceOgFRf01SEfVidN+HpdzyO1SdH2I+42NpQIe1dOH3Jbg5x1Xq5pe NqPlBPAC8alfqLGn4tZ9Kup+BLqmSqVaKkbzHe3I4xs4uHD8Gkosn/iwTxQU+BbQI9G9 f9RxOo3bHGTqUh0SQs3p4P3xuesIEuKqvKv9qsQp+IjpD0amVa79TODuXZGnIsCrMwr+ 8TnA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-187104-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187104-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id d75a77b69052e-43df56d0596si73989981cf.642.2024.05.23.00.39.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 00:39:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-187104-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-187104-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187104-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 222831C20CA8 for ; Thu, 23 May 2024 07:39:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C630513CAA2; Thu, 23 May 2024 07:39:13 +0000 (UTC) Received: from dggsgout11.his.huawei.com (unknown [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C68CE3B29D; Thu, 23 May 2024 07:39:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716449953; cv=none; b=djWcaasql6qeF++EM/vqElg93Pkoo3KbeX2am9PthL32HnoZtTS709B0uGrHFdHk1fcIzFrhLXYrVR8QmKHFUw17hXTNVKH4G9esBNq+YSVV5w8LTxrXb0Z4ooA18PrzCyIzp8SFOCKTa1y/SOE9W+XbpxKbaIc6NJ8r4KHkrQs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716449953; c=relaxed/simple; bh=XINoD2jDM7KnhgAunmyNnPEZhhA7jX+YzC5sUZ14+fg=; h=Subject:To:Cc:References:From:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type; b=npVWS43xfE4jLyRrokpcwXTjV33HR3uBPWTeyf9KHPDgLDHuRlS4+yQ7TQOMOKmGcR5wizbCAjYUtHRYrRdpMNA6h1AdxCoiLNjOC2biAOtPDslneNm23TBup7jy70PEVulgmchoJdBEAB1kb7jERG7HUh/7yVwPt4pmBilRk7Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.93.142]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4VlKmZ0TTTz4f3jZD; Thu, 23 May 2024 15:38:54 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.112]) by mail.maildlp.com (Postfix) with ESMTP id DD2381A017F; Thu, 23 May 2024 15:38:59 +0800 (CST) Received: from [10.174.176.73] (unknown [10.174.176.73]) by APP1 (Coremail) with SMTP id cCh0CgAX5g6Q8k5mIvzCNQ--.53707S3; Thu, 23 May 2024 15:38:58 +0800 (CST) Subject: Re: [PATCH RESEND] null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' To: Zhu Yanjun , Yu Kuai , axboe@kernel.dk, yi.zhang@redhat.com, dlemoal@kernel.org, hare@suse.de, johannes.thumshirn@wdc.com, kch@nvidia.com, zhouchengming@bytedance.com, bvanassche@acm.org Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yi.zhang@huawei.com, yangerkun@huawei.com, "yukuai (C)" References: <20240523144536.1376904-1-yukuai1@huaweicloud.com> From: Yu Kuai Message-ID: Date: Thu, 23 May 2024 15:38:56 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID:cCh0CgAX5g6Q8k5mIvzCNQ--.53707S3 X-Coremail-Antispam: 1UD129KBjvJXoW3Ar1DJr18XF4rGry3AFW3trb_yoW3JF1UpF 4kGFWUGryjgF1kJw1Utr1UGFy5Jr1UZ3WDGr1xJFyUJr4UZr1jqr1UXryYgr1UJ3y8Gr4U XF1UXrsrZF1UXrUanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUU9214x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7I2V7IY0VAS07AlzVAYIcxG8wCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E 67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw CI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6rWUJVWr Zr1UMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYx BIdaVFxhVjvjDU0xZFpf9x0JUdHUDUUUUU= X-CM-SenderInfo: 51xn3trlr6x35dzhxuhorxvhhfrp/ Hi, 在 2024/05/23 15:34, Zhu Yanjun 写道: > > On 23.05.24 16:45, Yu Kuai wrote: >> From: Yu Kuai >> >> Writing 'power' and 'submit_queues' concurrently will trigger kernel >> panic: >> >> Test script: >> >> modprobe null_blk nr_devices=0 >> mkdir -p /sys/kernel/config/nullb/nullb0 >> while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & >> while true; do echo 1 > power; echo 0 > power; done >> >> Test result: >> >> BUG: kernel NULL pointer dereference, address: 0000000000000148 >> Oops: 0000 [#1] PREEMPT SMP >> RIP: 0010:__lock_acquire+0x41d/0x28f0 >> Call Trace: >>   >>   lock_acquire+0x121/0x450 >>   down_write+0x5f/0x1d0 >>   simple_recursive_removal+0x12f/0x5c0 >>   blk_mq_debugfs_unregister_hctxs+0x7c/0x100 >>   blk_mq_update_nr_hw_queues+0x4a3/0x720 >>   nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] >>   nullb_device_submit_queues_store+0x79/0xf0 [null_blk] >>   configfs_write_iter+0x119/0x1e0 >>   vfs_write+0x326/0x730 >>   ksys_write+0x74/0x150 >> >> This is because del_gendisk() can concurrent with >> blk_mq_update_nr_hw_queues(): >> >> nullb_device_power_store    nullb_apply_submit_queues >>   null_del_dev >>   del_gendisk >>                  nullb_update_nr_hw_queues >>                   if (!dev->nullb) >>                   // still set while gendisk is deleted >>                    return 0 >>                   blk_mq_update_nr_hw_queues >>   dev->nullb = NULL >> >> Fix this problem by resuing the global mutex to protect >> nullb_device_power_store() and nullb_update_nr_hw_queues() from configs. >> >> Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after >> an instance has been configured") >> Reported-and-tested-by: Yi Zhang >> Closes: >> https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/ >> >> Signed-off-by: Yu Kuai >> --- >>   drivers/block/loop.c          |  2 +- >>   drivers/block/null_blk/main.c | 40 +++++++++++++++++++++++------------ >>   2 files changed, 27 insertions(+), 15 deletions(-) >> >> diff --git a/drivers/block/loop.c b/drivers/block/loop.c >> index 28a95fd366fe..3e1c4f5ef714 100644 >> --- a/drivers/block/loop.c >> +++ b/drivers/block/loop.c >> @@ -2140,7 +2140,7 @@ static int loop_control_remove(int idx) >>           pr_warn_once("deleting an unspecified loop device is not >> supported.\n"); >>           return -EINVAL; >>       } >> - >> + > > This snippet changes nothing. Can we remove it? Of course this should be removed... it's tail space here, however, it's not related to this patch, and I somehow merged into this patch... Will send a v2. Thanks, Kuai > > Zhu Yanjun > >>       /* Hide this loop device for serialization. */ >>       ret = mutex_lock_killable(&loop_ctl_mutex); >>       if (ret) >> diff --git a/drivers/block/null_blk/main.c >> b/drivers/block/null_blk/main.c >> index 5d56ad4ce01a..eb023d267369 100644 >> --- a/drivers/block/null_blk/main.c >> +++ b/drivers/block/null_blk/main.c >> @@ -413,13 +413,25 @@ static int nullb_update_nr_hw_queues(struct >> nullb_device *dev, >>   static int nullb_apply_submit_queues(struct nullb_device *dev, >>                        unsigned int submit_queues) >>   { >> -    return nullb_update_nr_hw_queues(dev, submit_queues, >> dev->poll_queues); >> +    int ret; >> + >> +    mutex_lock(&lock); >> +    ret = nullb_update_nr_hw_queues(dev, submit_queues, >> dev->poll_queues); >> +    mutex_unlock(&lock); >> + >> +    return ret; >>   } >>   static int nullb_apply_poll_queues(struct nullb_device *dev, >>                      unsigned int poll_queues) >>   { >> -    return nullb_update_nr_hw_queues(dev, dev->submit_queues, >> poll_queues); >> +    int ret; >> + >> +    mutex_lock(&lock); >> +    ret = nullb_update_nr_hw_queues(dev, dev->submit_queues, >> poll_queues); >> +    mutex_unlock(&lock); >> + >> +    return ret; >>   } >>   NULLB_DEVICE_ATTR(size, ulong, NULL); >> @@ -468,28 +480,31 @@ static ssize_t nullb_device_power_store(struct >> config_item *item, >>       if (ret < 0) >>           return ret; >> +    ret = count; >> +    mutex_lock(&lock); >>       if (!dev->power && newp) { >>           if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags)) >> -            return count; >> +            goto out; >> + >>           ret = null_add_dev(dev); >>           if (ret) { >>               clear_bit(NULLB_DEV_FL_UP, &dev->flags); >> -            return ret; >> +            goto out; >>           } >>           set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); >>           dev->power = newp; >>       } else if (dev->power && !newp) { >>           if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) { >> -            mutex_lock(&lock); >>               dev->power = newp; >>               null_del_dev(dev->nullb); >> -            mutex_unlock(&lock); >>           } >>           clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); >>       } >> -    return count; >> +out: >> +    mutex_unlock(&lock); >> +    return ret; >>   } >>   CONFIGFS_ATTR(nullb_device_, power); >> @@ -1932,15 +1947,12 @@ static int null_add_dev(struct nullb_device *dev) >>       nullb->q->queuedata = nullb; >>       blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q); >> -    mutex_lock(&lock); >>       rv = ida_alloc(&nullb_indexes, GFP_KERNEL); >> -    if (rv < 0) { >> -        mutex_unlock(&lock); >> +    if (rv < 0) >>           goto out_cleanup_disk; >> -    } >> + >>       nullb->index = rv; >>       dev->index = rv; >> -    mutex_unlock(&lock); >>       if (config_item_name(&dev->group.cg_item)) { >>           /* Use configfs dir name as the device name */ >> @@ -1969,9 +1981,7 @@ static int null_add_dev(struct nullb_device *dev) >>       if (rv) >>           goto out_ida_free; >> -    mutex_lock(&lock); >>       list_add_tail(&nullb->list, &nullb_list); >> -    mutex_unlock(&lock); >>       pr_info("disk %s created\n", nullb->disk_name); >> @@ -2020,7 +2030,9 @@ static int null_create_dev(void) >>       if (!dev) >>           return -ENOMEM; >> +    mutex_lock(&lock); >>       ret = null_add_dev(dev); >> +    mutex_unlock(&lock); >>       if (ret) { >>           null_free_dev(dev); >>           return ret; >