From: Bart Van Assche <bart.vanassche@sandisk.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: <linux-block@vger.kernel.org>, Christoph Hellwig <hch@lst.de>,
	"Bart Van Assche" <bart.vanassche@sandisk.com>,
	Jens Axboe <axboe@fb.com>, Jan Kara <jack@suse.cz>,
	<stable@vger.kernel.org>
Subject: [PATCH 01/19] block: Avoid that blk_exit_rl() triggers a use-after-free
Date: Thu, 25 May 2017 11:43:09 -0700
Message-ID: <20170525184327.23570-2-bart.vanassche@sandisk.com>
In-Reply-To: <20170525184327.23570-1-bart.vanassche@sandisk.com>

Since the introduction of the .init_rq_fn() and .exit_rq_fn() callbacks,
it is essential that the memory allocated for struct request_queue
stays around until all blk_exit_rl() calls have finished. Hence
make blk_init_rl() take a reference on struct request_queue.

This patch fixes the following crash:

general protection fault: 0000 [#2] SMP
CPU: 3 PID: 28 Comm: ksoftirqd/3 Tainted: G      D         4.12.0-rc2-dbg+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
task: ffff88013a108040 task.stack: ffffc9000071c000
RIP: 0010:free_request_size+0x1a/0x30
RSP: 0018:ffffc9000071fd38 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6b6b RBX: ffff880067362a88 RCX: 0000000000000003
RDX: ffff880067464178 RSI: ffff880067362a88 RDI: ffff880135ea4418
RBP: ffffc9000071fd40 R08: 0000000000000000 R09: 0000000100180009
R10: ffffc9000071fd38 R11: ffffffff81110800 R12: ffff88006752d3d8
R13: ffff88006752d3d8 R14: ffff88013a108040 R15: 000000000000000a
FS:  0000000000000000(0000) GS:ffff88013fd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa8ec1edb00 CR3: 0000000138ee8000 CR4: 00000000001406e0
Call Trace:
 mempool_destroy.part.10+0x21/0x40
 mempool_destroy+0xe/0x10
 blk_exit_rl+0x12/0x20
 blkg_free+0x4d/0xa0
 __blkg_release_rcu+0x59/0x170
 rcu_process_callbacks+0x260/0x4e0
 __do_softirq+0x116/0x250
 smpboot_thread_fn+0x123/0x1e0
 kthread+0x109/0x140
 ret_from_fork+0x31/0x40

Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Cc: Jens Axboe <axboe@fb.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jan Kara <jack@suse.cz>
Cc: <stable@vger.kernel.org> # v4.11+
---
 block/blk-cgroup.c |  2 +-
 block/blk-core.c   | 10 ++++++++--
 block/blk-sysfs.c  |  2 +-
 block/blk.h        |  2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 7c2947128f58..0480892e97e5 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -74,7 +74,7 @@ static void blkg_free(struct blkcg_gq *blkg)
 			blkcg_policy[i]->pd_free_fn(blkg->pd[i]);
 
 	if (blkg->blkcg != &blkcg_root)
-		blk_exit_rl(&blkg->rl);
+		blk_exit_rl(blkg->q, &blkg->rl);
 
 	blkg_rwstat_exit(&blkg->stat_ios);
 	blkg_rwstat_exit(&blkg->stat_bytes);
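Review bot: the guard `if (blkg->blkcg != &blkcg_root)` at this call site and the `rl != &q->root_rl` test inside the new blk_exit_rl() encode the same fact (the root blkg uses q->root_rl instead of its own list) in two different ways, so the reference taken in blk_init_rl() and the put in blk_exit_rl() stay balanced only as long as both conditions agree. A one-line comment here stating that blkg->q may be dereferenced from this RCU release path only because blk_init_rl() pinned the queue for non-root lists would make the reason for passing q explicit.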
diff --git a/block/blk-core.c b/block/blk-core.c
index c580b0138a7f..9416f6f495d4 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -648,13 +648,19 @@ int blk_init_rl(struct request_list *rl, struct request_queue *q,
 	if (!rl->rq_pool)
 		return -ENOMEM;
 
+	if (rl != &q->root_rl)
+		WARN_ON_ONCE(!blk_get_queue(q));
+
 	return 0;
 }
 
-void blk_exit_rl(struct request_list *rl)
+void blk_exit_rl(struct request_queue *q, struct request_list *rl)
 {
-	if (rl->rq_pool)
+	if (rl->rq_pool) {
 		mempool_destroy(rl->rq_pool);
+		if (rl != &q->root_rl)
+			blk_put_queue(q);
+	}
 }
 
 struct request_queue *blk_alloc_queue(gfp_t gfp_mask)
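Review bot: in blk_init_rl(), when blk_get_queue(q) fails the function only warns and still returns 0, so the caller is left with a live rq_pool but no queue reference, and the matching blk_exit_rl() will later call blk_put_queue() for a reference that was never taken. If a failed get is impossible at these call sites, a comment saying why would help; otherwise destroy rl->rq_pool and return an error instead of continuing. The ordering in blk_exit_rl() is correct as written: mempool_destroy() runs the free callbacks that dereference q before blk_put_queue() can drop the last reference.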
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index 504fee940052..2ff8842f0dc1 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -809,7 +809,7 @@ static void blk_release_queue(struct kobject *kobj)
 
 	blk_free_queue_stats(q->stats);
 
-	blk_exit_rl(&q->root_rl);
+	blk_exit_rl(q, &q->root_rl);
 
 	if (q->queue_tags)
 		__blk_queue_free_tags(q);
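Review bot: this call runs from blk_release_queue(), that is after the queue's own refcount has already reached zero, so it relies on blk_exit_rl() skipping blk_put_queue() for &q->root_rl; a put here would underflow the refcount. That dependency is only visible by reading blk_exit_rl(), so a short comment at this site would keep a later change that makes blk_init_rl() take the reference unconditionally from silently breaking queue release.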
diff --git a/block/blk.h b/block/blk.h
index 2ed70228e44f..83c8e1100525 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -59,7 +59,7 @@ void blk_free_flush_queue(struct blk_flush_queue *q);
 
 int blk_init_rl(struct request_list *rl, struct request_queue *q,
 		gfp_t gfp_mask);
-void blk_exit_rl(struct request_list *rl);
+void blk_exit_rl(struct request_queue *q, struct request_list *rl);
 void blk_rq_bio_prep(struct request_queue *q, struct request *rq,
 			struct bio *bio);
 void blk_queue_bypass_start(struct request_queue *q);
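Review bot: the new prototype orders the arguments (q, rl) while blk_init_rl() directly above keeps (rl, q, gfp_mask); since both are internal to block/, using the same argument order for init and exit would read better, or at least a comment in blk.h noting that blk_exit_rl() needs q only to drop the reference blk_init_rl() takes for non-root lists.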
-- 
2.12.2
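
The RAX value 0x6b6b6b6b6b6b6b6b in the oops above is the SLUB POISON_FREE byte repeated across a word: free_request_size() loaded a field of a struct request_queue that the allocator had already freed and poisoned. The user-space C model below is an added example, not code from the patch or from the kernel, and it reproduces the lifetime rule the commit message states: the request list's teardown callback dereferences the queue, so whoever initializes the list must hold a queue reference until the list exits. All names (struct queue, queue_get, queue_put, init_rl, exit_rl, run_scenario, looks_like_slub_poison) are hypothetical stand-ins, and the model fails init_rl() when the get fails rather than only warning as the patch does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* include/linux/poison.h: SLUB fills freed objects with this byte when
 * poisoning is enabled, which is why the oops shows RAX = 0x6b6b6b6b6b6b6b6b. */
#define POISON_FREE 0x6b

/* Hypothetical stand-in for struct request_queue. */
struct queue {
	long refcount;
	unsigned long exit_rq_fn;  /* stands in for the callback pointer read at teardown */
};

/* Hypothetical stand-in for struct request_list. */
struct request_list {
	struct queue *q;
	bool has_pool;
	bool holds_ref;            /* set when init took a queue reference (the fix) */
};

static unsigned long poison_word(void)
{
	unsigned long v;
	memset(&v, POISON_FREE, sizeof v);
	return v;
}

/* A word made entirely of POISON_FREE bytes is the signature of a read from freed slab memory. */
static bool looks_like_slub_poison(unsigned long v)
{
	return v == poison_word();
}

/* Model of kfree() on the queue: poison instead of free so the memory stays inspectable. */
static void queue_free(struct queue *q)
{
	memset(q, POISON_FREE, sizeof *q);
}

static bool queue_get(struct queue *q)
{
	if (q->refcount <= 0)      /* like blk_get_queue() on a dying queue */
		return false;
	q->refcount++;
	return true;
}

static void queue_put(struct queue *q)
{
	if (--q->refcount == 0)
		queue_free(q);
}

/* Analogue of the mempool free callback: it must dereference q.
 * Returns 0 on a sane read, -1 if the value read is the slab poison (use-after-free). */
static int free_request_size(struct request_list *rl)
{
	return looks_like_slub_poison(rl->q->exit_rq_fn) ? -1 : 0;
}

/* blk_init_rl() analogue; 'fixed' selects the behaviour the patch adds. */
static int init_rl(struct request_list *rl, struct queue *q, bool fixed)
{
	rl->q = q;
	rl->has_pool = true;
	rl->holds_ref = false;
	if (fixed) {
		if (!queue_get(q)) {
			rl->has_pool = false;  /* model choice: fail instead of only warning */
			return -1;
		}
		rl->holds_ref = true;
	}
	return 0;
}

/* blk_exit_rl() analogue: tear down the pool first, then drop the queue reference. */
static int exit_rl(struct request_list *rl)
{
	int ret = 0;

	if (rl->has_pool) {
		ret = free_request_size(rl);  /* mempool_destroy() -> free callback path */
		rl->has_pool = false;
		if (rl->holds_ref)
			queue_put(rl->q);
	}
	return ret;
}

/* Ordering from the oops: the queue owner drops its last reference before the
 * blkg's request list is torn down from the RCU callback. */
static int run_scenario(bool fixed)
{
	struct queue q = { .refcount = 1, .exit_rq_fn = 0xc0de };  /* constructed sample */
	struct request_list rl;

	if (init_rl(&rl, &q, fixed))
		return -2;
	queue_put(&q);         /* without the fix this frees (poisons) q right here */
	return exit_rl(&rl);   /* 0: sane read; -1: read 0x6b6b... from freed memory */
}

int main(void)
{
	printf("without fix: %d\n", run_scenario(false));
	printf("with fix:    %d\n", run_scenario(true));
	return 0;
}
```

The model keeps the queue on the stack and poisons it instead of calling free(), so the stale read is observable as data rather than as a fault; in the kernel the same read produced the general protection fault in the trace because the poisoned word was used as a pointer.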

Thread overview: 48+ messages
2017-05-25 18:43 [PATCH 00/19] Block layer patches for kernel v4.13 Bart Van Assche
2017-05-25 18:43 ` Bart Van Assche [this message]
2017-05-26  6:01   ` [PATCH 01/19] block: Avoid that blk_exit_rl() triggers a use-after-free Christoph Hellwig
2017-05-25 18:43 ` [PATCH 02/19] block: Introduce queue flag QUEUE_FLAG_SCSI_PDU Bart Van Assche
2017-05-26  6:02   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 03/19] bsg: Check queue type before attaching to a queue Bart Van Assche
2017-05-26  6:02   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 04/19] pktcdvd: " Bart Van Assche
2017-05-26  6:03   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 05/19] cdrom: Check private request size " Bart Van Assche
2017-05-26  6:08   ` Christoph Hellwig
2017-05-26 15:50     ` Bart Van Assche
2017-05-28  8:32       ` hch
2017-05-25 18:43 ` [PATCH 06/19] nfsd: Check private request size before submitting a SCSI request Bart Van Assche
2017-05-25 18:48   ` J . Bruce Fields
2017-05-25 20:19     ` Bart Van Assche
2017-05-26  6:10       ` hch
2017-05-26 15:47         ` bfields
2017-05-26  6:10   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 07/19] scsi: Make scsi_ioctl_reset() pass the request queue pointer to blk_rq_init() Bart Van Assche
2017-05-25 18:43 ` [PATCH 08/19] block: Introduce request_queue.initialize_rq_fn() Bart Van Assche
2017-05-26  6:34   ` Christoph Hellwig
2017-05-26 23:56     ` Bart Van Assche
2017-05-28  8:34       ` hch
2017-05-28 16:12         ` Bart Van Assche
2017-05-28  8:37   ` Christoph Hellwig
2017-05-30 17:54     ` Bart Van Assche
2017-05-25 18:43 ` [PATCH 09/19] block: Make scsi_req_init() calls implicit Bart Van Assche
2017-05-28  8:38   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 10/19] blk-mq: Change blk_mq_hw_ctx.queue_rq_srcu into an array Bart Van Assche
2017-05-28  8:39   ` Christoph Hellwig
2017-05-28 16:36     ` Bart Van Assche
2017-05-25 18:43 ` [PATCH 11/19] blk-mq: Reduce blk_mq_hw_ctx size Bart Van Assche
2017-05-28  8:40   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 12/19] blk-mq: Initialize a request before assigning a tag Bart Van Assche
2017-05-28  8:42   ` Christoph Hellwig
2017-05-28 16:17     ` Bart Van Assche
2017-05-25 18:43 ` [PATCH 13/19] blk-mq: Fix the comment above blk_mq_quiesce_queue() Bart Van Assche
2017-05-28  8:42   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 14/19] block: Add a comment above queue_lockdep_assert_held() Bart Van Assche
2017-05-28  8:42   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 15/19] block: Check locking assumptions at runtime Bart Van Assche
2017-05-25 18:43 ` [PATCH 16/19] block: Document what queue type each function is intended for Bart Van Assche
2017-05-25 18:43 ` [PATCH 17/19] blk-mq: Document locking assumptions Bart Van Assche
2017-05-25 18:43 ` [PATCH 18/19] block: Constify disk_type Bart Van Assche
2017-05-28  8:43   ` Christoph Hellwig
2017-05-25 18:43 ` [PATCH 19/19] block: Make request operation type argument declarations consistent Bart Van Assche
2017-05-28  8:43   ` Christoph Hellwig
