linux-block.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] block: mtip32xx: set the pointer of queue to null after cleaning
@ 2021-06-20 12:19 Zheyu Ma
  2021-06-21  6:16 ` Christoph Hellwig
  0 siblings, 1 reply; 3+ messages in thread
From: Zheyu Ma @ 2021-06-20 12:19 UTC (permalink / raw)
  To: axboe, liushixin2, bhelgaas, lee.jones, ulf.hansson, guoqing.jiang
  Cc: linux-block, linux-kernel, Zheyu Ma

When 'mtip_block_initialize' fails at 'mtip_hw_get_identify', a series
of cleanup operations will be performed. But when the execution reaches
'put_disk', it will cause refcount underflow. The reason for this error
is that after cleaning 'dd->queue', 'dd->disk->queue' was not set to
null at the same time, which caused repeated cleanup work.

Fix this by set 'dd->disk->queue' to null after cleaning

This log reveals it:

[   59.590163] refcount_t: underflow; use-after-free.
[   59.591650] Modules linked in:
[   59.591867] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #137
[   59.592407] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   59.593178] RIP: 0010:refcount_warn_saturate+0x140/0x150
[   59.593551] Code: 05 d1 3b dd 04 01 e8 af d4 5f ff 0f 0b e9 13 ff ff ff e8 b3 75 73 ff 48 c7 c7 30 31 df 85 c6 05 b4 3b dd 04 01 e8 90 d4 5f ff <0f> 0b e9 f4 fe ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55
[   59.594942] RSP: 0000:ffffc90000017918 EFLAGS: 00010286
[   59.595357] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[   59.595858] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
[   59.596346] RBP: ffffc90000017928 R08: 0000000000000001 R09: 0000000000000001
[   59.596926] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888105494270
[   59.597429] R13: ffff888105494270 R14: ffffffff82498b30 R15: 0000000000000000
[   59.597931] FS:  0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000
[   59.598500] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.598899] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
[   59.599401] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   59.599900] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   59.600400] Call Trace:
[   59.600579]  kobject_put+0x1b0/0x2e0
[   59.600839]  ? dev_attr_show+0x70/0x70
[   59.601112]  blk_put_queue+0x19/0x20
[   59.601372]  disk_release+0xb7/0xf0
[   59.601628]  ? show_partition_start+0x80/0x80
[   59.601943]  device_release+0x40/0xd0
[   59.602207]  kobject_put+0x10b/0x2e0
[   59.602468]  put_device+0x1f/0x30
[   59.602708]  put_disk+0x2a/0x40
[   59.602938]  mtip_block_initialize+0x35f/0x1570
[   59.603264]  ? __pci_enable_msi_range+0x32c/0x470
[   59.603606]  mtip_pci_probe+0x92a/0xc80
[   59.603899]  local_pci_probe+0x4a/0xb0
[   59.604173]  pci_device_probe+0x126/0x1d0
[   59.604478]  ? pci_device_remove+0x100/0x100
[   59.604790]  really_probe+0x27e/0x650
[   59.605059]  driver_probe_device+0x84/0x1d0
[   59.605359]  ? mutex_lock_nested+0x16/0x20
[   59.605660]  device_driver_attach+0x63/0x70
[   59.605963]  __driver_attach+0x117/0x1a0
[   59.606247]  ? device_driver_attach+0x70/0x70
[   59.606607]  bus_for_each_dev+0xb6/0x110
[   59.606919]  ? rdinit_setup+0x40/0x40
[   59.607177]  driver_attach+0x22/0x30
[   59.607431]  bus_add_driver+0x1e6/0x2a0
[   59.607703]  driver_register+0xa4/0x180
[   59.607974]  __pci_register_driver+0x77/0x80
[   59.608273]  ? drbd_debugfs_init+0x78/0x78
[   59.608560]  mtip_init+0x15c/0x18f
[   59.608820]  do_one_initcall+0x7a/0x3d0
[   59.609140]  ? rdinit_setup+0x40/0x40
[   59.609464]  ? rcu_read_lock_sched_held+0x4a/0x70
[   59.609879]  kernel_init_freeable+0x2a7/0x2f9
[   59.610268]  ? rest_init+0x2c0/0x2c0
[   59.610561]  kernel_init+0x13/0x180
[   59.610807]  ? rest_init+0x2c0/0x2c0
[   59.611058]  ? rest_init+0x2c0/0x2c0
[   59.611312]  ret_from_fork+0x1f/0x30
[   59.611574] Kernel panic - not syncing: panic_on_warn set ...
[   59.611973] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #137
[   59.612514] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   59.613303] Call Trace:
[   59.613476]  dump_stack+0xba/0xf5
[   59.613718]  ? refcount_warn_saturate+0x140/0x150
[   59.614055]  panic+0x155/0x3ed
[   59.614281]  ? __warn+0xed/0x150
[   59.614468]  ? refcount_warn_saturate+0x140/0x150
[   59.614468]  __warn+0x103/0x150
[   59.614468]  ? refcount_warn_saturate+0x140/0x150
[   59.614468]  report_bug+0x119/0x1c0
[   59.614468]  handle_bug+0x3b/0x80
[   59.614468]  exc_invalid_op+0x18/0x70
[   59.614468]  asm_exc_invalid_op+0x12/0x20
[   59.614468] RIP: 0010:refcount_warn_saturate+0x140/0x150
[   59.614468] Code: 05 d1 3b dd 04 01 e8 af d4 5f ff 0f 0b e9 13 ff ff ff e8 b3 75 73 ff 48 c7 c7 30 31 df 85 c6 05 b4 3b dd 04 01 e8 90 d4 5f ff <0f> 0b e9 f4 fe ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55
[   59.614468] RSP: 0000:ffffc90000017918 EFLAGS: 00010286
[   59.614468] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[   59.614468] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
[   59.614468] RBP: ffffc90000017928 R08: 0000000000000001 R09: 0000000000000001
[   59.614468] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888105494270
[   59.614468] R13: ffff888105494270 R14: ffffffff82498b30 R15: 0000000000000000
[   59.614468]  ? dev_attr_show+0x70/0x70
[   59.614468]  ? vprintk_func+0x71/0x110
[   59.614468]  ? refcount_warn_saturate+0x140/0x150
[   59.614468]  kobject_put+0x1b0/0x2e0
[   59.614468]  ? dev_attr_show+0x70/0x70
[   59.614468]  blk_put_queue+0x19/0x20
[   59.614468]  disk_release+0xb7/0xf0
[   59.614468]  ? show_partition_start+0x80/0x80
[   59.614468]  device_release+0x40/0xd0
[   59.614468]  kobject_put+0x10b/0x2e0
[   59.614468]  put_device+0x1f/0x30
[   59.614468]  put_disk+0x2a/0x40
[   59.614468]  mtip_block_initialize+0x35f/0x1570
[   59.614468]  ? __pci_enable_msi_range+0x32c/0x470
[   59.614468]  mtip_pci_probe+0x92a/0xc80
[   59.614468]  local_pci_probe+0x4a/0xb0
[   59.614468]  pci_device_probe+0x126/0x1d0
[   59.614468]  ? pci_device_remove+0x100/0x100
[   59.614468]  really_probe+0x27e/0x650
[   59.614468]  driver_probe_device+0x84/0x1d0
[   59.614468]  ? mutex_lock_nested+0x16/0x20
[   59.614468]  device_driver_attach+0x63/0x70
[   59.614468]  __driver_attach+0x117/0x1a0
[   59.614468]  ? device_driver_attach+0x70/0x70
[   59.614468]  bus_for_each_dev+0xb6/0x110
[   59.614468]  ? rdinit_setup+0x40/0x40
[   59.614468]  driver_attach+0x22/0x30
[   59.614468]  bus_add_driver+0x1e6/0x2a0
[   59.614468]  driver_register+0xa4/0x180
[   59.614468]  __pci_register_driver+0x77/0x80
[   59.614468]  ? drbd_debugfs_init+0x78/0x78
[   59.614468]  mtip_init+0x15c/0x18f
[   59.614468]  do_one_initcall+0x7a/0x3d0
[   59.614468]  ? rdinit_setup+0x40/0x40
[   59.614468]  ? rcu_read_lock_sched_held+0x4a/0x70
[   59.614468]  kernel_init_freeable+0x2a7/0x2f9
[   59.614468]  ? rest_init+0x2c0/0x2c0
[   59.614468]  kernel_init+0x13/0x180
[   59.614468]  ? rest_init+0x2c0/0x2c0
[   59.614468]  ? rest_init+0x2c0/0x2c0
[   59.614468]  ret_from_fork+0x1f/0x30
[   59.614468] Dumping ftrace buffer:
[   59.614468]    (ftrace buffer empty)
[   59.614468] Kernel Offset: disabled
[   59.614468] Rebooting in 1 seconds..

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/block/mtip32xx/mtip32xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 589cb0f1e030..305be06868df 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -3726,6 +3726,7 @@ static int mtip_block_initialize(struct driver_data *dd)
 read_capacity_error:
 init_hw_cmds_error:
 	blk_cleanup_queue(dd->queue);
+	dd->disk->queue = NULL;
 block_queue_alloc_init_error:
 	blk_mq_free_tag_set(&dd->tags);
 block_queue_alloc_tag_error:
-- 
2.17.6


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] block: mtip32xx: set the pointer of queue to null after cleaning
  2021-06-20 12:19 [PATCH] block: mtip32xx: set the pointer of queue to null after cleaning Zheyu Ma
@ 2021-06-21  6:16 ` Christoph Hellwig
  2021-06-21  7:50   ` Zheyu Ma
  0 siblings, 1 reply; 3+ messages in thread
From: Christoph Hellwig @ 2021-06-21  6:16 UTC (permalink / raw)
  To: Zheyu Ma
  Cc: axboe, liushixin2, bhelgaas, lee.jones, ulf.hansson,
	guoqing.jiang, linux-block, linux-kernel

On Sun, Jun 20, 2021 at 12:19:17PM +0000, Zheyu Ma wrote:
> When 'mtip_block_initialize' fails at 'mtip_hw_get_identify', a series
> of cleanup operations will be performed. But when the execution reaches
> 'put_disk', it will cause refcount underflow. The reason for this error
> is that after cleaning 'dd->queue', 'dd->disk->queue' was not set to
> null at the same time, which caused repeated cleanup work.
> 
> Fix this by set 'dd->disk->queue' to null after cleaning

This should all be fixed by the switch to blk_cleanup_disk and the
preparation for it in linux-next.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] block: mtip32xx: set the pointer of queue to null after cleaning
  2021-06-21  6:16 ` Christoph Hellwig
@ 2021-06-21  7:50   ` Zheyu Ma
  0 siblings, 0 replies; 3+ messages in thread
From: Zheyu Ma @ 2021-06-21  7:50 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: axboe, liushixin2, Bjorn Helgaas, Lee Jones, Ulf Hansson,
	guoqing.jiang, linux-block, Linux Kernel Mailing List

On Mon, Jun 21, 2021 at 2:16 PM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Sun, Jun 20, 2021 at 12:19:17PM +0000, Zheyu Ma wrote:
> > When 'mtip_block_initialize' fails at 'mtip_hw_get_identify', a series
> > of cleanup operations will be performed. But when the execution reaches
> > 'put_disk', it will cause refcount underflow. The reason for this error
> > is that after cleaning 'dd->queue', 'dd->disk->queue' was not set to
> > null at the same time, which caused repeated cleanup work.
> >
> > Fix this by set 'dd->disk->queue' to null after cleaning
>
> This should all be fixed by the switch to blk_cleanup_disk and the
> preparation for it in linux-next.

Thanks for your reply, I have switched to the linux-next branch.

Best regards,
Zheyu Ma

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-06-21  7:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-20 12:19 [PATCH] block: mtip32xx: set the pointer of queue to null after cleaning Zheyu Ma
2021-06-21  6:16 ` Christoph Hellwig
2021-06-21  7:50   ` Zheyu Ma

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).