linux-block.vger.kernel.org archive mirror
* [PATCH AUTOSEL 5.10 5/8] blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
       [not found] <20210917023437.816574-1-sashal@kernel.org>
@ 2021-09-17  2:34 ` Sasha Levin
  2021-09-17  2:34 ` [PATCH AUTOSEL 5.10 6/8] blk-mq: allow 4x BLK_MAX_REQUEST_COUNT at blk_plug for multiple_queues Sasha Levin
  1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2021-09-17  2:34 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Li Jinlin, Jens Axboe, Sasha Levin, tj, cgroups, linux-block

From: Li Jinlin <lijinlin3@huawei.com>

[ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ]

The pending timer has been set up in blk_throtl_init(). However, the
timer is not deleted in blk_throtl_exit(). This means that the timer
handler may still be running after freeing the timer, which would
result in a use-after-free.

Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit().

Signed-off-by: Li Jinlin <lijinlin3@huawei.com>
Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-throttle.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index b771c4299982..7ada49a174bf 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -2420,6 +2420,7 @@ int blk_throtl_init(struct request_queue *q)
 void blk_throtl_exit(struct request_queue *q)
 {
 	BUG_ON(!q->td);
+	del_timer_sync(&q->td->service_queue.pending_timer);
 	throtl_shutdown_wq(q);
 	blkcg_deactivate_policy(q, &blkcg_policy_throtl);
 	free_percpu(q->td->latency_buckets[READ]);
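Review bot: the new del_timer_sync() call at the top of blk_throtl_exit() waits for a running handler to finish, but neither the hunk nor the changelog says what keeps pending_timer from being re-armed between this call and the frees that follow. Please add a short comment stating why no new arming can happen at this point, and why the call has to come before throtl_shutdown_wq(q) rather than after it, so the ordering is not silently changed later. It would also help to confirm in the changelog that service_queue.pending_timer is the only timer owned by q->td that needs this treatment on exit.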
-- 
2.30.2



* [PATCH AUTOSEL 5.10 6/8] blk-mq: allow 4x BLK_MAX_REQUEST_COUNT at blk_plug for multiple_queues
       [not found] <20210917023437.816574-1-sashal@kernel.org>
  2021-09-17  2:34 ` [PATCH AUTOSEL 5.10 5/8] blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() Sasha Levin
@ 2021-09-17  2:34 ` Sasha Levin
  1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2021-09-17  2:34 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Song Liu, Marcin Wanat, Jens Axboe, Sasha Levin, linux-block

From: Song Liu <songliubraving@fb.com>

[ Upstream commit 7f2a6a69f7ced6db8220298e0497cf60482a9d4b ]

Limiting the number of requests to BLK_MAX_REQUEST_COUNT at blk_plug hurts
performance for large md arrays. [1] shows that the resync speed of an md
array drops for md arrays with more than 16 HDDs.

Fix this by allowing more requests in the plug queue. The multiple_queue flag
is used to apply the higher limit only to multiple queue cases.

[1] https://lore.kernel.org/linux-raid/CAFDAVznS71BXW8Jxv6k9dXc2iR3ysX3iZRBww_rzA8WifBFxGg@mail.gmail.com/
Tested-by: Marcin Wanat <marcin.wanat@gmail.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 9e3fedbaa644..6dcb86c1c985 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2109,6 +2109,18 @@ static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq)
 	}
 }
 
+/*
+ * Allow 4x BLK_MAX_REQUEST_COUNT requests on plug queue for multiple
+ * queues. This is important for md arrays to benefit from merging
+ * requests.
+ */
+static inline unsigned short blk_plug_max_rq_count(struct blk_plug *plug)
+{
+	if (plug->multiple_queues)
+		return BLK_MAX_REQUEST_COUNT * 4;
+	return BLK_MAX_REQUEST_COUNT;
+}
+
 /**
  * blk_mq_submit_bio - Create and send a request to block device.
  * @bio: Bio pointer.
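Review bot: the multiplier in blk_plug_max_rq_count() is a bare 4 with no stated rationale; the comment says the higher limit matters for md arrays but not why 4x rather than another factor. Consider a named constant next to BLK_MAX_REQUEST_COUNT with a line on how the value was chosen. The helper only reads plug->multiple_queues, so the parameter can be const struct blk_plug *, and since the return type is unsigned short it is worth a note (or a build-time check) that BLK_MAX_REQUEST_COUNT * 4 stays within that range if the base constant is ever raised.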
@@ -2202,7 +2214,7 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio)
 		else
 			last = list_entry_rq(plug->mq_list.prev);
 
-		if (request_count >= BLK_MAX_REQUEST_COUNT || (last &&
+		if (request_count >= blk_plug_max_rq_count(plug) || (last &&
 		    blk_rq_bytes(last) >= BLK_PLUG_FLUSH_SIZE)) {
 			blk_flush_plug_list(plug, false);
 			trace_block_plug(q);
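Review bot: in the flush condition, the byte-size check still looks only at the last request (blk_rq_bytes(last) >= BLK_PLUG_FLUSH_SIZE), so for plugs with multiple_queues set the count limit is now the only bound on how much accumulates before blk_flush_plug_list(), and that bound is four times larger. The changelog reports md resync results only; please say whether latency or memory held in the plug was checked for other multi-queue users, or note that it was not. Also confirm request_count has a type that compares cleanly against the helper's unsigned short return.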
-- 
2.30.2


