From: Jens Axboe <axboe@kernel.dk>
To: Linux regressions mailing list <regressions@lists.linux.dev>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	io-uring@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	"Sergey V." <truesmb@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [regression] Bug 216932 - io_uring with libvirt cause kernel NULL pointer dereference since 6.1.5
Date: Mon, 16 Jan 2023 07:13:40 -0700	[thread overview]
Message-ID: <a862915b-66f3-9ad8-77d4-4b9ce7044037@kernel.dk> (raw)
In-Reply-To: <c5632908-1b0f-af1f-4754-bf1d0027a6dc@kernel.dk>

On 1/16/23 6:42 AM, Jens Axboe wrote:
> On 1/16/23 6:17 AM, Linux kernel regression tracking (Thorsten Leemhuis) wrote:
>> Hi, this is your Linux kernel regression tracker.
>>
>> I noticed a regression report in bugzilla.kernel.org. As many (most?)
>> kernel developers don't keep an eye on it, I decided to forward it by
>> mail. Quoting from https://bugzilla.kernel.org/show_bug.cgi?id=216932 :
> 
> Looks like:
> 
> commit 6d47e0f6a535701134d950db65eb8fe1edf0b575
> Author: Jens Axboe <axboe@kernel.dk>
> Date:   Wed Jan 4 08:52:06 2023 -0700
> 
>     block: don't allow splitting of a REQ_NOWAIT bio
> 
> got picked up by stable, but not the required prep patch:
> 
> 
> commit 613b14884b8595e20b9fac4126bf627313827fbe
> Author: Jens Axboe <axboe@kernel.dk>
> Date:   Wed Jan 4 08:51:19 2023 -0700
> 
>     block: handle bio_split_to_limits() NULL return
> 
> Greg/team, can you pick the latter too? It'll pick cleanly for
> 6.1-stable, not sure how far back the other patch has gone yet.

Looked back, and 5.15 has it too, but the cherry-pick won't work
on that kernel.

Here's one for 5.15-stable that I verified crashes before this one,
and works with it. Haven't done an allmodconfig yet...

-- 
Jens Axboe


[-- Attachment #2: 0001-block-handle-bio_split_to_limits-NULL-return.patch --]
[-- Type: text/x-patch, Size: 4561 bytes --]

From 850091593128cdbc72ce0f06ff35665d7d708a5f Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Mon, 16 Jan 2023 07:11:04 -0700
Subject: [PATCH] block: handle bio_split_to_limits() NULL return

commit 613b14884b8595e20b9fac4126bf627313827fbe upstream.

This can't happen right now, but in preparation for allowing
bio_split_to_limits() returning NULL if it ended the bio, check for it
in all the callers.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
 block/blk-merge.c             | 4 +++-
 block/blk-mq.c                | 2 ++
 drivers/block/drbd/drbd_req.c | 2 ++
 drivers/block/pktcdvd.c       | 2 ++
 drivers/block/ps3vram.c       | 2 ++
 drivers/block/rsxx/dev.c      | 2 ++
 drivers/md/md.c               | 2 ++
 drivers/nvme/host/multipath.c | 2 ++
 drivers/s390/block/dcssblk.c  | 2 ++
 9 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/block/blk-merge.c b/block/blk-merge.c
index bb26db93ad1d..d1435b657297 100644
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -348,11 +348,13 @@ void __blk_queue_split(struct bio **bio, unsigned int *nr_segs)
 			break;
 		}
 		split = blk_bio_segment_split(q, *bio, &q->bio_split, nr_segs);
+		if (IS_ERR(split))
+			*bio = split = NULL;
 		break;
 	}
 
 	if (split) {
-		/* there isn't chance to merge the splitted bio */
+		/* there isn't chance to merge the split bio */
 		split->bi_opf |= REQ_NOMERGE;
 
 		bio_chain(split, *bio);
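Review bot: the new `if (IS_ERR(split)) *bio = split = NULL;` silently relies on blk_bio_segment_split() having already ended the bio on its error path, because once both pointers are NULL the `if (split)` block below is skipped and nothing in this function completes anything; a one-line comment at the assignment stating that contract, and that every caller must now test `*bio` for NULL after `__blk_queue_split()`/`blk_queue_split()`, would make the rest of this series self-explanatory. The IS_ERR test is also what keeps an error pointer from reaching `bio_chain(split, *bio)` further down, so it must stay ahead of the `break`.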
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 1a28ba9017ed..9f53b4caf977 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2193,6 +2193,8 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio)
 
 	blk_queue_bounce(q, &bio);
 	__blk_queue_split(&bio, &nr_segs);
+	if (!bio)
+		goto queue_exit;
 
 	if (!bio_integrity_prep(bio))
 		goto queue_exit;
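Review bot: taking `goto queue_exit` rather than a bare `return` is the consistent choice for the NULL path, since the `bio_integrity_prep()` failure two lines below already leaves through the same label after the bio has been consumed, so the queue reference taken earlier in blk_mq_submit_bio() is released the same way here; worth confirming that the code under `queue_exit` never dereferences `bio`, which is NULL on this new path, and that `nr_segs` is not read there either.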
diff --git a/drivers/block/drbd/drbd_req.c b/drivers/block/drbd/drbd_req.c
index 47e0d105b462..4281dc847bc2 100644
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -1602,6 +1602,8 @@ blk_qc_t drbd_submit_bio(struct bio *bio)
 	struct drbd_device *device = bio->bi_bdev->bd_disk->private_data;
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	/*
 	 * what we "blindly" assume:
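Review bot: `device` is loaded from `bio->bi_bdev->bd_disk->private_data` on the line above `blk_queue_split(&bio)`, so that dereference happens while `bio` is still valid and the new check only has to guard what follows; returning `BLK_QC_T_NONE` is right for a bio the split path has already ended, but the same two unexplained lines are repeated in every driver hunk in this patch, so a short comment here (e.g. `/* bio was ended by blk_queue_split() */`) would save the next reader a trip to blk-merge.c.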
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 0f26b2510a75..ca2ab977ef8e 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2407,6 +2407,8 @@ static blk_qc_t pkt_submit_bio(struct bio *bio)
 	struct bio *split;
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	pd = bio->bi_bdev->bd_disk->queue->queuedata;
 	if (!pd) {
diff --git a/drivers/block/ps3vram.c b/drivers/block/ps3vram.c
index c7b19e128b03..c79aa4d8ccf7 100644
--- a/drivers/block/ps3vram.c
+++ b/drivers/block/ps3vram.c
@@ -587,6 +587,8 @@ static blk_qc_t ps3vram_submit_bio(struct bio *bio)
 	dev_dbg(&dev->core, "%s\n", __func__);
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	spin_lock_irq(&priv->lock);
 	busy = !bio_list_empty(&priv->list);
diff --git a/drivers/block/rsxx/dev.c b/drivers/block/rsxx/dev.c
index 1cc40b0ea761..6b253d99bc48 100644
--- a/drivers/block/rsxx/dev.c
+++ b/drivers/block/rsxx/dev.c
@@ -127,6 +127,8 @@ static blk_qc_t rsxx_submit_bio(struct bio *bio)
 	blk_status_t st = BLK_STS_IOERR;
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	might_sleep();
 
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 59ab99844df8..9e54b865f30d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -458,6 +458,8 @@ static blk_qc_t md_submit_bio(struct bio *bio)
 	}
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	if (mddev->ro == 1 && unlikely(rw == WRITE)) {
 		if (bio_sectors(bio) != 0)
diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index fe199d568a4a..8d97b942de01 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -329,6 +329,8 @@ static blk_qc_t nvme_ns_head_submit_bio(struct bio *bio)
 	 * pool from the original queue to allocate the bvecs from.
 	 */
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	srcu_idx = srcu_read_lock(&head->srcu);
 	ns = nvme_find_path(head);
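Review bot: the early `return BLK_QC_T_NONE` is placed before `srcu_read_lock(&head->srcu)`, so no SRCU read-side critical section is left open on the NULL path; keep that ordering if this block is ever reshuffled, because a return after the lock would need the matching srcu_read_unlock(). The comment ending in "pool from the original queue to allocate the bvecs from." explains why the split is done here and could mention the NULL outcome in the same breath.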
diff --git a/drivers/s390/block/dcssblk.c b/drivers/s390/block/dcssblk.c
index 5be3d1c39a78..54176c073547 100644
--- a/drivers/s390/block/dcssblk.c
+++ b/drivers/s390/block/dcssblk.c
@@ -866,6 +866,8 @@ dcssblk_submit_bio(struct bio *bio)
 	unsigned long bytes_done;
 
 	blk_queue_split(&bio);
+	if (!bio)
+		return BLK_QC_T_NONE;
 
 	bytes_done = 0;
 	dev_info = bio->bi_bdev->bd_disk->private_data;
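Review bot: the check lands before `dev_info = bio->bi_bdev->bd_disk->private_data`, so the first dereference in this function is guarded; however the hunk header only shows `dcssblk_submit_bio(struct bio *bio)` with the return type on the preceding line, so confirm that this function still returns blk_qc_t in 5.15 and that `BLK_QC_T_NONE` (rather than `void`) is the correct return for this backport.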
-- 
2.39.0

