github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
7d172b9dc9
linux/block
History
Jan Kara 7d172b9dc9 bfq: Avoid merging queues with different parents 
commit c1cee4ab36 upstream.

It can happen that the parent of a bfqq changes between the moment we
decide two queues are worth to merge (and set bic->stable_merge_bfqq)
and the moment bfq_setup_merge() is called. This can happen e.g. because
the process submitted IO for a different cgroup and thus bfqq got
reparented. It can even happen that the bfqq we are merging with has
parent cgroup that is already offline and going to be destroyed in which
case the merge can lead to use-after-free issues such as:

BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544

CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G            E     5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x46/0x5a
 print_address_description.constprop.0+0x1f/0x140
 ? __bfq_deactivate_entity+0x9cb/0xa50
 kasan_report.cold+0x7f/0x11b
 ? __bfq_deactivate_entity+0x9cb/0xa50
 __bfq_deactivate_entity+0x9cb/0xa50
 ? update_curr+0x32f/0x5d0
 bfq_deactivate_entity+0xa0/0x1d0
 bfq_del_bfqq_busy+0x28a/0x420
 ? resched_curr+0x116/0x1d0
 ? bfq_requeue_bfqq+0x70/0x70
 ? check_preempt_wakeup+0x52b/0xbc0
 __bfq_bfqq_expire+0x1a2/0x270
 bfq_bfqq_expire+0xd16/0x2160
 ? try_to_wake_up+0x4ee/0x1260
 ? bfq_end_wr_async_queues+0xe0/0xe0
 ? _raw_write_unlock_bh+0x60/0x60
 ? _raw_spin_lock_irq+0x81/0xe0
 bfq_idle_slice_timer+0x109/0x280
 ? bfq_dispatch_request+0x4870/0x4870
 __hrtimer_run_queues+0x37d/0x700
 ? enqueue_hrtimer+0x1b0/0x1b0
 ? kvm_clock_get_cycles+0xd/0x10
 ? ktime_get_update_offsets_now+0x6f/0x280
 hrtimer_interrupt+0x2c8/0x740

Fix the problem by checking that the parent of the two bfqqs we are
merging in bfq_setup_merge() is the same.

Link: https://lore.kernel.org/linux-block/20211125172809.GC19572@quack2.suse.cz/
CC: stable@vger.kernel.org
Fixes: 430a67f9d6 ("block, bfq: merge bursts of newly-created queues")
Tested-by: "yukuai (C)" <yukuai3@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20220401102752.8599-2-jack@suse.cz
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-09 10:21:30 +02:00
..
partitions partitions: msdos: fix one-byte get_unaligned() 2021-07-20 16:05:39 +02:00
badblocks.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bfq-cgroup.c bfq: Track whether bfq_group is still online 2022-06-09 10:21:22 +02:00
bfq-iosched.c bfq: Avoid merging queues with different parents 2022-06-09 10:21:30 +02:00
bfq-iosched.h bfq: Track whether bfq_group is still online 2022-06-09 10:21:22 +02:00
bfq-wf2q.c bfq: fix blkio cgroup leakage v4 2020-08-18 07:48:08 -07:00
bio-integrity.c block: bio-integrity: Advance seed correctly for larger interval sizes 2022-02-08 18:30:35 +01:00
bio.c block: Fix wrong offset in bio_truncate() 2022-02-01 17:25:48 +01:00
blk-cgroup-rwstat.c blk-cgroup: Fix the recursive blkg rwstat 2021-03-30 14:31:48 +02:00
blk-cgroup-rwstat.h
blk-cgroup.c blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd 2021-09-30 10:11:07 +02:00
blk-core.c blkcg: Remove extra blkcg_bio_issue_init 2021-11-26 10:39:13 +01:00
blk-crypto-fallback.c
blk-crypto-internal.h block: make blk_crypto_rq_bio_prep() able to fail 2020-10-05 10:47:43 -06:00
blk-crypto.c blk-crypto: fix check for too-large dun_bytes 2021-09-15 09:50:30 +02:00
blk-exec.c
blk-flush.c block: Fix fsync always failed if once failed 2022-01-27 10:54:30 +01:00
blk-integrity.c block: flush the integrity workqueue in blk_integrity_unregister 2021-09-30 10:11:06 +02:00
blk-ioc.c
blk-iocost.c iocost: don't reset the inuse weight of under-weighted debtors 2022-05-09 09:05:00 +02:00
blk-iolatency.c blk-iolatency: Fix inflight count imbalances and IO hangs on offline 2022-06-09 10:21:29 +02:00
blk-lib.c block: add a bdev_is_partition helper 2020-09-25 08:18:57 -06:00
blk-map.c block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern 2022-05-12 12:25:45 +02:00
blk-merge.c block: don't merge across cgroup boundaries if blkcg is enabled 2022-04-08 14:39:55 +02:00
blk-mq-cpumap.c blk-mq: remove the calling of local_memory_node() 2020-10-20 07:08:17 -06:00
blk-mq-debugfs-zoned.c
blk-mq-debugfs.c block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output 2021-10-27 09:56:46 +02:00
blk-mq-debugfs.h
blk-mq-pci.c
blk-mq-rdma.c
blk-mq-sched.c block: limit request dispatch loop duration 2022-04-08 14:39:55 +02:00
blk-mq-sched.h block-5.10-2020-10-12 2020-10-13 12:12:44 -07:00
blk-mq-sysfs.c blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue 2020-10-09 12:46:28 -06:00
blk-mq-tag.c blk-mq: avoid to iterate over stale request 2021-09-30 10:11:05 +02:00
blk-mq-tag.h blk-mq: clear stale request in tags->rq[] before freeing one request pool 2021-07-14 16:55:58 +02:00
blk-mq-virtio.c
blk-mq.c block: remove inaccurate requeue check 2021-11-18 14:03:58 +01:00
blk-mq.h blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter 2021-07-14 16:55:58 +02:00
blk-pm.c scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume() 2022-01-27 10:54:08 +01:00
blk-pm.h scsi: block: Do not accept any requests while suspended 2021-01-12 20:18:17 +01:00
blk-rq-qos.c rq-qos: fix missed wake-ups in rq_qos_throttle try two 2021-07-19 09:45:00 +02:00
blk-rq-qos.h block: fix race between adding/removing rq qos and normal IO 2021-07-14 16:56:00 +02:00
blk-settings.c blk-settings: align max_sectors on "logical_block_size" boundary 2021-03-04 11:38:22 +01:00
blk-stat.c blk-stat: make q->stats->lock irqsafe 2020-09-01 16:48:46 -06:00
blk-stat.h
blk-sysfs.c block: don't delete queue kobject before its children 2022-04-08 14:40:00 +02:00
blk-throttle.c blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() 2021-09-26 14:09:01 +02:00
blk-timeout.c
blk-wbt.c blk-wbt: make sure throttle is enabled properly 2021-07-14 16:56:12 +02:00
blk-wbt.h blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() 2021-07-14 16:56:12 +02:00
blk-zoned.c blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN 2021-09-18 13:40:06 +02:00
blk.h block: bump max plugged deferred size from 16 to 32 2021-11-18 14:03:57 +01:00
bounce.c block: make bio_crypt_clone() able to fail 2020-10-05 10:47:43 -06:00
bsg-lib.c block: drop double zeroing 2020-09-23 09:18:13 -06:00
bsg.c scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND 2021-09-18 13:40:11 +02:00
cmdline-parser.c
elevator.c block/wbt: fix negative inflight counter when remove scsi device 2022-02-23 12:01:04 +01:00
genhd.c block: Suppress uevent for hidden device when removed 2021-03-30 14:31:52 +02:00
ioctl.c block/compat_ioctl: fix range check in BLKGETSIZE 2022-04-27 13:53:57 +02:00
ioprio.c block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) 2021-12-14 11:32:40 +01:00
Kconfig blk-wbt: Remove obsolete multiqueue I/O scheduling comment 2020-09-01 16:49:26 -06:00
Kconfig.iosched
keyslot-manager.c block/keyslot-manager: prevent crash when num_slots=1 2020-11-20 11:52:52 -07:00
kyber-iosched.c kyber: fix out of bounds access when preempted 2021-05-19 10:13:13 +02:00
Makefile
mq-deadline.c block: return ELEVATOR_DISCARD_MERGE if possible 2021-09-15 09:50:28 +02:00
opal_proto.h
scsi_ioctl.c drivers-5.10-2020-10-12 2020-10-13 13:04:41 -07:00
sed-opal.c
t10-pi.c