From e7fceb35f255831edd789d5c0a2a9e11d97df007 Mon Sep 17 00:00:00 2001 From: Cen Zhang Date: Sun, 21 Jun 2026 21:59:16 +0800 Subject: [PATCH] blk-iolatency: flush enable work after policy deactivation A blk-iolatency rq-qos teardown can free struct blk_iolatency while a freshly queued enable_work callback still references it. The observed failure is: blkcg_iolatency_exit() flushes enable_work before deactivating the iolatency policy. However, blkcg_deactivate_policy() calls iolatency_pd_offline() for online policy data, and iolatency_pd_offline() clears min_lat_nsec through iolatency_set_min_lat_nsec(). If this clears the last nonzero latency target, enable_cnt reaches zero and schedules enable_work again after the flush has already returned. The buggy scenario involves two paths, with each column showing the order within that path: blkcg_iolatency_exit() path: system_wq worker path: 1. Flush old enable_work. 1. enable_work is idle. 2. Deactivate the policy. 2. no worker owns it. 3. Offline queues new enable_work. 3. work item becomes pending. 4. Free blkiolat. 4. worker later runs the item. 5. Owner storage is gone. 5. worker dereferences blkiolat. Flush enable_work again after blkcg_deactivate_policy() returns and before freeing blkiolat. Policy offline callbacks have completed at that point, so the second drain covers the late queueing path without changing the normal enable/disable accounting rules. Validation reproduced this kernel report: BUG: KASAN: slab-use-after-free in assign_work+0x2a/0x150 Call Trace: dump_stack_lvl+0x53/0x70 print_report+0xd0/0x630 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? __virt_addr_valid+0xea/0x1a0 ? assign_work+0x2a/0x150 kasan_report+0xce/0x100 ? assign_work+0x2a/0x150 assign_work+0x2a/0x150 worker_thread+0x1b7/0x500 ? __pfx_worker_thread+0x10/0x10 kthread+0x192/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2ac/0x3c0 ? __pfx_ret_from_fork+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? __switch_to+0x2d5/0x6e0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 470: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 iolatency_set_limit+0x301/0x450 cgroup_file_write+0x178/0x2e0 kernfs_fop_write_iter+0x1ef/0x290 vfs_write+0x446/0x6f0 ksys_write+0xc7/0x160 do_syscall_64+0xf9/0x540 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 611: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x131/0x390 rq_qos_exit+0x5d/0x90 __del_gendisk+0x394/0x490 del_gendisk+0xa1/0xe0 virtblk_remove+0x41/0xd0 virtio_dev_remove+0x63/0xe0 device_release_driver_internal+0x246/0x2e0 unbind_store+0xa9/0xb0 kernfs_fop_write_iter+0x1ef/0x290 vfs_write+0x446/0x6f0 ksys_write+0xc7/0x160 do_syscall_64+0xf9/0x540 entry_SYSCALL_64_after_hwframe+0x77/0x7f Last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __queue_work+0x42a/0x800 queue_work_on+0x5d/0x70 iolatency_set_min_lat_nsec+0x196/0x230 iolatency_pd_offline+0x1f/0x40 blkcg_deactivate_policy+0x194/0x270 blkcg_iolatency_exit+0x33/0x40 rq_qos_exit+0x5d/0x90 __del_gendisk+0x394/0x490 del_gendisk+0xa1/0xe0 virtblk_remove+0x41/0xd0 virtio_dev_remove+0x63/0xe0 device_release_driver_internal+0x246/0x2e0 unbind_store+0xa9/0xb0 kernfs_fop_write_iter+0x1ef/0x290 vfs_write+0x446/0x6f0 ksys_write+0xc7/0x160 do_syscall_64+0xf9/0x540 entry_SYSCALL_64_after_hwframe+0x77/0x7f Second to last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __queue_work+0x42a/0x800 queue_work_on+0x5d/0x70 iolatency_set_min_lat_nsec+0x196/0x230 iolatency_set_limit+0x3f1/0x450 cgroup_file_write+0x178/0x2e0 kernfs_fop_write_iter+0x1ef/0x290 vfs_write+0x446/0x6f0 ksys_write+0xc7/0x160 do_syscall_64+0xf9/0x540 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 8a177a36da6c ("blk-iolatency: Fix inflight count imbalances and IO hangs on offline") Assisted-by: Codex:gpt-5.5 Signed-off-by: Cen Zhang --- block/blk-iolatency.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c index 1aaee6fb0f59f..a0bdd8a5c94c9 100644 --- a/block/blk-iolatency.c +++ b/block/blk-iolatency.c @@ -639,6 +639,11 @@ static void blkcg_iolatency_exit(struct rq_qos *rqos) timer_shutdown_sync(&blkiolat->timer); flush_work(&blkiolat->enable_work); blkcg_deactivate_policy(rqos->disk, &blkcg_policy_iolatency); + /* + * blkcg_deactivate_policy() invokes iolatency_pd_offline(), which may + * queue enable_work again when it clears the last latency target. + */ + flush_work(&blkiolat->enable_work); kfree(blkiolat); }