fix two issues in blkg_create() error path #984
Open
blktests-ci[bot] wants to merge 2 commits into
Upstream branch: 66affa3
e6d9eb8 to 7d8604f
When radix_tree_insert() fails in blkg_create(), the error path calls blkg_put() to release the blkg. This was correct when blkg->refcnt was an atomic_t: blkg_put() dropped it to 0 and triggered the release path.

But commit 7fcf2b0 ("blkcg: change blkg reference counting to use percpu_ref") switched refcnt to a percpu_ref. In percpu mode percpu_ref_put() never checks for zero, so the release callback is never invoked. This blkg is on neither blkcg->blkg_list nor queue->blkg_list, so blkg_destroy_all() / blkcg_destroy_blkgs() can never reach it to call blkg_destroy()->percpu_ref_kill() either, causing the leak.

Fix it by killing the percpu_ref instead, which switches it to atomic mode and drops the initial ref.

Fixes: 7fcf2b0 ("blkcg: change blkg reference counting to use percpu_ref")
Signed-off-by: Zizhi Wo <wozizhi@huaweicloud.com>
Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
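The put-versus-kill behaviour described in the commit message above, as an added example that is not part of the patch series or the kernel source. It is a toy single-threaded userspace model: struct ref_model, its functions and NR_CPUS are hypothetical names, and the mode switch that the kernel performs asynchronously is done inline here.

```c
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 4 /* constructed value for the model */

/* Toy single-threaded model of a percpu_ref; not the kernel implementation. */
struct ref_model {
    long percpu[NR_CPUS]; /* per-CPU deltas, never compared against zero */
    long atomic;          /* holds the initial reference taken at init */
    bool percpu_mode;
    bool released;        /* set where the release callback would run */
};

static void ref_init(struct ref_model *r) {
    *r = (struct ref_model){ .atomic = 1, .percpu_mode = true };
}

static void ref_put(struct ref_model *r, int cpu) {
    if (r->percpu_mode) {
        r->percpu[cpu]--; /* fast path: decrement only, no zero check */
        return;
    }
    if (--r->atomic == 0)
        r->released = true;
}

/* Kill: fold per-CPU deltas into the atomic count, then drop the initial ref.
 * The kernel switches modes asynchronously; the model does it inline. */
static void ref_kill(struct ref_model *r) {
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        r->atomic += r->percpu[cpu];
        r->percpu[cpu] = 0;
    }
    r->percpu_mode = false;
    ref_put(r, 0);
}

/* Returns whether release ran when the error path uses put (true) or kill. */
static bool error_path_releases(bool use_put) {
    struct ref_model r;
    ref_init(&r);
    if (use_put) ref_put(&r, 0); else ref_kill(&r);
    return r.released;
}

int main(void) {
    printf("put:  released=%d\n", error_path_releases(true));
    printf("kill: released=%d\n", error_path_releases(false));
    return 0;
}
```

With put, the decrement lands in a per-CPU slot and release never runs, which is the leak for an object that no list walker can reach; with kill, the count reaches zero in atomic mode and release runs.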
…r path

When blkg_create() fails before the blkg is linked onto blkcg->blkg_list and q->blkg_list (e.g. radix_tree_insert() fails or the blkg_lookup() returns NULL), the blkg is freed asynchronously via blkg_free_workfn().

Since such a blkg was never linked, it is invisible to blkcg_deactivate_policy(), so its blkg->pd[] entries can not be cleared in it. blkg_free_workfn() then calls blkcg_policy->pd_free_fn() on them, which can race with bfq module exit (bfq_exit() -> blkcg_policy_unregister()) clearing the blkcg_policy[] slot, leading to a NULL pointer dereference:

  [ 72.597786] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
  [ 72.598690] CPU: 35 UID: 0 PID: 458 Comm: kworker/35:1 Not tainted 7.1.0+ #33 PREEMPT(full)
  [ 72.599518] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
  [ 72.600342] Workqueue: events blkg_free_workfn
  [ 72.600991] RIP: 0010:blkg_free_workfn+0x115/0x3d0
  ......
  [ 72.613278] Call Trace:
  [ 72.613988] <TASK>
  [ 72.614357] process_one_work+0x6b4/0xff0
  [ 72.615251] ? __pfx_blkg_free_workfn+0x10/0x10
  [ 72.616041] ? assign_work+0x131/0x3f0
  [ 72.616962] worker_thread+0x4eb/0xd50
  [ 72.617599] ? __kthread_parkme+0x8d/0x170
  [ 72.618565] ? __pfx_worker_thread+0x10/0x10
  [ 72.619566] ? __pfx_worker_thread+0x10/0x10
  [ 72.620213] kthread+0x327/0x410
  ......

Fix this by introducing blkg_free_pd() to synchronously free the pd and clear blkg->pd[] in the blkg_create() error path, while the blkcg_policy is still valid.

Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
Upstream branch: bade58e
4287f4f to b1b04ac
Pull request for series with
subject: fix two issues in blkg_create() error path
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1114548