null_blk: cancel bw_timer on add-device error unwind #992
Open
blktests-ci[bot] wants to merge 1 commit into
null_blk starts the bandwidth hrtimer before the later add_disk/device_add failure points. If setup fails after the timer is queued, the shared error unwind frees struct nullb without draining bw_timer, so the callback can run on freed owner state.

The buggy scenario involves two paths, with each column showing the order within that path:

null_add_dev() error unwind:
1. Start bw_timer for a throttled device.
2. Hit a later add_disk/device_add failure.
3. Free struct nullb.
4. Release the remaining queue and disk resources.

nullb_bwtimer_fn() callback path:
1. The hrtimer expires after the free.
2. nullb_bwtimer_fn() recovers the embedded owner.
3. The callback reads nullb->dev and nullb->q.
4. The stale owner storage is used after free.

Cancel bw_timer in the shared error unwind before put_disk() and the remaining frees. The normal delete path already uses the same hrtimer_cancel() drain.

Validation reproduced this kernel report:

    BUG: KASAN: slab-use-after-free in nullb_bwtimer_fn+0x13f/0x170 [null_blk]
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x66/0xa0
     print_report+0xce/0x630
     ? nullb_bwtimer_fn+0x13f/0x170 [null_blk]
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? __virt_addr_valid+0x20d/0x410
     ? nullb_bwtimer_fn+0x13f/0x170 [null_blk]
     kasan_report+0xe0/0x110
     ? nullb_bwtimer_fn+0x13f/0x170 [null_blk]
     ? __pfx_nullb_bwtimer_fn+0x10/0x10 [null_blk]
     nullb_bwtimer_fn+0x13f/0x170 [null_blk]
     __hrtimer_run_queues+0x172/0x810
     hrtimer_interrupt+0x377/0x7f0
     __sysvec_apic_timer_interrupt+0xc3/0x390
     sysvec_apic_timer_interrupt+0x67/0x80
     </IRQ>
     <TASK>
     asm_sysvec_apic_timer_interrupt+0x1a/0x20

    Allocated by task 529:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0xaa/0xb0
     null_add_dev+0x4f9/0x1d10 [null_blk]
     nullb_device_power_store+0x25f/0x320 [null_blk]
     configfs_write_iter+0x2be/0x4a0
     vfs_write+0x604/0x11f0
     ksys_write+0xf9/0x1d0
     do_syscall_64+0x115/0x6a0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Freed by task 529:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     kasan_save_free_info+0x3b/0x60
     __kasan_slab_free+0x5f/0x80
     kfree+0x307/0x580
     null_add_dev+0x1272/0x1d10 [null_blk]
     nullb_device_power_store+0x25f/0x320 [null_blk]
     configfs_write_iter+0x2be/0x4a0
     vfs_write+0x604/0x11f0
     ksys_write+0xf9/0x1d0
     do_syscall_64+0x115/0x6a0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: eff2c4f ("nullb: bandwidth control")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
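
A userspace model of the lifetime rule described in the commit message above, added here as an illustration and not code from the patch or the null_blk driver. All names (model_timer, model_nullb, add_dev_fail and the rest) are constructed, the array stands in for the hrtimer queue, and the timer is assumed to stay queued after firing.

```c
#include <stddef.h>
#include <stdlib.h>

#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
#define NQ 4
struct model_timer { void (*fn)(struct model_timer *); };
struct model_nullb {
	int ticks;                   /* owner state the callback touches */
	struct model_timer bw_timer; /* embedded, as bw_timer is in struct nullb */
};
static struct model_timer *queue[NQ]; /* stand-in for the hrtimer queue */
static void timer_start(struct model_timer *t)
{
	for (int i = 0; i < NQ; i++)
		if (!queue[i]) { queue[i] = t; return; }
}
/* Model of the drain: once this returns, the callback cannot run. */
static void timer_cancel(struct model_timer *t)
{
	for (int i = 0; i < NQ; i++)
		if (queue[i] == t) queue[i] = NULL;
}
/* Expire every queued timer once; returns how many callbacks ran. */
static int run_expired(void)
{
	int n = 0;
	for (int i = 0; i < NQ; i++)
		if (queue[i]) { queue[i]->fn(queue[i]); n++; }
	return n;
}
static void bwtimer_fn(struct model_timer *t)
{
	/* Recovers the embedded owner, so the owner must still be alive. */
	container_of(t, struct model_nullb, bw_timer)->ticks++;
}
/* Setup fails after the timer is queued. Returns how many queued timers
 * still point into the owner when it is freed (0 = safe, -1 = model error). */
static int add_dev_fail(int drain)
{
	struct model_nullb *nb = calloc(1, sizeof(*nb));
	int stale = 0;
	if (!nb) return -1;
	nb->bw_timer.fn = bwtimer_fn;
	timer_start(&nb->bw_timer);
	if (run_expired() != 1 || nb->ticks != 1) stale = -1; /* live owner: fine */
	if (drain) timer_cancel(&nb->bw_timer); /* cancel before the frees */
	for (int i = 0; stale >= 0 && i < NQ; i++) stale += queue[i] != NULL;
	free(nb);
	for (int i = 0; i < NQ; i++) queue[i] = NULL; /* never run stale entries */
	return stale;
}
```

A non-zero return from add_dev_fail(0) is the condition the KASAN report shows: a queued timer whose embedded owner has already been freed.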
Upstream branch: bade58e
Pull request for series with
subject: null_blk: cancel bw_timer on add-device error unwind
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1115733