From patchwork Tue Oct 10 03:13:32 2017
X-Patchwork-Submitter: Jiufei Xue
X-Patchwork-Id: 9994929
Subject: [PATCH] blk-throttle: fix null pointer dereference while throttling writeback IOs
References: <9fdd7f4b-91b5-7612-bf91-7b18defffb58@gmail.com>
To: linux-block@vger.kernel.org
Cc: Shaohua Li, Jens Axboe, wenqing.lz@taobao.com, boyu.mt@taobao.com, jiufei.xjf@alibaba-inc.com
From: xuejiufei
Message-ID: <5e5b83db-6f78-9869-fe9c-b1f6a09281ca@gmail.com>
Date: Tue, 10 Oct 2017 11:13:32 +0800
In-Reply-To: <9fdd7f4b-91b5-7612-bf91-7b18defffb58@gmail.com>
X-Mailing-List: linux-block@vger.kernel.org

From: Jiufei Xue

A null pointer dereference can occur when blkcg is removed manually with writeback IOs inflight. This is caused by the following case:

Writeback kworker submits the bio and sets bio->bi_cg_private to tg in blk_throtl_assoc_bio. Then we remove the block cgroup manually, the blkg and tg would be freed if there is no request inflight. When the submitted bio comes back, blk_throtl_bio_endio() fetches the tg which was already freed.

Fix this by increasing the refcount of blkg in function blk_throtl_assoc_bio() so that the blkg will not be freed until the bio_endio is called.

Signed-off-by: Jiufei Xue
Reviewed-by: Shaohua Li
---
 block/blk-throttle.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/block/blk-throttle.c b/block/blk-throttle.c index 17816a0..d80c3f0 100644 --- a/block/blk-throttle.c +++ b/block/blk-throttle.c @@ -2112,8 +2112,12 @@ static inline void throtl_update_latency_buckets(struct throtl_data *td) static void blk_throtl_assoc_bio(struct throtl_grp *tg, struct bio *bio) { #ifdef CONFIG_BLK_DEV_THROTTLING_LOW - if (bio->bi_css) + if (bio->bi_css) { + if (bio->bi_cg_private) + blkg_put(tg_to_blkg(bio->bi_cg_private)); bio->bi_cg_private = tg; + blkg_get(tg_to_blkg(tg)); + } blk_stat_set_issue(&bio->bi_issue_stat, bio_sectors(bio)); #endif } 
@@ -2283,8 +2287,10 @@ void blk_throtl_bio_endio(struct bio *bio) start_time = blk_stat_time(&bio->bi_issue_stat) >> 10; finish_time = __blk_stat_time(finish_time_ns) >> 10; - if (!start_time || finish_time <= start_time) + if (!start_time || finish_time <= start_time) { + blkg_put(tg_to_blkg(tg)); return; + } lat = finish_time - start_time; /* this is only for bio based driver */ @@ -2314,6 +2320,8 @@ void blk_throtl_bio_endio(struct bio *bio) tg->bio_cnt /= 2; tg->bad_bio_cnt /= 2; } + + blkg_put(tg_to_blkg(tg)); } #endif
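
Review bot: in the first hunk (blk_throtl_assoc_bio), the old reference is dropped before the new one is taken: `blkg_put(tg_to_blkg(bio->bi_cg_private));` runs ahead of `blkg_get(tg_to_blkg(tg));`. When bio->bi_cg_private already equals tg, this briefly lowers the count on the very blkg that is about to be pinned, so correctness depends on the caller holding its own reference at that point. Suggest taking the new reference first and putting the old one afterwards, or returning early when bio->bi_cg_private == tg.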
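
Review bot: in the second hunk (blk_throtl_bio_endio, the early return on `!start_time || finish_time <= start_time`), the put is duplicated per exit path, which makes it easy for a later added return to leak the blkg reference. Suggest a single `out:` label that does `blkg_put(tg_to_blkg(tg));` and having this branch jump to it. The hunk starts mid-function, so any return between fetching tg and this check needs the same treatment and should be verified against the full function.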
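
Review bot: in the third hunk (end of blk_throtl_bio_endio), the final `blkg_put(tg_to_blkg(tg));` carries no comment tying it to the `blkg_get()` added in blk_throtl_assoc_bio, so the submit/completion pairing is only recoverable from the commit message. Suggest a one-line comment at both sites naming the paired call. Placing the put after the last tg->bio_cnt and tg->bad_bio_cnt updates is right, since tg must not be touched once the reference is dropped.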