From patchwork Wed Jun  7 03:36:14 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Joseph Qi <jiangqi903@gmail.com>
X-Patchwork-Id: 9770515
Return-Path: <linux-block-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	59DDF60234 for <patchwork-linux-block@patchwork.kernel.org>;
	Wed,  7 Jun 2017 03:36:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 495A027F9A
	for <patchwork-linux-block@patchwork.kernel.org>;
	Wed,  7 Jun 2017 03:36:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3E23928522; Wed,  7 Jun 2017 03:36:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6537527F9A
	for <patchwork-linux-block@patchwork.kernel.org>;
	Wed,  7 Jun 2017 03:36:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751492AbdFGDgW (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Tue, 6 Jun 2017 23:36:22 -0400
Received: from mail-ot0-f195.google.com ([74.125.82.195]:34975 "EHLO
	mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751252AbdFGDgV (ORCPT
	<rfc822; linux-block@vger.kernel.org>); Tue, 6 Jun 2017 23:36:21 -0400
Received: by mail-ot0-f195.google.com with SMTP id t31so116234ota.2
	for <linux-block@vger.kernel.org>;
	Tue, 06 Jun 2017 20:36:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:subject:to:cc:message-id:date:user-agent:mime-version
	:content-language:content-transfer-encoding;
	bh=lfmN/rO5KVsCofGU7VXigjPVtBk+NFRE0Iw/rUoDen0=;
	b=eAmwjn/EGp6QzlMt7y6hp8x+4ox/g5o6sahHDl4aBvG6IrNe79rYMashsk4lGH3vCF
	hURv646telp3XHLdDqTogCAN6++erJgmpO/sB1GV8O9LpyRoeCH+oukTcCD2Pask07iF
	aydkOf7uF/zXujdBbfHWhYOfmZQSswUtIjS8gjpVhjkYQqBIUD56d8wkO0mxRjLWWEM0
	laITCKRAOtYdkqXzWPYqyWvGMvzScz6aMyFdHwd9T4VS2W0B5qMGHH2T1q/5us5+ZNt1
	KliWXXY0jbiQKFY0djMlYxcF2nl63nKpjCwi7Ck0Oe74eD+5nocbXluiXlId7cof883q
	LeIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:subject:to:cc:message-id:date:user-agent
	:mime-version:content-language:content-transfer-encoding;
	bh=lfmN/rO5KVsCofGU7VXigjPVtBk+NFRE0Iw/rUoDen0=;
	b=CzSpA5NX88YP2XvzIIAOzqHAM5NSBDdZ/0B89CrpFTfhaKa5uY/n4+2SjkkU+tyQhB
	h+q4oECBiirWZqOadkbqS0TiUxvob5OVZqnN9mKCayOXsBbj4Lj0yV93p+3usSfu2IeF
	riBFHN/IqdLT4jGgtwT4pmxCzU2cZxRlIvp+50cVBOMURezW9HLYizJMWql3OqVrroLx
	nyZdFsYzPdPsVxAa/cUiVzhAHNMfqZ8kygwCYM2sLu+nl4Kxm+bqbwj0I1FTwc+4neqe
	9yr3erspedW54dJC32k8ZhGdVDlefZ9o+WHQEd4L0/1OPz//laSIv7CDBcMl9u5m7rd1
	ObXg==
X-Gm-Message-State: AODbwcAkggyprYeDN7M4VsEN69c4MtjvF+aewC9zvmSwapkd/kH80aAH
	v/hTljGgLv4U9Q==
X-Received: by 10.157.37.194 with SMTP id q60mr14840789ota.213.1496806581165;
	Tue, 06 Jun 2017 20:36:21 -0700 (PDT)
Received: from JosephdeMacBook-Pro.local ([205.204.117.21])
	by smtp.gmail.com with ESMTPSA id 2sm257702otr.44.2017.06.06.20.36.17
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 06 Jun 2017 20:36:20 -0700 (PDT)
From: Joseph Qi <jiangqi903@gmail.com>
Subject: [PATCH] blk-throttle: fix NULL pointer dereference in
	throtl_schedule_pending_timer
To: linux-block@vger.kernel.org
Cc: axboe@fb.com, Shaohua Li <shli@fb.com>, boyu.mt@taobao.com,
	wenqing.lz@taobao.com, qijiang.qj@alibaba-inc.com
Message-ID: <ba25ffe3-9db7-2311-51c7-91fce0ce8cfa@gmail.com>
Date: Wed, 7 Jun 2017 11:36:14 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0)
	Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
Content-Language: en-US
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Joseph Qi <qijiang.qj@alibaba-inc.com>

I have encountered a NULL pointer dereference in
throtl_schedule_pending_timer:
  [  413.735396] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
  [  413.735535] IP: [<ffffffff812ebbbf>] throtl_schedule_pending_timer+0x3f/0x210
  [  413.735643] PGD 22c8cf067 PUD 22cb34067 PMD 0
  [  413.735713] Oops: 0000 [#1] SMP
  ......

This is caused by the following case:
  blk_throtl_bio
    throtl_schedule_next_dispatch  <= sq is top level one without parent
      throtl_schedule_pending_timer
        sq_to_tg(sq)->td->throtl_slice  <= sq_to_tg(sq) returns NULL

Fix it by using sq_to_td instead of sq_to_tg(sq)->td, which will always
return a valid td.

Fixes: 297e3d854784 ("blk-throttle: make throtl_slice tunable")
Signed-off-by: Joseph Qi <qijiang.qj@alibaba-inc.com>
Reviewed-by: Shaohua Li <shli@fb.com>
---
 block/blk-throttle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index fc13dd0..3b751f7 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -698,7 +698,7 @@ static void throtl_dequeue_tg(struct throtl_grp *tg)
 static void throtl_schedule_pending_timer(struct throtl_service_queue *sq,
 					  unsigned long expires)
 {
-	unsigned long max_expire = jiffies + 8 * sq_to_tg(sq)->td->throtl_slice;
+	unsigned long max_expire = jiffies + 8 * sq_to_td(sq)->throtl_slice;
 
 	/*
 	 * Since we are adjusting the throttle limit dynamically, the sleep