From patchwork Mon Oct 21 19:56:27 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Josef Bacik <josef@toxicpanda.com>
X-Patchwork-Id: 11202977
Return-Path: <SRS0=zBYI=YO=vger.kernel.org=linux-block-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B8E9F1515
	for <patchwork-linux-block@patchwork.kernel.org>;
 Mon, 21 Oct 2019 19:56:34 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 9759120882
	for <patchwork-linux-block@patchwork.kernel.org>;
 Mon, 21 Oct 2019 19:56:34 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=toxicpanda-com.20150623.gappssmtp.com
 header.i=@toxicpanda-com.20150623.gappssmtp.com header.b="uy4N5ISy"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727264AbfJUT4e (ORCPT
        <rfc822;patchwork-linux-block@patchwork.kernel.org>);
        Mon, 21 Oct 2019 15:56:34 -0400
Received: from mail-qt1-f196.google.com ([209.85.160.196]:45040 "EHLO
        mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726672AbfJUT4d (ORCPT
        <rfc822;linux-block@vger.kernel.org>);
        Mon, 21 Oct 2019 15:56:33 -0400
Received: by mail-qt1-f196.google.com with SMTP id z22so2503976qtq.11
        for <linux-block@vger.kernel.org>;
 Mon, 21 Oct 2019 12:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=toxicpanda-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:subject:date:message-id:in-reply-to:references:mime-version
         :content-transfer-encoding;
        bh=PB32g4c6uKsJKr+PshalNj6YK9p7R+K1426kl66/DD4=;
        b=uy4N5ISyRi+PhtI1WNJWJ7K6UqSihuB5UunAhvOdCs1SjLfbLhTi94WgWgcE0iZWI9
         y4bDw9Ca8dmLVo3/9eonX2k+/QJmAuYcK9UbGRtCMXutiU5hQJvB2xOmkZbFlHnkh8Fx
         O0RqlDbX7g6k/bGGh+SA9wWYKTkVEMvONZJZaX6DFrlxQc3HkvkyuJZOjaqnZSWxHQ4z
         9qzMTFEbeIkwo+Eh4jqklsFvhgl79a9LM6dr+ztWikzl4E8vvguPvj4OcSPc9qNnlGbX
         BgfmUsEnA0RAFfv8PTStrOZ2w1LdKHfWGmCsHjHnRZ5OMWilRv+EXSc8YB6mH2LNg7/r
         rAcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=PB32g4c6uKsJKr+PshalNj6YK9p7R+K1426kl66/DD4=;
        b=J5n9Ajes4ezNxXi4MfBmiwXrK8xs0cnmx9XoAZzcRhfY79y+28aP0nHzPaTvD4bvVf
         u3tkXfuzOiYx4khcBM+8UF2FkHqtO3GnfnzJdg8XBXo6PZh4P3eqOxg+SAArnqP8/ijZ
         ulxIO3oufaUAYuE18JJpJ7W8qFxJXf+lOQcONnojkIKcdqODiZsovlGo+9tcyTlnu8fv
         zYMFXTYsSbdDzLiRERpF4eBuAODFVpCsTevV1vXn48ir7Aow//ShAM8ODo3Lh1d6aitg
         2j/BQ1v2F5mjERk6hJQSH/n0Ax/Er+3LbeEshbmGZLUYgyiYBhyFgtMZYd2O71U6YVZM
         6gLw==
X-Gm-Message-State: APjAAAURgWFEgT2enOQcRLGeVGS/oLynQwBMEsYE03IJtOU5LeNcViz9
        v5tGcuri+XZq89ueX7ZSg1DDg5KqN+qoiw==
X-Google-Smtp-Source: 
 APXvYqxBxLQO23FtAwkOCqWxxqVcL90+WPiI9CK+WkYrNq1ytchniQH3endTRmyibP7ecZPdyxIE/w==
X-Received: by 2002:ad4:5004:: with SMTP id s4mr4812140qvo.87.1571687792790;
        Mon, 21 Oct 2019 12:56:32 -0700 (PDT)
Received: from localhost ([107.15.81.208])
        by smtp.gmail.com with ESMTPSA id
 r29sm7985889qtb.63.2019.10.21.12.56.31
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 21 Oct 2019 12:56:32 -0700 (PDT)
From: Josef Bacik <josef@toxicpanda.com>
To: axboe@kernel.dk, nbd@other.debian.org, linux-block@vger.kernel.org,
        kernel-team@fb.com, mchristi@redhat.com
Subject: [PATCH 1/2] nbd: protect cmd->status with cmd->lock
Date: Mon, 21 Oct 2019 15:56:27 -0400
Message-Id: <20191021195628.19849-2-josef@toxicpanda.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20191021195628.19849-1-josef@toxicpanda.com>
References: <20191021195628.19849-1-josef@toxicpanda.com>
MIME-Version: 1.0
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org

We already do this for the most part, except in timeout and clear_req.
For the timeout case we take the lock after we grab a ref on the config,
but that isn't really necessary because we're safe to touch the cmd at
this point, so just move the order around.

For the clear_req cause this is initiated by the user, so again is safe.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
---
 drivers/block/nbd.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index a8e3815295fe..8fb8913074b8 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -368,17 +368,16 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
 	struct nbd_device *nbd = cmd->nbd;
 	struct nbd_config *config;
 
+	if (!mutex_trylock(&cmd->lock))
+		return BLK_EH_RESET_TIMER;
+
 	if (!refcount_inc_not_zero(&nbd->config_refs)) {
 		cmd->status = BLK_STS_TIMEOUT;
+		mutex_unlock(&cmd->lock);
 		goto done;
 	}
 	config = nbd->config;
 
-	if (!mutex_trylock(&cmd->lock)) {
-		nbd_config_put(nbd);
-		return BLK_EH_RESET_TIMER;
-	}
-
 	if (config->num_connections > 1) {
 		dev_err_ratelimited(nbd_to_dev(nbd),
 				    "Connection timed out, retrying (%d/%d alive)\n",
@@ -775,7 +774,10 @@ static bool nbd_clear_req(struct request *req, void *data, bool reserved)
 {
 	struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
 
+	mutex_lock(&cmd->lock);
 	cmd->status = BLK_STS_IOERR;
+	mutex_unlock(&cmd->lock);
+
 	blk_mq_complete_request(req);
 	return true;
 }

From patchwork Mon Oct 21 19:56:28 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Josef Bacik <josef@toxicpanda.com>
X-Patchwork-Id: 11202979
Return-Path: <SRS0=zBYI=YO=vger.kernel.org=linux-block-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1383B1515
	for <patchwork-linux-block@patchwork.kernel.org>;
 Mon, 21 Oct 2019 19:56:38 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id E491D2086D
	for <patchwork-linux-block@patchwork.kernel.org>;
 Mon, 21 Oct 2019 19:56:37 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=toxicpanda-com.20150623.gappssmtp.com
 header.i=@toxicpanda-com.20150623.gappssmtp.com header.b="2KVIdo4C"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729869AbfJUT4h (ORCPT
        <rfc822;patchwork-linux-block@patchwork.kernel.org>);
        Mon, 21 Oct 2019 15:56:37 -0400
Received: from mail-qk1-f193.google.com ([209.85.222.193]:46308 "EHLO
        mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726672AbfJUT4h (ORCPT
        <rfc822;linux-block@vger.kernel.org>);
        Mon, 21 Oct 2019 15:56:37 -0400
Received: by mail-qk1-f193.google.com with SMTP id e66so13911403qkf.13
        for <linux-block@vger.kernel.org>;
 Mon, 21 Oct 2019 12:56:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=toxicpanda-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:subject:date:message-id:in-reply-to:references:mime-version
         :content-transfer-encoding;
        bh=olbMooGjFBayOK7jc5tAferY0kolRn7LFl7EO6n9+Nc=;
        b=2KVIdo4CnFZeezRJGdUURVYAxlQipkL+U3JQu19GH2FVPmUpW8jPkgNcp3A/FaenyN
         YpDIUISBLUO/+NfQpOynPtqRVUzgjeMb6JGpu3nAufBRVmlsqDu2Gnj1qhczeZX0IW+A
         CvdTsJBaFh/ytGNiETeuhrPHtWaI44lFx5DD/EjujMDDu3QpoL1iDFSJIIpESUEecBMb
         a66XPczNy+vrzshaqgkl5bSWZbiTNlSd+v3cv5tREpLsUw8/tiopaJU1VPrwDzu2hXn6
         0p7w0wNOgxCgzaqslc3rcBA7xzbtodnvQl6D28FMZBFtrugTXGfmbzMWwSk8l0NVaT1/
         qAlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=olbMooGjFBayOK7jc5tAferY0kolRn7LFl7EO6n9+Nc=;
        b=lRHvJFmqxSp2AGXxDfkd7kzxkf8aWGCRvREFwp0Zjw5z+jQS6uziCc4OT3tdFLBu/k
         lkpOkXiemhBcMexgYMap+4G+PKWwdPhC3yrnnpQPIQZzsvAw5Vre8oyRh4YpQXVuAKM9
         6iMP1qmIALjFFTZhwjCVDeRAVAxgIr9ShFtH8ZYopxhMWYnug64xhBDKkirNKjlxDpGr
         WxNoG29ehWPoUn/c6mJL3UetmtgUyRv8vINkqohxha0LTsCnjotj+ajXPutl46aiOKzz
         y89zKgD15FauqcpM0VaM2aIkzuF2gjNk7V3AWqM8X3m7Za0qeTxiAr/QQayGD4NJlliJ
         bDFw==
X-Gm-Message-State: APjAAAW4ECee+D9HOmP13TNxVvc3p3+nEvMKUAXCSmj+Li6Torv9RCVs
        9w1tpKAzp/7CAPRBAs/jxoZYtw==
X-Google-Smtp-Source: 
 APXvYqynVLEZMpVVt7pXNA5sBJbHLg8xYpkuKPGZrIRVUI+mw+ub3JJnSUuMdGm6zJgRfz/ULG7k2Q==
X-Received: by 2002:a37:353:: with SMTP id 80mr23331009qkd.439.1571687794781;
        Mon, 21 Oct 2019 12:56:34 -0700 (PDT)
Received: from localhost ([107.15.81.208])
        by smtp.gmail.com with ESMTPSA id
 d2sm7734516qkj.123.2019.10.21.12.56.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 21 Oct 2019 12:56:34 -0700 (PDT)
From: Josef Bacik <josef@toxicpanda.com>
To: axboe@kernel.dk, nbd@other.debian.org, linux-block@vger.kernel.org,
        kernel-team@fb.com, mchristi@redhat.com
Subject: [PATCH 2/2] nbd: handle racing with error'ed out commands
Date: Mon, 21 Oct 2019 15:56:28 -0400
Message-Id: <20191021195628.19849-3-josef@toxicpanda.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20191021195628.19849-1-josef@toxicpanda.com>
References: <20191021195628.19849-1-josef@toxicpanda.com>
MIME-Version: 1.0
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org

We hit the following warning in production

print_req_error: I/O error, dev nbd0, sector 7213934408 flags 80700
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 25 PID: 32407 at lib/refcount.c:190 refcount_sub_and_test_checked+0x53/0x60
Workqueue: knbd-recv recv_work [nbd]
RIP: 0010:refcount_sub_and_test_checked+0x53/0x60
Call Trace:
 blk_mq_free_request+0xb7/0xf0
 blk_mq_complete_request+0x62/0xf0
 recv_work+0x29/0xa1 [nbd]
 process_one_work+0x1f5/0x3f0
 worker_thread+0x2d/0x3d0
 ? rescuer_thread+0x340/0x340
 kthread+0x111/0x130
 ? kthread_create_on_node+0x60/0x60
 ret_from_fork+0x1f/0x30
---[ end trace b079c3c67f98bb7c ]---

This was preceded by us timing out everything and shutting down the
sockets for the device.  The problem is we had a request in the queue at
the same time, so we completed the request twice.  This can actually
happen in a lot of cases, we fail to get a ref on our config, we only
have one connection and just error out the command, etc.

Fix this by checking cmd->status in nbd_read_stat.  We only change this
under the cmd->lock, so we are safe to check this here and see if we've
already error'ed this command out, which would indicate that we've
completed it as well.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
---
 drivers/block/nbd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 8fb8913074b8..e9f5d4e476e7 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -693,6 +693,12 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
 		ret = -ENOENT;
 		goto out;
 	}
+	if (cmd->status != BLK_STS_OK) {
+		dev_err(disk_to_dev(nbd->disk), "Command already handled %p\n",
+			req);
+		ret = -ENOENT;
+		goto out;
+	}
 	if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) {
 		dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n",
 			req);