null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

PlaidCat · PlaidCat · commit 7a37f44e74b7 · 2024-10-22T16:12:13.000-04:00
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.40.1.el9_4 commit-author Yu Kuai <yukuai3@huawei.com> commit a2db328 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/a2db328b.failed Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs. Fixes: 45919fb ("null_blk: Enable modifying 'submit_queues' after an instance has been configured") Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com> Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/ Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev> Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe@kernel.dk> (cherry picked from commit a2db328) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/block/null_blk/main.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/a2db328b.failed b/ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/a2db328b.failed
@@ -0,0 +1,107 @@
+null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
+
+jira LE-1907
+Rebuild_History Non-Buildable kernel-5.14.0-427.40.1.el9_4
+commit-author Yu Kuai <yukuai3@huawei.com>
+commit a2db328b0839312c169eb42746ec46fc1ab53ed2
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/a2db328b.failed
+
+Writing 'power' and 'submit_queues' concurrently will trigger kernel
+panic:
+
+Test script:
+
+modprobe null_blk nr_devices=0
+mkdir -p /sys/kernel/config/nullb/nullb0
+while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
+while true; do echo 1 > power; echo 0 > power; done
+
+Test result:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000148
+Oops: 0000 [#1] PREEMPT SMP
+RIP: 0010:__lock_acquire+0x41d/0x28f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x121/0x450
+ down_write+0x5f/0x1d0
+ simple_recursive_removal+0x12f/0x5c0
+ blk_mq_debugfs_unregister_hctxs+0x7c/0x100
+ blk_mq_update_nr_hw_queues+0x4a3/0x720
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
+ configfs_write_iter+0x119/0x1e0
+ vfs_write+0x326/0x730
+ ksys_write+0x74/0x150
+
+This is because del_gendisk() can concurrent with
+blk_mq_update_nr_hw_queues():
+
+nullb_device_power_store	nullb_apply_submit_queues
+ null_del_dev
+ del_gendisk
+				 nullb_update_nr_hw_queues
+				  if (!dev->nullb)
+				  // still set while gendisk is deleted
+				   return 0
+				  blk_mq_update_nr_hw_queues
+ dev->nullb = NULL
+
+Fix this problem by resuing the global mutex to protect
+nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
+
+Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured")
+Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/
+	Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+	Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com
+	Signed-off-by: Jens Axboe <axboe@kernel.dk>
+(cherry picked from commit a2db328b0839312c169eb42746ec46fc1ab53ed2)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/block/null_blk/main.c
+diff --cc drivers/block/null_blk/main.c
+index 86b661d289b9,eb023d267369..000000000000
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@@ -2146,28 -1947,13 +2161,34 @@@ static int null_add_dev(struct nullb_de
+  	nullb->q->queuedata = nullb;
+  	blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q);
+  
+++<<<<<<< HEAD
+ +	mutex_lock(&lock);
+ +	rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL);
+ +	if (rv < 0) {
+ +		mutex_unlock(&lock);
+ +		goto out_cleanup_zone;
+ +	}
+++=======
++ 	rv = ida_alloc(&nullb_indexes, GFP_KERNEL);
++ 	if (rv < 0)
++ 		goto out_cleanup_disk;
++ 
+++>>>>>>> a2db328b0839 (null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues')
+  	nullb->index = rv;
+  	dev->index = rv;
+- 	mutex_unlock(&lock);
+  
+ +	blk_queue_logical_block_size(nullb->q, dev->blocksize);
+ +	blk_queue_physical_block_size(nullb->q, dev->blocksize);
+ +	if (!dev->max_sectors)
+ +		dev->max_sectors = queue_max_hw_sectors(nullb->q);
+ +	dev->max_sectors = min(dev->max_sectors, BLK_DEF_MAX_SECTORS);
+ +	blk_queue_max_hw_sectors(nullb->q, dev->max_sectors);
+ +
+ +	if (dev->virt_boundary)
+ +		blk_queue_virt_boundary(nullb->q, PAGE_SIZE - 1);
+ +
+ +	null_config_discard(nullb);
+ +
+  	if (config_item_name(&dev->group.cg_item)) {
+  		/* Use configfs dir name as the device name */
+  		snprintf(nullb->disk_name, sizeof(nullb->disk_name),
+* Unmerged path drivers/block/null_blk/main.c
