Fix oops in blk layer (rhbz 1237136)

2015-09-08 12:07:08 -04:00 · 2015-09-08 12:07:08 -04:00 · a8089a3aba
parent 124d5854ad
commit a8089a3aba
2 changed files with 73 additions and 0 deletions
--- a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
+++ b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
@ -0,0 +1,64 @@
+From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Sat, 5 Sep 2015 15:47:36 -0400
+Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and
+ ->root_rl.blkg
+
+While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always
+create the blkcg_gq for the root blkcg") removed the part which clears
+q->root_blkg and ->root_rl.blkg during q exit.  This leaves the two
+pointers dangling after blkg_destroy_all().  blk-throttle exit path
+performs blkg traversals and dereferences ->root_blkg and can lead to
+the following oops.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000558
+ IP: [<ffffffff81389746>] __blkg_lookup+0x26/0x70
+ ...
+ task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000
+ RIP: 0010:[<ffffffff81389746>]  [<ffffffff81389746>] __blkg_lookup+0x26/0x70
+ ...
+ Call Trace:
+  [<ffffffff8138d14a>] blk_throtl_drain+0x5a/0x110
+  [<ffffffff8138a108>] blkcg_drain_queue+0x18/0x20
+  [<ffffffff81369a70>] __blk_drain_queue+0xc0/0x170
+  [<ffffffff8136a101>] blk_queue_bypass_start+0x61/0x80
+  [<ffffffff81388c59>] blkcg_deactivate_policy+0x39/0x100
+  [<ffffffff8138d328>] blk_throtl_exit+0x38/0x50
+  [<ffffffff8138a14e>] blkcg_exit_queue+0x3e/0x50
+  [<ffffffff8137016e>] blk_release_queue+0x1e/0xc0
+ ...
+
+While the bug is a straigh-forward use-after-free bug, it is tricky to
+reproduce because blkg release is RCU protected and the rest of exit
+path usually finishes before RCU grace period.
+
+This patch fixes the bug by updating blkg_destro_all() to clear
+q->root_blkg and ->root_rl.blkg.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: "Richard W.M. Jones" <rjones@redhat.com>
+Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
+Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com
+Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg")
+Cc: stable@vger.kernel.org # v4.2+
+---
+ block/blk-cgroup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index d6283b3f5db5..9cc48d1d7abb 100644
+--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
+@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
+ 		blkg_destroy(blkg);
+ 		spin_unlock(&blkcg->lock);
+ 	}
+
+	q->root_blkg = NULL;
+	q->root_rl.blkg = NULL;
+ }
+ 
+ /*
+-- 
+2.4.3
+
--- a/kernel.spec
+++ b/kernel.spec
@ -628,6 +628,9 @@ Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
 #rhbz 1259231
 Patch519: make-flush-workqueue-available-to-non-GPL-modules.patch

+#rhbz 1237136
+Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1374,6 +1377,9 @@ ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
 #rhbz 1259231
 ApplyPatch make-flush-workqueue-available-to-non-GPL-modules.patch

+#rhbz 1237136
+ApplyPatch block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2224,6 +2230,9 @@ fi
 #
 # 
 %changelog
+* Tue Sep 08 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix oops in blk layer (rhbz 1237136)
+
 * Fri Sep 04 2015 Justin M. Forbes <jforbes@fedoraproject.org>
 - Bump linux-firmware require for amdgpu (rhbz 1259542)