From a8089a3aba84b389af65493f02fab38c0714cd91 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 8 Sep 2015 12:07:08 -0400 Subject: [PATCH] Fix oops in blk layer (rhbz 1237136) --- ...oy_all-should-clear-q-root_blkg-and-.patch | 64 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 73 insertions(+) create mode 100644 block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch diff --git a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch new file mode 100644 index 000000000..be5eddebc --- /dev/null +++ b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch 
@@ -0,0 +1,64 @@ +From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sat, 5 Sep 2015 15:47:36 -0400 +Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and + ->root_rl.blkg + +While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always +create the blkcg_gq for the root blkcg") removed the part which clears +q->root_blkg and ->root_rl.blkg during q exit. This leaves the two +pointers dangling after blkg_destroy_all(). blk-throttle exit path +performs blkg traversals and dereferences ->root_blkg and can lead to +the following oops. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000558 + IP: [] __blkg_lookup+0x26/0x70 + ... + task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000 + RIP: 0010:[] [] __blkg_lookup+0x26/0x70 + ... + Call Trace: + [] blk_throtl_drain+0x5a/0x110 + [] blkcg_drain_queue+0x18/0x20 + [] __blk_drain_queue+0xc0/0x170 + [] blk_queue_bypass_start+0x61/0x80 + [] blkcg_deactivate_policy+0x39/0x100 + [] blk_throtl_exit+0x38/0x50 + [] blkcg_exit_queue+0x3e/0x50 + [] blk_release_queue+0x1e/0xc0 + ... + +While the bug is a straigh-forward use-after-free bug, it is tricky to +reproduce because blkg release is RCU protected and the rest of exit +path usually finishes before RCU grace period. + +This patch fixes the bug by updating blkg_destro_all() to clear +q->root_blkg and ->root_rl.blkg. + +Signed-off-by: Tejun Heo +Reported-by: "Richard W.M. 
Jones" +Reported-by: Josh Boyer +Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com +Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg") +Cc: stable@vger.kernel.org # v4.2+ +--- + block/blk-cgroup.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index d6283b3f5db5..9cc48d1d7abb 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q) + blkg_destroy(blkg); + spin_unlock(&blkcg->lock); + } ++ ++ q->root_blkg = NULL; ++ q->root_rl.blkg = NULL; + } + + /* +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 086fe69c8..2f4e2d949 100644 --- a/kernel.spec +++ b/kernel.spec @@ -628,6 +628,9 @@ Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch #rhbz 1259231 Patch519: make-flush-workqueue-available-to-non-GPL-modules.patch +#rhbz 1237136 +Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch + # END OF PATCH DEFINITIONS %endif @@ -1374,6 +1377,9 @@ ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch #rhbz 1259231 ApplyPatch make-flush-workqueue-available-to-non-GPL-modules.patch +#rhbz 1237136 +ApplyPatch block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch + # END OF PATCH APPLICATIONS %endif @@ -2224,6 +2230,9 @@ fi # # %changelog +* Tue Sep 08 2015 Josh Boyer +- Fix oops in blk layer (rhbz 1237136) + * Fri Sep 04 2015 Justin M. Forbes - Bump linux-firmware require for amdgpu (rhbz 1259542)
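Review bot: in the blk-cgroup.c hunk inside the added patch file, the two new stores (`q->root_blkg = NULL;` and `q->root_rl.blkg = NULL;`) are placed after the per-blkcg `spin_unlock(&blkcg->lock)` that closes the destroy loop, so nothing visible in the hunk serializes them against a concurrent `__blkg_lookup()`; whatever lock blkg_destroy_all() already holds for the loop (not shown in this context) must also cover these writes, otherwise the oops the description quotes is only narrowed, not closed. The description itself carries two typos worth fixing before it lands in a permanent patch file: "straigh-forward" and "blkg_destro_all()" (the function is blkg_destroy_all(), as the Subject line spells it).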
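Review bot: in the first kernel.spec hunk the new definition is numbered `Patch522:` directly after `Patch519:` in the surrounding context, leaving 520 and 521 unaccounted for here; confirm those numbers are either in use elsewhere in the spec or intentionally reserved, since the matching `ApplyPatch` hunk keys only on the file name and a later collision on the number would not be caught there. The `#rhbz 1237136` tag, the file name and the changelog entry are consistent across all three hunks.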