From patchwork Wed Mar 25 12:38:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457703 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C382F15AB for ; Wed, 25 Mar 2020 12:40:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AEA642078A for ; Wed, 25 Mar 2020 12:40:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727325AbgCYMkQ (ORCPT ); Wed, 25 Mar 2020 08:40:16 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12131 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727290AbgCYMkQ (ORCPT ); Wed, 25 Mar 2020 08:40:16 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 7B58A7A9DBC3D34B97C4; Wed, 25 Mar 2020 20:40:09 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:06 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 1/6] bdi: use bdi_dev_name() to get device name Date: Wed, 25 Mar 2020 20:38:38 +0800 Message-ID: <20200325123843.47452-2-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Use the common interface bdi_dev_name() to get device name. Signed-off-by: Yufen Yu Reviewed-by: Christoph Hellwig --- block/bfq-iosched.c | 5 +++-- block/blk-cgroup.c | 2 +- fs/ceph/debugfs.c | 2 +- include/trace/events/wbt.h | 8 ++++---- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 8c436abfaf14..94261b7d7181 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -4978,8 +4978,9 @@ bfq_set_next_ioprio_data(struct bfq_queue *bfqq, struct bfq_io_cq *bic) ioprio_class = IOPRIO_PRIO_CLASS(bic->ioprio); switch (ioprio_class) { default: - dev_err(bfqq->bfqd->queue->backing_dev_info->dev, - "bfq: bad prio class %d\n", ioprio_class); + pr_err("bdi %s: bfq: bad prio class %d\n", + bdi_dev_name(bfqq->bfqd->queue->backing_dev_info), + ioprio_class); /* fall through */ case IOPRIO_CLASS_NONE: /* diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c index a229b94d5390..be92405c6547 100644 --- a/block/blk-cgroup.c +++ b/block/blk-cgroup.c @@ -496,7 +496,7 @@ const char *blkg_dev_name(struct blkcg_gq *blkg) { /* some drivers (floppy) instantiate a queue w/o disk registered */ if (blkg->q->backing_dev_info->dev) - return dev_name(blkg->q->backing_dev_info->dev); + return bdi_dev_name(blkg->q->backing_dev_info); return NULL; } diff --git a/fs/ceph/debugfs.c b/fs/ceph/debugfs.c index fb7cabd98e7b..1f8f3b631adb 100644 --- a/fs/ceph/debugfs.c +++ b/fs/ceph/debugfs.c @@ -271,7 +271,7 @@ void ceph_fs_debugfs_init(struct ceph_fs_client *fsc) &congestion_kb_fops); snprintf(name, sizeof(name), "../../bdi/%s", - dev_name(fsc->sb->s_bdi->dev)); + bdi_dev_name(fsc->sb->s_bdi)); fsc->debugfs_bdi = debugfs_create_symlink("bdi", fsc->client->debugfs_dir, diff --git a/include/trace/events/wbt.h b/include/trace/events/wbt.h index 37342a13c9cb..9996420d7ec4 100644 --- a/include/trace/events/wbt.h +++ b/include/trace/events/wbt.h @@ -33,7 +33,7 @@ TRACE_EVENT(wbt_stat, ), TP_fast_assign( - strlcpy(__entry->name, dev_name(bdi->dev), + strlcpy(__entry->name, bdi_dev_name(bdi), ARRAY_SIZE(__entry->name)); __entry->rmean = stat[0].mean; __entry->rmin = stat[0].min; @@ -68,7 +68,7 @@ TRACE_EVENT(wbt_lat, ), TP_fast_assign( - strlcpy(__entry->name, dev_name(bdi->dev), + strlcpy(__entry->name, bdi_dev_name(bdi), ARRAY_SIZE(__entry->name)); __entry->lat = div_u64(lat, 1000); ), @@ -105,7 +105,7 @@ TRACE_EVENT(wbt_step, ), TP_fast_assign( - strlcpy(__entry->name, dev_name(bdi->dev), + strlcpy(__entry->name, bdi_dev_name(bdi), ARRAY_SIZE(__entry->name)); __entry->msg = msg; __entry->step = step; @@ -141,7 +141,7 @@ TRACE_EVENT(wbt_timer, ), TP_fast_assign( - strlcpy(__entry->name, dev_name(bdi->dev), + strlcpy(__entry->name, bdi_dev_name(bdi), ARRAY_SIZE(__entry->name)); __entry->status = status; __entry->step = step; From patchwork Wed Mar 25 12:38:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457707 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BAB326CA for ; Wed, 25 Mar 2020 12:40:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A4AEF2076A for ; Wed, 25 Mar 2020 12:40:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727328AbgCYMkW (ORCPT ); Wed, 25 Mar 2020 08:40:22 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12129 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727298AbgCYMkV (ORCPT ); Wed, 25 Mar 2020 08:40:21 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 72D5AFED297F7C42EFE7; Wed, 25 Mar 2020 20:40:09 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:06 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 2/6] bdi: protect bdi->dev with spinlock Date: Wed, 25 Mar 2020 20:38:39 +0800 Message-ID: <20200325123843.47452-3-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org We have reported a kernel crash in __blkg_prfill_rwstat() for use-after-free the bdi->dev. It tries to get the device name by 'bdi->dev', while the device and kobj->name has been freed by bdi_unregister(). In fact, similar bug have been reported in wb_workfn when bdi_unregister(). To fix it, commit 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") has created bdi_dev_name() to handle bdi->dev beening NULL. But, bdi->dev can be freed after bdi_dev_name() return successly, which can cause use-after-free for dev or kobj->name. In this patch, we try to protect the 'bdi->dev' with spinlock to avoid the race. A new helper function bdi_get_dev_name() is defined. Then, the caller can get device name with this helper safely. This patch is prepare for following patch to fix use-after-free bug. Signed-off-by: Yufen Yu --- include/linux/backing-dev-defs.h | 1 + include/linux/backing-dev.h | 28 ++++++++++++++++++++++++++++ mm/backing-dev.c | 9 +++++++-- 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h index 4fc87dee005a..c98dac4a7953 100644 --- a/include/linux/backing-dev-defs.h +++ b/include/linux/backing-dev-defs.h @@ -227,6 +227,7 @@ struct backing_dev_info { #ifdef CONFIG_DEBUG_FS struct dentry *debug_dir; #endif + spinlock_t lock; /* protects dev */ }; enum { diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h index f88197c1ffc2..010d80956442 100644 --- a/include/linux/backing-dev.h +++ b/include/linux/backing-dev.h @@ -19,6 +19,8 @@ #include #include +#define BDI_DEV_NAME_LEN 32 + static inline struct backing_dev_info *bdi_get(struct backing_dev_info *bdi) { kref_get(&bdi->refcnt); @@ -514,4 +516,30 @@ static inline const char *bdi_dev_name(struct backing_dev_info *bdi) return dev_name(bdi->dev); } +/** + * bdi_get_dev_name - copy bdi device name into buffer + * @bdi: target bdi + * @dname: Where to copy the device name to + * @len: size of destination buffer + */ +static inline char *bdi_get_dev_name(struct backing_dev_info *bdi, + char *dname, int len) +{ + if (!bdi) + goto unknown; + + spin_lock_irq(&bdi->lock); + if (!bdi->dev) { + spin_unlock_irq(&bdi->lock); + goto unknown; + } + + strlcpy(dname, dev_name(bdi->dev), len); + spin_unlock_irq(&bdi->lock); + return dname; + +unknown: + strlcpy(dname, bdi_unknown_name, len); + return NULL; +} #endif /* _LINUX_BACKING_DEV_H */ diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 62f05f605fb5..aa9ba7dcc2d9 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -859,6 +859,7 @@ static int bdi_init(struct backing_dev_info *bdi) INIT_LIST_HEAD(&bdi->bdi_list); INIT_LIST_HEAD(&bdi->wb_list); init_waitqueue_head(&bdi->wb_waitq); + spin_lock_init(&bdi->lock); ret = cgwb_bdi_init(bdi); @@ -1007,15 +1008,19 @@ static void bdi_remove_from_list(struct backing_dev_info *bdi) void bdi_unregister(struct backing_dev_info *bdi) { + struct device *dev = bdi->dev; + /* make sure nobody finds us on the bdi_list anymore */ bdi_remove_from_list(bdi); wb_shutdown(&bdi->wb); cgwb_bdi_unregister(bdi); - if (bdi->dev) { + if (dev) { bdi_debug_unregister(bdi); - device_unregister(bdi->dev); + spin_lock_irq(&bdi->lock); bdi->dev = NULL; + spin_unlock_irq(&bdi->lock); + device_unregister(dev); } if (bdi->owner) { From patchwork Wed Mar 25 12:38:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457701 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9F6D26CA for ; Wed, 25 Mar 2020 12:40:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 801C5207FF for ; Wed, 25 Mar 2020 12:40:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727316AbgCYMkN (ORCPT ); Wed, 25 Mar 2020 08:40:13 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12132 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727280AbgCYMkM (ORCPT ); Wed, 25 Mar 2020 08:40:12 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 83AF2CCC9D1FB7B3DC50; Wed, 25 Mar 2020 20:40:09 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:07 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 3/6] bfq: fix potential kernel crash when print error info Date: Wed, 25 Mar 2020 20:38:40 +0800 Message-ID: <20200325123843.47452-4-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Replace bdi_dev_name() with bdi_get_dev_name(). Then, we can fix potential use-after-free or NULL pointer reference for bdi->dev when bdi unregister. Signed-off-by: Yufen Yu --- block/bfq-iosched.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 94261b7d7181..a8a67a95006e 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -4971,6 +4971,7 @@ bfq_set_next_ioprio_data(struct bfq_queue *bfqq, struct bfq_io_cq *bic) struct task_struct *tsk = current; int ioprio_class; struct bfq_data *bfqd = bfqq->bfqd; + char dname[BDI_DEV_NAME_LEN]; if (!bfqd) return; @@ -4978,9 +4979,9 @@ bfq_set_next_ioprio_data(struct bfq_queue *bfqq, struct bfq_io_cq *bic) ioprio_class = IOPRIO_PRIO_CLASS(bic->ioprio); switch (ioprio_class) { default: - pr_err("bdi %s: bfq: bad prio class %d\n", - bdi_dev_name(bfqq->bfqd->queue->backing_dev_info), - ioprio_class); + bdi_get_dev_name(bfqq->bfqd->queue->backing_dev_info, dname, + BDI_DEV_NAME_LEN); + pr_err("bdi %s: bfq: bad prio class %d\n", dname, ioprio_class); /* fall through */ case IOPRIO_CLASS_NONE: /* From patchwork Wed Mar 25 12:38:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457711 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 170D715AB for ; Wed, 25 Mar 2020 12:40:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id ED9572078A for ; Wed, 25 Mar 2020 12:40:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727290AbgCYMk2 (ORCPT ); Wed, 25 Mar 2020 08:40:28 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12130 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727279AbgCYMk2 (ORCPT ); Wed, 25 Mar 2020 08:40:28 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 68DFC276D04602731DAD; Wed, 25 Mar 2020 20:40:09 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:07 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 4/6] memcg: fix crash in wb_workfn when bdi unregister Date: Wed, 25 Mar 2020 20:38:41 +0800 Message-ID: <20200325123843.47452-5-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Commit 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") try to handle bdi->dev beening NULL by adding bdi_dev_name(). But, bdi->dev can be freed and set as 'NULL' after bdi_dev_name() think the value is valid. Then it can cause use-after-free for dev or kobj->name. After protecting the bdi->dev with lock, the race can be fixed thoroughly. Here, we just need to replace bdi_dev_name() with bdi_get_dev_name(). Fixes: 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") Signed-off-by: Yufen Yu --- fs/fs-writeback.c | 4 +++- include/trace/events/writeback.h | 38 ++++++++++++++------------------ 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 76ac9c7d32ec..8d36c256560c 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -2062,8 +2062,10 @@ void wb_workfn(struct work_struct *work) struct bdi_writeback *wb = container_of(to_delayed_work(work), struct bdi_writeback, dwork); long pages_written; + char dname[BDI_DEV_NAME_LEN]; - set_worker_desc("flush-%s", bdi_dev_name(wb->bdi)); + set_worker_desc("flush-%s", + bdi_get_dev_name(wb->bdi, dname, BDI_DEV_NAME_LEN)); current->flags |= PF_SWAPWRITE; if (likely(!current_is_workqueue_rescuer() || diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h index d94def25e4dc..4767a5ab5e36 100644 --- a/include/trace/events/writeback.h +++ b/include/trace/events/writeback.h @@ -66,9 +66,8 @@ DECLARE_EVENT_CLASS(writeback_page_template, ), TP_fast_assign( - strscpy_pad(__entry->name, - bdi_dev_name(mapping ? inode_to_bdi(mapping->host) : - NULL), 32); + bdi_get_dev_name(mapping ? inode_to_bdi(mapping->host) : NULL, + __entry->name, 32); __entry->ino = mapping ? mapping->host->i_ino : 0; __entry->index = page->index; ), @@ -111,7 +110,7 @@ DECLARE_EVENT_CLASS(writeback_dirty_inode_template, struct backing_dev_info *bdi = inode_to_bdi(inode); /* may be called for files on pseudo FSes w/ unregistered bdi */ - strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); + bdi_get_dev_name(bdi, __entry->name, 32); __entry->ino = inode->i_ino; __entry->state = inode->i_state; __entry->flags = flags; @@ -192,7 +191,7 @@ TRACE_EVENT(inode_foreign_history, ), TP_fast_assign( - strncpy(__entry->name, bdi_dev_name(inode_to_bdi(inode)), 32); + bdi_get_dev_name(inode_to_bdi(inode), __entry->name, 32); __entry->ino = inode->i_ino; __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc); __entry->history = history; @@ -221,7 +220,7 @@ TRACE_EVENT(inode_switch_wbs, ), TP_fast_assign( - strncpy(__entry->name, bdi_dev_name(old_wb->bdi), 32); + bdi_get_dev_name(old_wb->bdi, __entry->name, 32); __entry->ino = inode->i_ino; __entry->old_cgroup_ino = __trace_wb_assign_cgroup(old_wb); __entry->new_cgroup_ino = __trace_wb_assign_cgroup(new_wb); @@ -254,7 +253,7 @@ TRACE_EVENT(track_foreign_dirty, struct address_space *mapping = page_mapping(page); struct inode *inode = mapping ? mapping->host : NULL; - strncpy(__entry->name, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->name, 32); __entry->bdi_id = wb->bdi->id; __entry->ino = inode ? inode->i_ino : 0; __entry->memcg_id = wb->memcg_css->id; @@ -287,7 +286,7 @@ TRACE_EVENT(flush_foreign, ), TP_fast_assign( - strncpy(__entry->name, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->name, 32); __entry->cgroup_ino = __trace_wb_assign_cgroup(wb); __entry->frn_bdi_id = frn_bdi_id; __entry->frn_memcg_id = frn_memcg_id; @@ -316,8 +315,7 @@ DECLARE_EVENT_CLASS(writeback_write_inode_template, ), TP_fast_assign( - strscpy_pad(__entry->name, - bdi_dev_name(inode_to_bdi(inode)), 32); + bdi_get_dev_name(inode_to_bdi(inode), __entry->name, 32); __entry->ino = inode->i_ino; __entry->sync_mode = wbc->sync_mode; __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc); @@ -360,7 +358,7 @@ DECLARE_EVENT_CLASS(writeback_work_class, __field(ino_t, cgroup_ino) ), TP_fast_assign( - strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->name, 32); __entry->nr_pages = work->nr_pages; __entry->sb_dev = work->sb ? work->sb->s_dev : 0; __entry->sync_mode = work->sync_mode; @@ -413,7 +411,7 @@ DECLARE_EVENT_CLASS(writeback_class, __field(ino_t, cgroup_ino) ), TP_fast_assign( - strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->name, 32); __entry->cgroup_ino = __trace_wb_assign_cgroup(wb); ), TP_printk("bdi %s: cgroup_ino=%lu", @@ -435,7 +433,7 @@ TRACE_EVENT(writeback_bdi_register, __array(char, name, 32) ), TP_fast_assign( - strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); + bdi_get_dev_name(bdi, __entry->name, 32); ), TP_printk("bdi %s", __entry->name @@ -460,7 +458,7 @@ DECLARE_EVENT_CLASS(wbc_class, ), TP_fast_assign( - strscpy_pad(__entry->name, bdi_dev_name(bdi), 32); + bdi_get_dev_name(bdi, __entry->name, 32); __entry->nr_to_write = wbc->nr_to_write; __entry->pages_skipped = wbc->pages_skipped; __entry->sync_mode = wbc->sync_mode; @@ -511,7 +509,7 @@ TRACE_EVENT(writeback_queue_io, ), TP_fast_assign( unsigned long *older_than_this = work->older_than_this; - strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->name, 32); __entry->older = older_than_this ? *older_than_this : 0; __entry->age = older_than_this ? (jiffies - *older_than_this) * 1000 / HZ : -1; @@ -597,7 +595,7 @@ TRACE_EVENT(bdi_dirty_ratelimit, ), TP_fast_assign( - strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->bdi, 32); __entry->write_bw = KBps(wb->write_bandwidth); __entry->avg_write_bw = KBps(wb->avg_write_bandwidth); __entry->dirty_rate = KBps(dirty_rate); @@ -662,7 +660,7 @@ TRACE_EVENT(balance_dirty_pages, TP_fast_assign( unsigned long freerun = (thresh + bg_thresh) / 2; - strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32); + bdi_get_dev_name(wb->bdi, __entry->bdi, 32); __entry->limit = global_wb_domain.dirty_limit; __entry->setpoint = (global_wb_domain.dirty_limit + @@ -722,8 +720,7 @@ TRACE_EVENT(writeback_sb_inodes_requeue, ), TP_fast_assign( - strscpy_pad(__entry->name, - bdi_dev_name(inode_to_bdi(inode)), 32); + bdi_get_dev_name(inode_to_bdi(inode), __entry->name, 32); __entry->ino = inode->i_ino; __entry->state = inode->i_state; __entry->dirtied_when = inode->dirtied_when; @@ -796,8 +793,7 @@ DECLARE_EVENT_CLASS(writeback_single_inode_template, ), TP_fast_assign( - strscpy_pad(__entry->name, - bdi_dev_name(inode_to_bdi(inode)), 32); + bdi_get_dev_name(inode_to_bdi(inode), __entry->name, 32); __entry->ino = inode->i_ino; __entry->state = inode->i_state; __entry->dirtied_when = inode->dirtied_when; From patchwork Wed Mar 25 12:38:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457699 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 20FE115AB for ; Wed, 25 Mar 2020 12:40:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0AF0E207FF for ; Wed, 25 Mar 2020 12:40:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727313AbgCYMkM (ORCPT ); Wed, 25 Mar 2020 08:40:12 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:12128 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727279AbgCYMkM (ORCPT ); Wed, 25 Mar 2020 08:40:12 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 603F2F92AFD04B510924; Wed, 25 Mar 2020 20:40:09 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:08 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 5/6] blk-wbt: replace bdi_dev_name() with bdi_get_dev_name() Date: Wed, 25 Mar 2020 20:38:42 +0800 Message-ID: <20200325123843.47452-6-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org wb_timer_fn() can be called after bdi unregister. So, we get bdi device name by bdi_get_dev_name() to avoid use-after-free or null pointer deference for bdi->dev. Signed-off-by: Yufen Yu --- include/trace/events/wbt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/trace/events/wbt.h b/include/trace/events/wbt.h index 9996420d7ec4..3fbf15565962 100644 --- a/include/trace/events/wbt.h +++ b/include/trace/events/wbt.h @@ -33,7 +33,7 @@ TRACE_EVENT(wbt_stat, ), TP_fast_assign( - strlcpy(__entry->name, bdi_dev_name(bdi), + bdi_get_dev_name(bdi, __entry->name, ARRAY_SIZE(__entry->name)); __entry->rmean = stat[0].mean; __entry->rmin = stat[0].min; @@ -68,7 +68,7 @@ TRACE_EVENT(wbt_lat, ), TP_fast_assign( - strlcpy(__entry->name, bdi_dev_name(bdi), + bdi_get_dev_name(bdi, __entry->name, ARRAY_SIZE(__entry->name)); __entry->lat = div_u64(lat, 1000); ), @@ -105,7 +105,7 @@ TRACE_EVENT(wbt_step, ), TP_fast_assign( - strlcpy(__entry->name, bdi_dev_name(bdi), + bdi_get_dev_name(bdi, __entry->name, ARRAY_SIZE(__entry->name)); __entry->msg = msg; __entry->step = step; @@ -141,7 +141,7 @@ TRACE_EVENT(wbt_timer, ), TP_fast_assign( - strlcpy(__entry->name, bdi_dev_name(bdi), + bdi_get_dev_name(bdi, __entry->name, ARRAY_SIZE(__entry->name)); __entry->status = status; __entry->step = step; From patchwork Wed Mar 25 12:38:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yufen Yu X-Patchwork-Id: 11457709 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9E8A515AB for ; Wed, 25 Mar 2020 12:40:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7F9BA2077D for ; Wed, 25 Mar 2020 12:40:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727298AbgCYMkY (ORCPT ); Wed, 25 Mar 2020 08:40:24 -0400 Received: from szxga06-in.huawei.com ([45.249.212.32]:48034 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727290AbgCYMkX (ORCPT ); Wed, 25 Mar 2020 08:40:23 -0400 Received: from DGGEMS408-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 734B69D7FB448A74284C; Wed, 25 Mar 2020 20:40:14 +0800 (CST) Received: from huawei.com (10.175.124.28) by DGGEMS408-HUB.china.huawei.com (10.3.19.208) with Microsoft SMTP Server id 14.3.487.0; Wed, 25 Mar 2020 20:40:08 +0800 From: Yufen Yu To: , CC: , , , , , Subject: [PATCH v4 6/6] blkcg: fix use-after-free for bdi->dev Date: Wed, 25 Mar 2020 20:38:43 +0800 Message-ID: <20200325123843.47452-7-yuyufen@huawei.com> X-Mailer: git-send-email 2.17.2 In-Reply-To: <20200325123843.47452-1-yuyufen@huawei.com> References: <20200325123843.47452-1-yuyufen@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.175.124.28] X-CFilter-Loop: Reflected Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org __blkg_prfill_rwstat() tries to get the device name by 'bdi->dev', while the device and kobj->name has been freed by bdi_unregister(). Then, blkg_dev_name() will return an invalid name pointer, resulting in crash on string(). The race as following: CPU1 CPU2 blkg_print_stat_bytes __scsi_remove_device del_gendisk bdi_unregister put_device(bdi->dev) kfree(bdi->dev) __blkg_prfill_rwstat blkg_dev_name //use the freed bdi->dev dev_name(blkg->q->backing_dev_info->dev) bdi->dev = NULL After protecing "bdi->dev" with lock, we just need to use bdi_get_dev_name() to get device name. Then, the race can be fixed. Signed-off-by: Yufen Yu --- block/blk-cgroup-rwstat.c | 6 ++++-- block/blk-cgroup.c | 19 ++++++------------- block/blk-iocost.c | 14 ++++++++------ block/blk-iolatency.c | 5 +++-- block/blk-throttle.c | 6 ++++-- include/linux/blk-cgroup.h | 1 - 6 files changed, 25 insertions(+), 26 deletions(-) diff --git a/block/blk-cgroup-rwstat.c b/block/blk-cgroup-rwstat.c index 85d5790ac49b..2dc260802228 100644 --- a/block/blk-cgroup-rwstat.c +++ b/block/blk-cgroup-rwstat.c @@ -4,6 +4,7 @@ * Do not use in new code. */ #include "blk-cgroup-rwstat.h" +#include int blkg_rwstat_init(struct blkg_rwstat *rwstat, gfp_t gfp) { @@ -49,11 +50,12 @@ u64 __blkg_prfill_rwstat(struct seq_file *sf, struct blkg_policy_data *pd, [BLKG_RWSTAT_ASYNC] = "Async", [BLKG_RWSTAT_DISCARD] = "Discard", }; - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; u64 v; int i; - if (!dname) + if (!bdi_get_dev_name(pd->blkg->q->backing_dev_info, dname, + BDI_DEV_NAME_LEN)) return 0; for (i = 0; i < BLKG_RWSTAT_NR; i++) diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c index be92405c6547..a072ca6141ca 100644 --- a/block/blk-cgroup.c +++ b/block/blk-cgroup.c @@ -492,14 +492,6 @@ static int blkcg_reset_stats(struct cgroup_subsys_state *css, return 0; } -const char *blkg_dev_name(struct blkcg_gq *blkg) -{ - /* some drivers (floppy) instantiate a queue w/o disk registered */ - if (blkg->q->backing_dev_info->dev) - return bdi_dev_name(blkg->q->backing_dev_info); - return NULL; -} - /** * blkcg_print_blkgs - helper for printing per-blkg data * @sf: seq_file to print to @@ -551,9 +543,10 @@ EXPORT_SYMBOL_GPL(blkcg_print_blkgs); */ u64 __blkg_prfill_u64(struct seq_file *sf, struct blkg_policy_data *pd, u64 v) { - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; - if (!dname) + if (!bdi_get_dev_name(pd->blkg->q->backing_dev_info, dname, + BDI_DEV_NAME_LEN)) return 0; seq_printf(sf, "%s %llu\n", dname, (unsigned long long)v); @@ -749,7 +742,7 @@ static int blkcg_print_stat(struct seq_file *sf, void *v) hlist_for_each_entry_rcu(blkg, &blkcg->blkg_list, blkcg_node) { struct blkg_iostat_set *bis = &blkg->iostat; - const char *dname; + char dname[BDI_DEV_NAME_LEN]; char *buf; u64 rbytes, wbytes, rios, wios, dbytes, dios; size_t size = seq_get_buf(sf, &buf), off = 0; @@ -762,8 +755,8 @@ static int blkcg_print_stat(struct seq_file *sf, void *v) if (!blkg->online) goto skip; - dname = blkg_dev_name(blkg); - if (!dname) + if (!bdi_get_dev_name(blkg->q->backing_dev_info, dname, + BDI_DEV_NAME_LEN)) goto skip; /* diff --git a/block/blk-iocost.c b/block/blk-iocost.c index 9a599cc28c29..2ae69d475d60 100644 --- a/block/blk-iocost.c +++ b/block/blk-iocost.c @@ -2047,10 +2047,11 @@ static void ioc_pd_free(struct blkg_policy_data *pd) static u64 ioc_weight_prfill(struct seq_file *sf, struct blkg_policy_data *pd, int off) { - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; struct ioc_gq *iocg = pd_to_iocg(pd); - if (dname && iocg->cfg_weight) + if (bdi_get_dev_name(pd->blkg, dname, BDI_DEV_NAME_LEN) && + iocg->cfg_weight) seq_printf(sf, "%s %u\n", dname, iocg->cfg_weight); return 0; } @@ -2133,10 +2134,11 @@ static ssize_t ioc_weight_write(struct kernfs_open_file *of, char *buf, static u64 ioc_qos_prfill(struct seq_file *sf, struct blkg_policy_data *pd, int off) { - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; struct ioc *ioc = pd_to_iocg(pd)->ioc; - if (!dname) + if (!bdi_get_dev_name(pd->blkg->q->backing_dev_info, dname, + BDI_DEV_NAME_LEN)) return 0; seq_printf(sf, "%s enable=%d ctrl=%s rpct=%u.%02u rlat=%u wpct=%u.%02u wlat=%u min=%u.%02u max=%u.%02u\n", @@ -2304,11 +2306,11 @@ static ssize_t ioc_qos_write(struct kernfs_open_file *of, char *input, static u64 ioc_cost_model_prfill(struct seq_file *sf, struct blkg_policy_data *pd, int off) { - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; struct ioc *ioc = pd_to_iocg(pd)->ioc; u64 *u = ioc->params.i_lcoefs; - if (!dname) + if (!bdi_get_dev_name(pd->blkg, dname, BDI_DEV_NAME_LEN)) return 0; seq_printf(sf, "%s ctrl=%s model=linear " diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c index c128d50cb410..2ab49167aea1 100644 --- a/block/blk-iolatency.c +++ b/block/blk-iolatency.c @@ -868,9 +868,10 @@ static u64 iolatency_prfill_limit(struct seq_file *sf, struct blkg_policy_data *pd, int off) { struct iolatency_grp *iolat = pd_to_lat(pd); - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; - if (!dname || !iolat->min_lat_nsec) + if (!bdi_get_dev_name(pd->blkg, dname, BDI_DEV_NAME_LEN) + || !iolat->min_lat_nsec) return 0; seq_printf(sf, "%s target=%llu\n", dname, div_u64(iolat->min_lat_nsec, NSEC_PER_USEC)); diff --git a/block/blk-throttle.c b/block/blk-throttle.c index 98233c9c65a8..f77dc93d4e83 100644 --- a/block/blk-throttle.c +++ b/block/blk-throttle.c @@ -13,6 +13,7 @@ #include #include "blk.h" #include "blk-cgroup-rwstat.h" +#include /* Max dispatch from a group in 1 round */ static int throtl_grp_quantum = 8; @@ -1560,14 +1561,15 @@ static u64 tg_prfill_limit(struct seq_file *sf, struct blkg_policy_data *pd, int off) { struct throtl_grp *tg = pd_to_tg(pd); - const char *dname = blkg_dev_name(pd->blkg); + char dname[BDI_DEV_NAME_LEN]; char bufs[4][21] = { "max", "max", "max", "max" }; u64 bps_dft; unsigned int iops_dft; char idle_time[26] = ""; char latency_time[26] = ""; - if (!dname) + if (!bdi_get_dev_name(pd->blkg->q->backing_dev_info, dname, + BDI_DEV_NAME_LEN)) return 0; if (off == LIMIT_LOW) { diff --git a/include/linux/blk-cgroup.h b/include/linux/blk-cgroup.h index e4a6949fd171..384b3343d5f4 100644 --- a/include/linux/blk-cgroup.h +++ b/include/linux/blk-cgroup.h @@ -198,7 +198,6 @@ int blkcg_activate_policy(struct request_queue *q, void blkcg_deactivate_policy(struct request_queue *q, const struct blkcg_policy *pol); -const char *blkg_dev_name(struct blkcg_gq *blkg); void blkcg_print_blkgs(struct seq_file *sf, struct blkcg *blkcg, u64 (*prfill)(struct seq_file *, struct blkg_policy_data *, int),