From patchwork Mon Jun 8 17:01:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593717 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E521B912 for ; Mon, 8 Jun 2020 17:02:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CA85B2053B for ; Mon, 8 Jun 2020 17:02:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635720; bh=M3Y9qjq1IYVGWHeSUHNlJod1XBpYY7djWBt6/Vj9Qow=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1xlHEc9n6H/cvLtvSY2K1dB+9y+I0ytQHC0sPXBRW/KjkZbR7U5U3j1i+/zqI8rxE gmy3YOTI01vciR80fokBmQlmV41M1g5Psn29wpdrWicNIBjB4ZbPxTpuxY2G5hVMRe OcHgPbBW2CRAlJ9ZqIJaZBgeoIb+afJIgqHqxHfo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730731AbgFHRBm (ORCPT ); Mon, 8 Jun 2020 13:01:42 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:46234 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730712AbgFHRBd (ORCPT ); Mon, 8 Jun 2020 13:01:33 -0400 Received: by mail-pg1-f196.google.com with SMTP id p21so8985108pgm.13; Mon, 08 Jun 2020 10:01:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=IR8sE8tegFIZFEE9c+9scyuraOZnu4HrFVBH9bLfdFU=; b=ONKj/SgCOoavM5X1uVQKx0vtnaNkVXxBKTlx3qpecjraPrfkdUa/IDRa84Din9cKfo Lv892KVL4Na0XvwtVOrFZaUe1OgOaUf3wiBnRPJkEVDpU8It883mttR+ksSN5JIp8Vxo Y2lZHFooMNibcHusm0/uFrxVhZSVBgdCZqQZpiYaY/8ikG3O7s+sAGBhXOW8GfJmYKx7 ZKGtGJq42DCHCKUtWWa+qY+Xb/uWn8iwIMyoPG91QosVCdjFD2qw+bYmVrXMc9L5AVgQ xBEKGiCXc9slLG/U8d/G2QxQhIVHcCosqwaQrm6GOj2f2mssXF8CMbqMmDxSNzLYHLjM lcww== X-Gm-Message-State: AOAM532KDrpxccRx/9QM7VC5c8od4XxmZlIseDiyNh9HZkdv2nZhx4bE zdFqnVIQ6FDTh2MZLnLUlto= X-Google-Smtp-Source: ABdhPJxt2pD6W+zmvHH4/qZYFASujPCD7TMwgg/ner/gHNpT88Lk15hCgOpUe+6qMytW01UEwr4DCw== X-Received: by 2002:a63:7e5a:: with SMTP id o26mr21581596pgn.134.1591635692300; Mon, 08 Jun 2020 10:01:32 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id b140sm7542863pfb.119.2020.06.08.10.01.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:28 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id F0A7740945; Mon, 8 Jun 2020 17:01:27 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain , Christoph Hellwig Subject: [PATCH v6 1/6] block: add docs for gendisk / request_queue refcount helpers Date: Mon, 8 Jun 2020 17:01:21 +0000 Message-Id: <20200608170127.20419-2-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org This adds documentation for the gendisk / request_queue refcount helpers. Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Signed-off-by: Luis Chamberlain --- block/blk-core.c | 13 +++++++++++++ block/genhd.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 62 insertions(+), 1 deletion(-) diff --git a/block/blk-core.c b/block/blk-core.c index 62a4904db921..a0760aac110a 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -321,6 +321,13 @@ void blk_clear_pm_only(struct request_queue *q) } EXPORT_SYMBOL_GPL(blk_clear_pm_only); +/** + * blk_put_queue - decrement the request_queue refcount + * @q: the request_queue structure to decrement the refcount for + * + * Decrements the refcount of the request_queue kobject. When this reaches 0 + * we'll have blk_release_queue() called. + */ void blk_put_queue(struct request_queue *q) { kobject_put(&q->kobj); @@ -598,6 +605,12 @@ struct request_queue *blk_alloc_queue(make_request_fn make_request, int node_id) } EXPORT_SYMBOL(blk_alloc_queue); +/** + * blk_get_queue - increment the request_queue refcount + * @q: the request_queue structure to increment the refcount for + * + * Increment the refcount of the request_queue kobject. + */ bool blk_get_queue(struct request_queue *q) { if (likely(!blk_queue_dying(q))) { diff --git a/block/genhd.c b/block/genhd.c index 1a7659327664..f741613d731f 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -876,6 +876,20 @@ static void invalidate_partition(struct gendisk *disk, int partno) bdput(bdev); } +/** + * del_gendisk - remove the gendisk + * @disk: the struct gendisk to remove + * + * Removes the gendisk and all its associated resources. This deletes the + * partitions associated with the gendisk, and unregisters the associated + * request_queue. + * + * This is the counter to the respective __device_add_disk() call. + * + * The final removal of the struct gendisk happens when its refcount reaches 0 + * with put_disk(), which should be called after del_gendisk(), if + * __device_add_disk() was used. + */ void del_gendisk(struct gendisk *disk) { struct disk_part_iter piter; @@ -1514,6 +1528,23 @@ int disk_expand_part_tbl(struct gendisk *disk, int partno) return 0; } +/** + * disk_release - releases all allocated resources of the gendisk + * @dev: the device representing this disk + * + * This function releases all allocated resources of the gendisk. + * + * The struct gendisk refcount is incremented with get_gendisk() or + * get_disk_and_module(), and its refcount is decremented with + * put_disk_and_module() or put_disk(). Once the refcount reaches 0 this + * function is called. + * + * Drivers which used __device_add_disk() have a gendisk with a request_queue + * assigned. Since the request_queue sits on top of the gendisk for these + * drivers we also call blk_put_queue() for them, and we expect the + * request_queue refcount to reach 0 at this point, and so the request_queue + * will also be freed prior to the disk. + */ static void disk_release(struct device *dev) { struct gendisk *disk = dev_to_disk(dev); @@ -1727,6 +1758,13 @@ struct gendisk *__alloc_disk_node(int minors, int node_id) } EXPORT_SYMBOL(__alloc_disk_node); +/** + * get_disk_and_module - increments the gendisk and gendisk fops module refcount + * @disk: the struct gendisk to to increment the refcount for + * + * This increments the refcount for the struct gendisk, and the gendisk's + * fops module owner. + */ struct kobject *get_disk_and_module(struct gendisk *disk) { struct module *owner; @@ -1747,6 +1785,13 @@ struct kobject *get_disk_and_module(struct gendisk *disk) } EXPORT_SYMBOL(get_disk_and_module); +/** + * put_disk - decrements the gendisk refcount + * @disk: the struct gendisk to to decrement the refcount for + * + * This decrements the refcount for the struct gendisk. When this reaches 0 + * we'll have disk_release() called. + */ void put_disk(struct gendisk *disk) { if (disk) @@ -1754,7 +1799,10 @@ void put_disk(struct gendisk *disk) } EXPORT_SYMBOL(put_disk); -/* +/** + * put_disk_and_module - decrements the module and gendisk refcount + * @disk: the struct gendisk to to decrement the refcount for + * * This is a counterpart of get_disk_and_module() and thus also of * get_gendisk(). */ From patchwork Mon Jun 8 17:01:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593695 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0523592A for ; Mon, 8 Jun 2020 17:01:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DA09720774 for ; Mon, 8 Jun 2020 17:01:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635692; bh=ezmY6GG7N7R5TA87zG71AETUtzEOHo2C5MHAftMq7+Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=sRiZ1aTTfisFB+YBF1glHTfyW9xL4UoAtEEggRCHdbc+06cfkA6Lj52X5NA/cqSjQ mc60+uihSQFNC5OxBGoXKzZj7kcPD8MKu1BirC6KCtAa8835TqB3a+zbEO8wCPV2ps ut1eeHoiC8xTnZ02Z3W+nVe92ro2tW9SuUeLbq3U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730685AbgFHRBc (ORCPT ); Mon, 8 Jun 2020 13:01:32 -0400 Received: from mail-pj1-f65.google.com ([209.85.216.65]:54175 "EHLO mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730678AbgFHRBc (ORCPT ); Mon, 8 Jun 2020 13:01:32 -0400 Received: by mail-pj1-f65.google.com with SMTP id i12so91506pju.3; Mon, 08 Jun 2020 10:01:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ZlpRC/Mpz8aVWhkWOBV4KQndGPE3w8KEQwXgj5xVC8o=; b=aff/EbkvWJkPS7DAFZmAJ5iblzVnr3aahxzDr2JgvOKco/vu9ZDAd1nd8fEfSrQ9GS Jz7CNNnkkNjLM0eZMDDDjlOBcCB9oRipy0KgmNuPQ6CnowyXNRXdoLbiKyvsVl3FXhR0 OQh+Z4i1F18z+01GjsvV+dQkMHrzynbG9x4AAg8OBfImr71UTVAzJea1AzVTw1XLAVbp Z4jOyqD/YjRDEOWtEDtqaaiGJpwOYsS45j/ypRAt8DELTI0HPyVsH8bxHZo5tPElK9Pk iBugA1qKw2qqzGzAw5gV6j+U3r6y4gPImdMlss2BdMsEul/V0tKFQlLgd7jNwb6+SI+F n1Cw== X-Gm-Message-State: AOAM5332KUbHnPLw/5aA6Ovc5evenJOJcyV5LZhNYvug3Ieaq31lKPXB 6jZdIkRkTU98PYDKJTs9KUTMD/Nu5Ac= X-Google-Smtp-Source: ABdhPJwNsBvs+w+3hNLWX1L/WRF8FImqilYKhRJVhUwJyH1Y0WnlC6Bcs7lRahJkSJraRMBfGhoc7w== X-Received: by 2002:a17:902:eb13:: with SMTP id l19mr20105245plb.213.1591635691008; Mon, 08 Jun 2020 10:01:31 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id e124sm7619466pfh.140.2020.06.08.10.01.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:28 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 217B640B6C; Mon, 8 Jun 2020 17:01:28 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain , Christoph Hellwig Subject: [PATCH v6 2/6] block: clarify context for refcount increment helpers Date: Mon, 8 Jun 2020 17:01:22 +0000 Message-Id: <20200608170127.20419-3-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Let us clarify the context under which the helpers to increment the refcount for the gendisk and request_queue can be called under. We make this explicit on the places where we may sleep with might_sleep(). We don't address the decrement context yet, as that needs some extra work and fixes, but will be addressed in the next patch. Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Signed-off-by: Luis Chamberlain --- block/blk-core.c | 2 ++ block/genhd.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/block/blk-core.c b/block/blk-core.c index a0760aac110a..14c09daf55f3 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -610,6 +610,8 @@ EXPORT_SYMBOL(blk_alloc_queue); * @q: the request_queue structure to increment the refcount for * * Increment the refcount of the request_queue kobject. + * + * Context: Any context. */ bool blk_get_queue(struct request_queue *q) { diff --git a/block/genhd.c b/block/genhd.c index f741613d731f..1be86b1f43ec 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -985,11 +985,15 @@ static ssize_t disk_badblocks_store(struct device *dev, * * This function gets the structure containing partitioning * information for the given device @devt. + * + * Context: can sleep */ struct gendisk *get_gendisk(dev_t devt, int *partno) { struct gendisk *disk = NULL; + might_sleep(); + if (MAJOR(devt) != BLOCK_EXT_MAJOR) { struct kobject *kobj; @@ -1764,6 +1768,8 @@ EXPORT_SYMBOL(__alloc_disk_node); * * This increments the refcount for the struct gendisk, and the gendisk's * fops module owner. + * + * Context: Any context. */ struct kobject *get_disk_and_module(struct gendisk *disk) { From patchwork Mon Jun 8 17:01:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593721 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 78D0992A for ; Mon, 8 Jun 2020 17:02:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4E6FB2078C for ; Mon, 8 Jun 2020 17:02:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635722; bh=8RBttsTc5fxLDzf9UECZE+d7O/Cvr3uZJ1Udu55aNlk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=f2AWCsMo1adPqYCE5uTU5sSQRPXoCCZ3gb4cyOuy6lfFOLZAptCteQVZ65YcXVMyS w9XEkbn8s1Qd57/8hYtRAox7wz7t5X8EiLU7G72Dh+knnpkgzDY93/oFOjP/mQq7sP /tUn97dCuSRHnoavdFqZmxbTPnSS6pgpWu4Vwf10= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730669AbgFHRBi (ORCPT ); Mon, 8 Jun 2020 13:01:38 -0400 Received: from mail-pj1-f65.google.com ([209.85.216.65]:50706 "EHLO mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730680AbgFHRBh (ORCPT ); Mon, 8 Jun 2020 13:01:37 -0400 Received: by mail-pj1-f65.google.com with SMTP id jz3so97581pjb.0; Mon, 08 Jun 2020 10:01:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=czNjXU30rSIShN0VGIH9O9NmGY2Ep4u1wGzVMmo2EPc=; b=DbA4S180WBcETO1870qgiY1tA8q1M3IMQqo5c3oBAsG9KkRRwQUTOTfDDtxF4Ueqwk zZlbpWAekWrqDshBh6vNVqBL7zsJ6VH0bgdrEg+EbE1JqbTwTgm4CYTdp1iQCzBp7lrJ oJKnFIqvqbZGeDWu+dIxeJ758YRdiNghDs5dDwx6eYd0FBgWTr3e+7mQTB2d4TJ0zkTD HqycbOWXFEmTu1ba49qKNkEeTCsmm0RSe0cWwuIUb2+tsry3rMr802A3ln3R9zfENyA7 sKIyYlMbvLoAcRzYTeb/71V7V9iLlXNoYZMSN5BaVVYkAp37lI7pXP9AqTNqUt0lfCpf fQ3A== X-Gm-Message-State: AOAM531Z9U6NlQySENZXwpGHuS01mAdLkF/j7dcKeMKPLmjDCYj3qgRk 6ek/0Vv0mK2hUR9PG43uZTo= X-Google-Smtp-Source: ABdhPJyFWnizLnXRGDBsljYjqN67qm0DZiifB27mOcjtR4o0sSeP8FcBSncD65XYbTy97RXzjGWCKg== X-Received: by 2002:a17:902:7297:: with SMTP id d23mr4713106pll.35.1591635693722; Mon, 08 Jun 2020 10:01:33 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id l3sm6404738pgm.59.2020.06.08.10.01.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:31 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 4A77B41C23; Mon, 8 Jun 2020 17:01:28 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain , Omar Sandoval , Hannes Reinecke , Michal Hocko , Christoph Hellwig Subject: [PATCH v6 3/6] block: revert back to synchronous request_queue removal Date: Mon, 8 Jun 2020 17:01:23 +0000 Message-Id: <20200608170127.20419-4-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Commit dc9edc44de6c ("block: Fix a blk_exit_rl() regression") merged on v4.12 moved the work behind blk_release_queue() into a workqueue after a splat floated around which indicated some work on blk_release_queue() could sleep in blk_exit_rl(). This splat would be possible when a driver called blk_put_queue() or blk_cleanup_queue() (which calls blk_put_queue() as its final call) from an atomic context. blk_put_queue() decrements the refcount for the request_queue kobject, and upon reaching 0 blk_release_queue() is called. Although blk_exit_rl() is now removed through commit db6d9952356 ("block: remove request_list code") on v5.0, we reserve the right to be able to sleep within blk_release_queue() context. The last reference for the request_queue must not be called from atomic context. *When* the last reference to the request_queue reaches 0 varies, and so let's take the opportunity to document when that is expected to happen and also document the context of the related calls as best as possible so we can avoid future issues, and with the hopes that the synchronous request_queue removal sticks. We revert back to synchronous request_queue removal because asynchronous removal creates a regression with expected userspace interaction with several drivers. An example is when removing the loopback driver, one uses ioctls from userspace to do so, but upon return and if successful, one expects the device to be removed. Likewise if one races to add another device the new one may not be added as it is still being removed. This was expected behavior before and it now fails as the device is still present and busy still. Moving to asynchronous request_queue removal could have broken many scripts which relied on the removal to have been completed if there was no error. Document this expectation as well so that this doesn't regress userspace again. Using asynchronous request_queue removal however has helped us find other bugs. In the future we can test what could break with this arrangement by enabling CONFIG_DEBUG_KOBJECT_RELEASE. While at it, update the docs with the context expectations for the request_queue / gendisk refcount decrement, and make these expectations explicit by using might_sleep(). Cc: Bart Van Assche Cc: Omar Sandoval Cc: Hannes Reinecke Cc: Nicolai Stange Cc: Greg Kroah-Hartman Cc: Michal Hocko Cc: yu kuai Suggested-by: Nicolai Stange Fixes: dc9edc44de6c ("block: Fix a blk_exit_rl() regression") Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Signed-off-by: Luis Chamberlain Reviewed-by: Bart Van Assche --- block/blk-core.c | 8 ++++++++ block/blk-sysfs.c | 43 +++++++++++++++++++++--------------------- block/genhd.c | 17 +++++++++++++++++ include/linux/blkdev.h | 2 -- 4 files changed, 47 insertions(+), 23 deletions(-) diff --git a/block/blk-core.c b/block/blk-core.c index 14c09daf55f3..a5126c0be777 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -327,6 +327,9 @@ EXPORT_SYMBOL_GPL(blk_clear_pm_only); * * Decrements the refcount of the request_queue kobject. When this reaches 0 * we'll have blk_release_queue() called. + * + * Context: Any context, but the last reference must not be dropped from + * atomic context. */ void blk_put_queue(struct request_queue *q) { @@ -359,9 +362,14 @@ EXPORT_SYMBOL_GPL(blk_set_queue_dying); * * Mark @q DYING, drain all pending requests, mark @q DEAD, destroy and * put it. All future requests will be failed immediately with -ENODEV. + * + * Context: can sleep */ void blk_cleanup_queue(struct request_queue *q) { + /* cannot be called from atomic context */ + might_sleep(); + WARN_ON_ONCE(blk_queue_registered(q)); /* mark @q DYING, no new request or merges will be allowed afterwards */ diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index 02643e149d5e..561624d4cc4e 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -873,22 +873,32 @@ static void blk_exit_queue(struct request_queue *q) bdi_put(q->backing_dev_info); } - /** - * __blk_release_queue - release a request queue - * @work: pointer to the release_work member of the request queue to be released + * blk_release_queue - releases all allocated resources of the request_queue + * @kobj: pointer to a kobject, whose container is a request_queue + * + * This function releases all allocated resources of the request queue. + * + * The struct request_queue refcount is incremented with blk_get_queue() and + * decremented with blk_put_queue(). Once the refcount reaches 0 this function + * is called. + * + * For drivers that have a request_queue on a gendisk and added with + * __device_add_disk() the refcount to request_queue will reach 0 with + * the last put_disk() called by the driver. For drivers which don't use + * __device_add_disk() this happens with blk_cleanup_queue(). * - * Description: - * This function is called when a block device is being unregistered. The - * process of releasing a request queue starts with blk_cleanup_queue, which - * set the appropriate flags and then calls blk_put_queue, that decrements - * the reference counter of the request queue. Once the reference counter - * of the request queue reaches zero, blk_release_queue is called to release - * all allocated resources of the request queue. + * Drivers exist which depend on the release of the request_queue to be + * synchronous, it should not be deferred. + * + * Context: can sleep */ -static void __blk_release_queue(struct work_struct *work) +static void blk_release_queue(struct kobject *kobj) { - struct request_queue *q = container_of(work, typeof(*q), release_work); + struct request_queue *q = + container_of(kobj, struct request_queue, kobj); + + might_sleep(); if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags)) blk_stat_remove_callback(q, q->poll_cb); @@ -917,15 +927,6 @@ static void __blk_release_queue(struct work_struct *work) call_rcu(&q->rcu_head, blk_free_queue_rcu); } -static void blk_release_queue(struct kobject *kobj) -{ - struct request_queue *q = - container_of(kobj, struct request_queue, kobj); - - INIT_WORK(&q->release_work, __blk_release_queue); - schedule_work(&q->release_work); -} - static const struct sysfs_ops queue_sysfs_ops = { .show = queue_attr_show, .store = queue_attr_store, diff --git a/block/genhd.c b/block/genhd.c index 1be86b1f43ec..60ae4e1b4d38 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -889,12 +889,19 @@ static void invalidate_partition(struct gendisk *disk, int partno) * The final removal of the struct gendisk happens when its refcount reaches 0 * with put_disk(), which should be called after del_gendisk(), if * __device_add_disk() was used. + * + * Drivers exist which depend on the release of the gendisk to be synchronous, + * it should not be deferred. + * + * Context: can sleep */ void del_gendisk(struct gendisk *disk) { struct disk_part_iter piter; struct hd_struct *part; + might_sleep(); + blk_integrity_del(disk); disk_del_events(disk); @@ -1548,11 +1555,15 @@ int disk_expand_part_tbl(struct gendisk *disk, int partno) * drivers we also call blk_put_queue() for them, and we expect the * request_queue refcount to reach 0 at this point, and so the request_queue * will also be freed prior to the disk. + * + * Context: can sleep */ static void disk_release(struct device *dev) { struct gendisk *disk = dev_to_disk(dev); + might_sleep(); + blk_free_devt(dev->devt); disk_release_events(disk); kfree(disk->random); @@ -1797,6 +1808,9 @@ EXPORT_SYMBOL(get_disk_and_module); * * This decrements the refcount for the struct gendisk. When this reaches 0 * we'll have disk_release() called. + * + * Context: Any context, but the last reference must not be dropped from + * atomic context. */ void put_disk(struct gendisk *disk) { @@ -1811,6 +1825,9 @@ EXPORT_SYMBOL(put_disk); * * This is a counterpart of get_disk_and_module() and thus also of * get_gendisk(). + * + * Context: Any context, but the last reference must not be dropped from + * atomic context. */ void put_disk_and_module(struct gendisk *disk) { diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index 27887bf36d50..2462b78c1013 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -584,8 +584,6 @@ struct request_queue { size_t cmd_size; - struct work_struct release_work; - #define BLK_MAX_WRITE_HINTS 5 u64 write_hints[BLK_MAX_WRITE_HINTS]; }; From patchwork Mon Jun 8 17:01:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593705 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3EFFB14E3 for ; Mon, 8 Jun 2020 17:01:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1B4BE2053B for ; Mon, 8 Jun 2020 17:01:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635705; bh=JIvSaQCuTivG77Ol+r11lGBAkb1PDMgs80TnxNHRlsw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=udODUlYWhDl6TTVR7cCpblFim/BOM8PaRFCEmXhlYrBUzj5UHVgRITSnROB4fxyqv X9HGUN5L8TI3pdcEDgqn+t5lF3AKGB/z51ZnazGoVk/jnEOcQmVvTzkXHhjtRXo+tT /IXeHuUkFrR28Cv2uYIqsJ9U1pzZ/LVKhWlwenM0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730728AbgFHRBk (ORCPT ); Mon, 8 Jun 2020 13:01:40 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:34075 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730723AbgFHRBh (ORCPT ); Mon, 8 Jun 2020 13:01:37 -0400 Received: by mail-pf1-f195.google.com with SMTP id z64so8815044pfb.1; Mon, 08 Jun 2020 10:01:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jH2CPsvsaNzRGDf+QoUv0Reklj4c8N9GM5jBSfoalww=; b=tsevuJV1Iihvy23O3EFYlzKUbVXwb4QEf7Ll3n9XuTNx0NcZXjhBhe13laHD9TIUXG d8UH92DdmnrlmalNeHw/dd5TBYgFFU7PlHt5C/4Lpddl8yE/o8/B4qktqd7gU9ZHHyzd Iu2rFcnaZkHufwgiE0uRlWseXVW7NCUPuM95GLHTT5dcZ+ifGsLU6UZfYCwokWbOeFOu c8WZoi6YeZyGxE6woJSKHmhd6uRE2VfDeuPFIhMirEHILLuIq3Rke7okFLbxPi8Wtz+4 NctwLkQeVG1YuyDJNBJaH6hgXEtAuJKUIZpXZVW8O2wOld/3hhA9ocDXUPjaG3gpfSjH KRjQ== X-Gm-Message-State: AOAM532ygqbZtZhG75G7gCPRc3yIHzTGV/kRabr2AATCCKzNsbNxtrlh Guh0eK0nLgX4fWke6YjtP9sfp92hbZE= X-Google-Smtp-Source: ABdhPJwwBujS3U9PCsomBnrxJDGD76z2zyRa1W/F///y1VSt1LrxETfDgpsHrdXoXXBTG59fZ8Mfyg== X-Received: by 2002:a63:6345:: with SMTP id x66mr20466636pgb.156.1591635694775; Mon, 08 Jun 2020 10:01:34 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id x197sm7671771pfc.13.2020.06.08.10.01.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:32 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 6DF0E41D95; Mon, 8 Jun 2020 17:01:28 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain Subject: [PATCH v6 4/6] blktrace: annotate required lock on do_blk_trace_setup() Date: Mon, 8 Jun 2020 17:01:24 +0000 Message-Id: <20200608170127.20419-5-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Ensure it is clear which lock is required on do_blk_trace_setup(). Suggested-by: Bart Van Assche Signed-off-by: Luis Chamberlain Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche --- kernel/trace/blktrace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index 7f60029bdaff..7ff2ea5cd05e 100644 --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -483,6 +483,8 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, struct dentry *dir = NULL; int ret; + lockdep_assert_held(&q->blk_trace_mutex); + if (!buts->buf_size || !buts->buf_nr) return -EINVAL; From patchwork Mon Jun 8 17:01:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593729 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1CC3F92A for ; Mon, 8 Jun 2020 17:02:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EBDC920810 for ; Mon, 8 Jun 2020 17:02:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635739; bh=GFDS5ZeXJWKepPtGtYd1p8VC4NzatXMF4WFN56n95Xc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=xqFw7Ta+HSgtVJRQ18agwA3oZsbIXsyvY4JmANN2gDf0h6guaOoS+oCykAPQWQcV/ 3au0qabkdmG6f+RAYeGo6k1lts69OR3oeLhWmf61mFeaqEfj9WR4j0V2BpzHU4u+N0 oyPA4mOPBW5wj7Q1qxkVXuAq6sDJARrb2RjqEPj8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387504AbgFHRCC (ORCPT ); Mon, 8 Jun 2020 13:02:02 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:33115 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730726AbgFHRBj (ORCPT ); Mon, 8 Jun 2020 13:01:39 -0400 Received: by mail-pf1-f196.google.com with SMTP id b201so8822009pfb.0; Mon, 08 Jun 2020 10:01:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=f88bEORI++QIsnJdKm2ca64CmhxGUzC3g+SSrwClYUg=; b=fFY9lOlx1tsbi3CWNCs5HITSv6HGFSS6uQzU2SDIeXdrSs9JSC0cGIGAUKMcznY3uM ZXLpFFlhw+Tjvs56UTnnFK1JykEDSVXDQ3MatEDJ7aTGn7GljYVGtOrNgJxZARHZVi3O dWCa5bI8l/IHKozet5oo9FqZB8sF3hUX650r5yRvyHFRfXknw2SX9WARPjMDiq1RuGfX TsiwrJe1qPx1/J0S9yp7gygBdcZCrPoU2OC71PBpE/ZLWLC91o7/kreIhHwxjzW8aV/0 JggYnb4B1GohPdV8pa0ONRUTBAMrED/pgubAQfp34+SRtJkLgYM43VCWuKmWLA4/RKmO YNUw== X-Gm-Message-State: AOAM5320Ph1jDP87dX0Cxdx510UX79yeV9sGxJ/uASUotrxq8vIe/Maj 1Jf9Dzv1nAt3p/MZtAg8BR4= X-Google-Smtp-Source: ABdhPJwmTcpNrr37VElfNpqehHSBvOJFHFFfHrHovcAKxDpg8BeyMYMNILKDT4r2RmVxa1x2U8XKog== X-Received: by 2002:a63:f14a:: with SMTP id o10mr21710759pgk.216.1591635696982; Mon, 08 Jun 2020 10:01:36 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id iq3sm103489pjb.6.2020.06.08.10.01.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:32 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 9045A41DD1; Mon, 8 Jun 2020 17:01:28 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain , Christoph Hellwig Subject: [PATCH v6 5/6] loop: be paranoid on exit and prevent new additions / removals Date: Mon, 8 Jun 2020 17:01:25 +0000 Message-Id: <20200608170127.20419-6-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org Be pedantic on removal as well and hold the mutex. This should prevent uses of addition while we exit. Reviewed-by: Ming Lei Reviewed-by: Christoph Hellwig Signed-off-by: Luis Chamberlain --- drivers/block/loop.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index c33bbbfd1bd9..d55e1b52f076 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -2402,6 +2402,8 @@ static void __exit loop_exit(void) range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; + mutex_lock(&loop_ctl_mutex); + idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); idr_destroy(&loop_index_idr); @@ -2409,6 +2411,8 @@ static void __exit loop_exit(void) unregister_blkdev(LOOP_MAJOR, "loop"); misc_deregister(&loop_misc); + + mutex_unlock(&loop_ctl_mutex); } module_init(loop_init); From patchwork Mon Jun 8 17:01:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Chamberlain X-Patchwork-Id: 11593725 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 43EE614E3 for ; Mon, 8 Jun 2020 17:02:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 08DD3207ED for ; Mon, 8 Jun 2020 17:02:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591635737; bh=riOug4JqBCzg4SIwDrrh/+uov/0WrLZQk46xLBs1wII=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=LJkzFJd/P+er3kSTA7QW2bnIyAZu6egI4yl82x7NP8QY3gwNYklS241/dXfe0sFON oS6i/llrSaZ6I5edDH2QdnZWq+uveHcMUgtCwRIf7KV0YdS3806Vq9mXlxkXSpfv7U X5EdJoi6uQksp9Y3MEfx54xvQQj6SH/SrAx9lRPs= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387507AbgFHRCC (ORCPT ); Mon, 8 Jun 2020 13:02:02 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:44299 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730718AbgFHRBh (ORCPT ); Mon, 8 Jun 2020 13:01:37 -0400 Received: by mail-pf1-f195.google.com with SMTP id 64so1943873pfv.11; Mon, 08 Jun 2020 10:01:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BXDjJ7y4kAjAoIq3NLlxxshI3+WsFhQehQeoJndvSbs=; b=JzVnlonyT0FArGJQCFXXWEae1WUGpHZ7IPlixp+1Nq6MHe+Ne7jUPmZUN8EvrB5lmy kC9Ub1g+J6iiqgop/YLKtjFcX55BnZDJdXWsb1Cjqy+QNvVt7yyKwAUw/iOYpZHS3D22 Pz90zZdAgEid95bOguZjuycMMPIu3jcn79jqKfSinFJvtAhL2FoJLOHEfD21AIxNIQZe ZpDU13HA4TowkF5KWxjDHln7AAbYUS/uY0Kevf+MHSyPSMnciqeVyViEhTPiyeGR57Gk 1yEQ79jtm2oTJTZpd4FXKyzfKC4Nwt+gQPbevkOlzmnUDYwghZwtNwMeCXCN/DVUrZOz rDdQ== X-Gm-Message-State: AOAM530J+jxTMDjxesV4PpXNrTBtEB20/Iz1mvKE0L4wARaZBNawoIfg Vy0L2dGqPkJnIRgkxEcCOvg= X-Google-Smtp-Source: ABdhPJyeyDj9bMXdFW6Wd7IBC8nhDpsWhwG/SrlFg5KFMRn5bFXdjmvtvwKdt0w3nZVOHHQtnLodvQ== X-Received: by 2002:a65:52cd:: with SMTP id z13mr20816774pgp.259.1591635695752; Mon, 08 Jun 2020 10:01:35 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id j16sm7443498pfa.179.2020.06.08.10.01.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jun 2020 10:01:32 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id C260C422E5; Mon, 8 Jun 2020 17:01:28 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, martin.petersen@oracle.com, jejb@linux.ibm.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain , Omar Sandoval , Hannes Reinecke , Michal Hocko , syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com Subject: [PATCH v6 6/6] blktrace: fix debugfs use after free Date: Mon, 8 Jun 2020 17:01:26 +0000 Message-Id: <20200608170127.20419-7-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 In-Reply-To: <20200608170127.20419-1-mcgrof@kernel.org> References: <20200608170127.20419-1-mcgrof@kernel.org> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory") merged on v4.12 Omar fixed the original blktrace code for request-based drivers (multiqueue). This however left in place a possible crash, if you happen to abuse blktrace while racing to remove / add a device. We used to use asynchronous removal of the request_queue, and with that the issue was easier to reproduce. Now that we have reverted to synchronous removal of the request_queue, the issue is still possible to reproduce, its however just a bit more difficult. We essentially run two instances of break-blktrace which add/remove a loop device, and setup a blktrace and just never tear the blktrace down. We do this twice in parallel. This is easily reproduced with the script run_0004.sh from break-blktrace [0]. We can end up with two types of panics each reflecting where we race, one a failed blktrace setup: [ 252.426751] debugfs: Directory 'loop0' with parent 'block' already present! [ 252.432265] BUG: kernel NULL pointer dereference, address: 00000000000000a0 [ 252.436592] #PF: supervisor write access in kernel mode [ 252.439822] #PF: error_code(0x0002) - not-present page [ 252.442967] PGD 0 P4D 0 [ 252.444656] Oops: 0002 [#1] SMP NOPTI [ 252.446972] CPU: 10 PID: 1153 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 [ 252.452673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 [ 252.456343] RIP: 0010:down_write+0x15/0x40 [ 252.458146] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 00 00 48 0f b1 55 00 75 0f 48 8b 04 25 c0 8b 01 00 48 89 45 08 5d [ 252.463638] RSP: 0018:ffffa626415abcc8 EFLAGS: 00010246 [ 252.464950] RAX: 0000000000000000 RBX: ffff958c25f0f5c0 RCX: ffffff8100000000 [ 252.466727] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 [ 252.468482] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000001 [ 252.470014] R10: 0000000000000000 R11: ffff958d1f9227ff R12: 0000000000000000 [ 252.471473] R13: ffff958c25ea5380 R14: ffffffff8cce15f1 R15: 00000000000000a0 [ 252.473346] FS: 00007f2e69dee540(0000) GS:ffff958c2fc80000(0000) knlGS:0000000000000000 [ 252.475225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 252.476267] CR2: 00000000000000a0 CR3: 0000000427d10004 CR4: 0000000000360ee0 [ 252.477526] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 252.478776] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 252.479866] Call Trace: [ 252.480322] simple_recursive_removal+0x4e/0x2e0 [ 252.481078] ? debugfs_remove+0x60/0x60 [ 252.481725] ? relay_destroy_buf+0x77/0xb0 [ 252.482662] debugfs_remove+0x40/0x60 [ 252.483518] blk_remove_buf_file_callback+0x5/0x10 [ 252.484328] relay_close_buf+0x2e/0x60 [ 252.484930] relay_open+0x1ce/0x2c0 [ 252.485520] do_blk_trace_setup+0x14f/0x2b0 [ 252.486187] __blk_trace_setup+0x54/0xb0 [ 252.486803] blk_trace_ioctl+0x90/0x140 [ 252.487423] ? do_sys_openat2+0x1ab/0x2d0 [ 252.488053] blkdev_ioctl+0x4d/0x260 [ 252.488636] block_ioctl+0x39/0x40 [ 252.489139] ksys_ioctl+0x87/0xc0 [ 252.489675] __x64_sys_ioctl+0x16/0x20 [ 252.490380] do_syscall_64+0x52/0x180 [ 252.491032] entry_SYSCALL_64_after_hwframe+0x44/0xa9 And the other on the device removal: [ 128.528940] debugfs: Directory 'loop0' with parent 'block' already present! [ 128.615325] BUG: kernel NULL pointer dereference, address: 00000000000000a0 [ 128.619537] #PF: supervisor write access in kernel mode [ 128.622700] #PF: error_code(0x0002) - not-present page [ 128.625842] PGD 0 P4D 0 [ 128.627585] Oops: 0002 [#1] SMP NOPTI [ 128.629871] CPU: 12 PID: 544 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 [ 128.635595] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 [ 128.640471] RIP: 0010:down_write+0x15/0x40 [ 128.643041] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 00 00 48 0f b1 55 00 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 45 08 5d [ 128.650180] RSP: 0018:ffffa9c3c05ebd78 EFLAGS: 00010246 [ 128.651820] RAX: 0000000000000000 RBX: ffff8ae9a6370240 RCX: ffffff8100000000 [ 128.653942] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 [ 128.655720] RBP: 00000000000000a0 R08: 0000000000000002 R09: ffff8ae9afd2d3d0 [ 128.657400] R10: 0000000000000056 R11: 0000000000000000 R12: 0000000000000000 [ 128.659099] R13: 0000000000000000 R14: 0000000000000003 R15: 00000000000000a0 [ 128.660500] FS: 00007febfd995540(0000) GS:ffff8ae9afd00000(0000) knlGS:0000000000000000 [ 128.662204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 128.663426] CR2: 00000000000000a0 CR3: 0000000420042003 CR4: 0000000000360ee0 [ 128.664776] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 128.666022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 128.667282] Call Trace: [ 128.667801] simple_recursive_removal+0x4e/0x2e0 [ 128.668663] ? debugfs_remove+0x60/0x60 [ 128.669368] debugfs_remove+0x40/0x60 [ 128.669985] blk_trace_free+0xd/0x50 [ 128.670593] __blk_trace_remove+0x27/0x40 [ 128.671274] blk_trace_shutdown+0x30/0x40 [ 128.671935] blk_release_queue+0x95/0xf0 [ 128.672589] kobject_put+0xa5/0x1b0 [ 128.673188] disk_release+0xa2/0xc0 [ 128.673786] device_release+0x28/0x80 [ 128.674376] kobject_put+0xa5/0x1b0 [ 128.674915] loop_remove+0x39/0x50 [loop] [ 128.675511] loop_control_ioctl+0x113/0x130 [loop] [ 128.676199] ksys_ioctl+0x87/0xc0 [ 128.676708] __x64_sys_ioctl+0x16/0x20 [ 128.677274] do_syscall_64+0x52/0x180 [ 128.677823] entry_SYSCALL_64_after_hwframe+0x44/0xa9 The common theme here is: debugfs: Directory 'loop0' with parent 'block' already present This crash happens because of how blktrace uses the debugfs directory where it places its files. Upon init we always create the same directory which would be needed by blktrace but we only do this for make_request drivers (multiqueue) block drivers, but never for request-based block drivers. Furthermore, that directory is only created on init for the entire disk. This means that if you use blktrace on a partition, we'll always be creating a new directory regardless of whether or not you are doing blktrace on a make_request driver (multiqueue) or a request-based block drivers. These directory creations are only associated with a path, and so when a debugfs_remove() is called it removes everything in its way. A device removal will remove all blktrace files, and so if a blktrace is still present a cleanup of blktrace files later will end up trying to remove dentries pointing to NULL. We can fix the UAF by using a debugfs directory which moving forward will always be accessible if debugfs is enabled for both make_request drivers (multiqueue) and request-based block drivers, *and* for all partitions upon creation. This ensures that removal of the directories only happens on device removal and removes the race of the files underneath an active blktrace. We special-case a solution for scsi-generic as well which got blktrace support added by Christof via commit 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices") so upstream since v2.6.25. scsi-generic drives use a character device, however behind the scenes we have a scsi device with a request_queue. How this is used varies by class of driver (TYPE_DISK, TYPE_TAPE, etc). We simply create its a scsi-generic dedicated debugfs_dir and have blktrace use that when this interface is used. This goes tested with: o nvme partitions o ISCSI with tgt, and blktracing against scsi-generic with: o block o tape o cdrom o media changer o blktests This patch is part of the work which disputes the severity of CVE-2019-19770 which shows this issue is not a core debugfs issue, but a misuse of debugfs within blktace. Cc: Bart Van Assche Cc: Omar Sandoval Cc: Hannes Reinecke Cc: Nicolai Stange Cc: Greg Kroah-Hartman Cc: Michal Hocko Cc: "Martin K. Petersen" Cc: "James E.J. Bottomley" Cc: yu kuai Reported-by: syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com Fixes: 6ac93117ab00 ("blktrace: use existing disk debugfs directory") Signed-off-by: Luis Chamberlain --- block/blk-core.c | 4 --- block/blk-mq-debugfs.c | 5 ---- block/blk-sysfs.c | 40 +++++++++++++++++++++++++++ block/blk.h | 2 -- block/partitions/core.c | 3 ++ drivers/scsi/sg.c | 3 ++ include/linux/blkdev.h | 4 ++- include/linux/blktrace_api.h | 1 - include/linux/genhd.h | 1 + kernel/trace/blktrace.c | 53 ++++++++++++++++++++++++++++-------- 10 files changed, 91 insertions(+), 25 deletions(-) diff --git a/block/blk-core.c b/block/blk-core.c index a5126c0be777..fd850bebdf18 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -51,9 +51,7 @@ #include "blk-pm.h" #include "blk-rq-qos.h" -#ifdef CONFIG_DEBUG_FS struct dentry *blk_debugfs_root; -#endif EXPORT_TRACEPOINT_SYMBOL_GPL(block_bio_remap); EXPORT_TRACEPOINT_SYMBOL_GPL(block_rq_remap); @@ -1937,9 +1935,7 @@ int __init blk_dev_init(void) blk_requestq_cachep = kmem_cache_create("request_queue", sizeof(struct request_queue), 0, SLAB_PANIC, NULL); -#ifdef CONFIG_DEBUG_FS blk_debugfs_root = debugfs_create_dir("block", NULL); -#endif return 0; } diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c index 15df3a36e9fa..a2800bc56fb4 100644 --- a/block/blk-mq-debugfs.c +++ b/block/blk-mq-debugfs.c @@ -824,9 +824,6 @@ void blk_mq_debugfs_register(struct request_queue *q) struct blk_mq_hw_ctx *hctx; int i; - q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent), - blk_debugfs_root); - debugfs_create_files(q->debugfs_dir, q, blk_mq_debugfs_queue_attrs); /* @@ -857,9 +854,7 @@ void blk_mq_debugfs_register(struct request_queue *q) void blk_mq_debugfs_unregister(struct request_queue *q) { - debugfs_remove_recursive(q->debugfs_dir); q->sched_debugfs_dir = NULL; - q->debugfs_dir = NULL; } static void blk_mq_debugfs_register_ctx(struct blk_mq_hw_ctx *hctx, diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index 561624d4cc4e..70168435f079 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "blk.h" #include "blk-mq.h" @@ -918,6 +919,9 @@ static void blk_release_queue(struct kobject *kobj) blk_trace_shutdown(q); + debugfs_remove_recursive(q->debugfs_dir); + if (IS_ENABLED(CONFIG_CHR_DEV_SG)) + debugfs_remove_recursive(q->sg_debugfs_dir); if (queue_is_mq(q)) blk_mq_debugfs_unregister(q); @@ -937,6 +941,20 @@ struct kobj_type blk_queue_ktype = { .release = blk_release_queue, }; +/** + * blk_sg_debugfs_init - initialize debugfs for scsi-generic + * @q: the associated queue + * @name: name of the scsi-generic device + * + * To be used by scsi-generic for allowing it to use blktrace. + */ +void blk_sg_debugfs_init(struct request_queue *q, const char *name) +{ + if (IS_ENABLED(CONFIG_CHR_DEV_SG)) + q->sg_debugfs_dir = debugfs_create_dir(name, blk_debugfs_root); +} +EXPORT_SYMBOL_GPL(blk_sg_debugfs_init); + /** * blk_register_queue - register a block layer queue with sysfs * @disk: Disk of which the request queue should be registered with sysfs. @@ -989,6 +1007,28 @@ int blk_register_queue(struct gendisk *disk) goto unlock; } + /* + * Blktrace needs a debugfs name even for queues that don't register + * a gendisk, so it lazily registers the debugfs directory. But that + * can get us into a situation where a SCSI device is found, with no + * driver for it (yet). Then blktrace is used on the device, creating + * the debugfs directory, and only after that a driver is loaded. In + * that case we might already have a debugfs directory registered here. + * Even worse we could be racing with blktrace to register it. + */ +#ifdef CONFIG_BLK_DEV_IO_TRACE + mutex_lock(&q->blk_trace_mutex); + if (!q->debugfs_dir) { + q->debugfs_dir = + debugfs_create_dir(kobject_name(q->kobj.parent), + blk_debugfs_root); + } + mutex_unlock(&q->blk_trace_mutex); +#else + q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent), + blk_debugfs_root); +#endif + if (queue_is_mq(q)) { __blk_mq_register_dev(dev, q); blk_mq_debugfs_register(q); diff --git a/block/blk.h b/block/blk.h index b5d1f0fc6547..499308c6ab3b 100644 --- a/block/blk.h +++ b/block/blk.h @@ -14,9 +14,7 @@ /* Max future timer expiry for timeouts */ #define BLK_MAX_TIMEOUT (5 * HZ) -#ifdef CONFIG_DEBUG_FS extern struct dentry *blk_debugfs_root; -#endif struct blk_flush_queue { unsigned int flush_pending_idx:1; diff --git a/block/partitions/core.c b/block/partitions/core.c index 78951e33b2d7..8387128364f1 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "check.h" static int (*check_part[])(struct parsed_partitions *) = { @@ -322,6 +323,7 @@ void delete_partition(struct gendisk *disk, struct hd_struct *part) get_device(disk_to_dev(part_to_disk(part))); rcu_assign_pointer(ptbl->part[part->partno], NULL); kobject_put(part->holder_dir); + debugfs_remove_recursive(part->debugfs_dir); device_del(part_to_dev(part)); /* @@ -444,6 +446,7 @@ static struct hd_struct *add_partition(struct gendisk *disk, int partno, if (!p->holder_dir) goto out_del; + p->debugfs_dir = debugfs_create_dir(dev_name(pdev), blk_debugfs_root); dev_set_uevent_suppress(pdev, 0); if (flags & ADDPART_FLAG_WHOLEDISK) { err = device_create_file(pdev, &dev_attr_whole_disk); diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 20472aaaf630..5f6ccf4ba4d9 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1117,6 +1117,9 @@ sg_ioctl_common(struct file *filp, Sg_device *sdp, Sg_fd *sfp, return put_user(max_sectors_bytes(sdp->device->request_queue), ip); case BLKTRACESETUP: + if (!sdp->device->request_queue->sg_debugfs_dir) + blk_sg_debugfs_init(sdp->device->request_queue, + sdp->disk->disk_name); return blk_trace_setup(sdp->device->request_queue, sdp->disk->disk_name, MKDEV(SCSI_GENERIC_MAJOR, sdp->index), diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index 2462b78c1013..afc43c8923c5 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -574,8 +574,9 @@ struct request_queue { struct list_head tag_set_list; struct bio_set bio_split; -#ifdef CONFIG_BLK_DEBUG_FS struct dentry *debugfs_dir; + struct dentry *sg_debugfs_dir; +#ifdef CONFIG_BLK_DEBUG_FS struct dentry *sched_debugfs_dir; struct dentry *rqos_debugfs_dir; #endif @@ -858,6 +859,7 @@ static inline void rq_flush_dcache_pages(struct request *rq) extern int blk_register_queue(struct gendisk *disk); extern void blk_unregister_queue(struct gendisk *disk); +extern void blk_sg_debugfs_init(struct request_queue *q, const char *name); extern blk_qc_t generic_make_request(struct bio *bio); extern blk_qc_t direct_make_request(struct bio *bio); extern void blk_rq_init(struct request_queue *q, struct request *rq); diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h index 3b6ff5902edc..eb6db276e293 100644 --- a/include/linux/blktrace_api.h +++ b/include/linux/blktrace_api.h @@ -22,7 +22,6 @@ struct blk_trace { u64 end_lba; u32 pid; u32 dev; - struct dentry *dir; struct dentry *dropped_file; struct dentry *msg_file; struct list_head running_list; diff --git a/include/linux/genhd.h b/include/linux/genhd.h index 392aad5e29a2..902e50808bd9 100644 --- a/include/linux/genhd.h +++ b/include/linux/genhd.h @@ -76,6 +76,7 @@ struct hd_struct { int make_it_fail; #endif struct rcu_work rcu_work; + struct dentry *debugfs_dir; }; /** diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index 7ff2ea5cd05e..4690d70e16a4 100644 --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -314,7 +314,6 @@ static void blk_trace_free(struct blk_trace *bt) debugfs_remove(bt->msg_file); debugfs_remove(bt->dropped_file); relay_close(bt->rchan); - debugfs_remove(bt->dir); free_percpu(bt->sequence); free_percpu(bt->msg_data); kfree(bt); @@ -488,9 +487,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, if (!buts->buf_size || !buts->buf_nr) return -EINVAL; - if (!blk_debugfs_root) - return -ENOENT; - strncpy(buts->name, name, BLKTRACE_BDEV_SIZE); buts->name[BLKTRACE_BDEV_SIZE - 1] = '\0'; @@ -511,6 +507,47 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, return -EBUSY; } + /* + * We have to use a partition directory if a partition is being worked + * on. The same request_queue is shared between all partitions. + */ + if (bdev && bdev != bdev->bd_contains) { + dir = bdev->bd_part->debugfs_dir; + } else if (IS_ENABLED(CONFIG_CHR_DEV_SG) && + MAJOR(dev) == SCSI_GENERIC_MAJOR) { + /* + * scsi-generic exposes the request_queue through the /dev/sg* + * interface but since that uses a different path than whatever + * the respective scsi driver device name may expose and use + * for the request_queue debugfs_dir. We have a dedicated + * dentry for scsi-generic then. + */ + dir = q->sg_debugfs_dir; + } else { + /* + * Drivers which do not use the *add_disk*() interfaces will + * not have their debugfs_dir created for them automatically, + * so we must create it for them. + */ + if (!q->debugfs_dir) { + q->debugfs_dir = + debugfs_create_dir(buts->name, + blk_debugfs_root); + } + dir = q->debugfs_dir; + } + + /* + * As blktrace relies on debugfs for its interface the debugfs directory + * is required, contrary to the usual mantra of not checking for debugfs + * files or directories. + */ + if (IS_ERR_OR_NULL(dir)) { + pr_warn("debugfs_dir not present for %s so skipping\n", + buts->name); + return -ENOENT; + } + bt = kzalloc(sizeof(*bt), GFP_KERNEL); if (!bt) return -ENOMEM; @@ -524,12 +561,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, if (!bt->msg_data) goto err; - ret = -ENOENT; - - dir = debugfs_lookup(buts->name, blk_debugfs_root); - if (!dir) - bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); - bt->dev = dev; atomic_set(&bt->dropped, 0); INIT_LIST_HEAD(&bt->running_list); @@ -565,8 +596,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, ret = 0; err: - if (dir && !bt->dir) - dput(dir); if (ret) blk_trace_free(bt); return ret;