linux/block
Omar Sandoval e972b08b91 blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
We're seeing crashes from rq_qos_wake_function that look like this:

  BUG: unable to handle page fault for address: ffffafe180a40084
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0
  Oops: Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40
  Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00
  RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011
  RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084
  RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011
  R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002
  R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003
  FS:  0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <IRQ>
   try_to_wake_up+0x5a/0x6a0
   rq_qos_wake_function+0x71/0x80
   __wake_up_common+0x75/0xa0
   __wake_up+0x36/0x60
   scale_up.part.0+0x50/0x110
   wb_timer_fn+0x227/0x450
   ...

So rq_qos_wake_function() calls wake_up_process(data->task), which calls
try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).

p comes from data->task, and data comes from the waitqueue entry, which
is stored on the waiter's stack in rq_qos_wait(). Analyzing the core
dump with drgn, I found that the waiter had already woken up and moved
on to a completely unrelated code path, clobbering what was previously
data->task. Meanwhile, the waker was passing the clobbered garbage in
data->task to wake_up_process(), leading to the crash.

What's happening is that in between rq_qos_wake_function() deleting the
waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding
that it already got a token and returning. The race looks like this:

rq_qos_wait()                           rq_qos_wake_function()
==============================================================
prepare_to_wait_exclusive()
                                        data->got_token = true;
                                        list_del_init(&curr->entry);
if (data.got_token)
        break;
finish_wait(&rqw->wait, &data.wq);
  ^- returns immediately because
     list_empty_careful(&wq_entry->entry)
     is true
... return, go do something else ...
                                        wake_up_process(data->task)
                                          (NO LONGER VALID!)-^

Normally, finish_wait() is supposed to synchronize against the waker.
But, as noted above, it is returning immediately because the waitqueue
entry has already been removed from the waitqueue.

The bug is that rq_qos_wake_function() is accessing the waitqueue entry
AFTER deleting it. Note that autoremove_wake_function() wakes the waiter
and THEN deletes the waitqueue entry, which is the proper order.

Fix it by swapping the order. We also need to use
list_del_init_careful() to match the list_empty_careful() in
finish_wait().

Fixes: 38cfb5a45e ("blk-wbt: improve waking of tasks")
Cc: stable@vger.kernel.org
Signed-off-by: Omar Sandoval <osandov@fb.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/d3bee2463a67b1ee597211823bf7ad3721c26e41.1729014591.git.osandov@fb.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-10-16 07:20:14 -06:00
..
partitions block: fix potential invalid pointer dereference in blk_add_partition 2024-09-12 08:46:40 -06:00
badblocks.c badblocks: avoid checking invalid range in badblocks_check() 2023-12-23 18:38:08 -07:00
bdev.c for-6.12/block-20240925 2024-09-25 14:56:40 -07:00
bfq-cgroup.c block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator() 2024-09-10 16:32:09 -06:00
bfq-iosched.c block, bfq: factor out a helper to split bfqq in bfq_init_rq() 2024-09-10 16:32:09 -06:00
bfq-iosched.h block, bfq: remove bfq_log_bfqg() 2024-09-10 16:32:09 -06:00
bfq-wf2q.c
bio-integrity.c Linux 6.11 2024-09-17 08:32:53 -06:00
bio.c block: unpin user pages belonging to a folio at once 2024-09-11 07:24:01 -06:00
blk-cgroup-fc-appid.c block: Replace all non-returning strlcpy with strscpy 2023-06-01 09:13:31 -06:00
blk-cgroup-rwstat.c blk-cgroup: use group allocation/free of per-cpu counters API 2024-04-03 09:10:17 -06:00
blk-cgroup-rwstat.h
blk-cgroup.c blk-ioprio: remove per-disk structure 2024-07-28 16:47:51 -06:00
blk-cgroup.h blk-cgroup: Remove unused declaration blkg_path() 2024-08-16 15:07:27 -06:00
blk-core.c scsi: block: Don't check REQ_ATOMIC for reads 2024-08-12 18:03:38 -04:00
blk-crypto-fallback.c block, fs: Restore the per-bio/request data lifetime fields 2024-02-06 14:31:05 +01:00
blk-crypto-internal.h
blk-crypto-profile.c blk-crypto: use dynamic lock class for blk_crypto_profile::lock 2023-07-05 16:36:12 -06:00
blk-crypto-sysfs.c
blk-crypto.c
blk-flush.c for-6.11/block-20240710 2024-07-15 14:20:22 -07:00
blk-ia-ranges.c
blk-integrity.c block: fix blk_rq_map_integrity_sg kernel-doc 2024-10-02 07:15:33 -06:00
blk-ioc.c blk-ioc: fix recursive spin_lock/unlock_irq() in ioc_clear_queue() 2023-06-07 07:51:00 -06:00
blk-iocost.c blk_iocost: remove some duplicate irq disable/enables 2024-10-02 07:15:43 -06:00
blk-iolatency.c block: add blk_time_get_ns() and blk_time_get() helpers 2024-02-05 10:07:22 -07:00
blk-ioprio.c blk-ioprio: remove per-disk structure 2024-07-28 16:47:51 -06:00
blk-ioprio.h blk-ioprio: remove per-disk structure 2024-07-28 16:47:51 -06:00
blk-lib.c block: fix detection of unsupported WRITE SAME in blkdev_issue_write_zeroes 2024-08-28 08:49:25 -06:00
blk-map.c block: don't free the integrity payload in bio_integrity_unmap_free_user 2024-07-03 10:21:16 -06:00
blk-merge.c blk-integrity: properly account for segments 2024-09-13 12:31:45 -06:00
blk-mq-cpumap.c
blk-mq-debugfs.c block: Catch possible entries missing from rqf_name[] 2024-07-19 09:32:49 -06:00
blk-mq-debugfs.h block: Replace zone_wlock debugfs entry with zone_wplugs entry 2024-04-17 08:44:03 -06:00
blk-mq-pci.c
blk-mq-sched.c blk-mq: Remove the hctx 'run' debugfs attribute 2024-01-17 14:16:34 -07:00
blk-mq-sched.h
blk-mq-sysfs.c
blk-mq-tag.c block: Fix lockdep warning in blk_mq_mark_tag_wait 2024-08-15 19:25:03 -06:00
blk-mq-virtio.c
blk-mq.c blk-mq: setup queue ->tag_set before initializing hctx 2024-10-14 08:17:07 -06:00
blk-mq.h block: Relocate BLK_MQ_CPU_WORK_BATCH 2024-07-19 09:32:48 -06:00
blk-pm.c block: Remove blk_set_runtime_active() 2023-11-20 10:22:40 -07:00
blk-pm.h
blk-rq-qos.c blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race 2024-10-16 07:20:14 -06:00
blk-rq-qos.h block: skip QUEUE_FLAG_STATS and rq-qos for passthrough io 2023-12-01 18:29:18 -07:00
blk-settings.c block: Remove unused blk_limits_io_{min,opt} 2024-09-20 00:19:48 -06:00
blk-stat.c blk-throttle: remove CONFIG_BLK_DEV_THROTTLING_LOW 2024-05-09 09:44:55 -06:00
blk-stat.h block: delete redundant function declaration 2024-05-27 13:58:06 -06:00
blk-sysfs.c block: Prevent deadlocks when switching elevators 2024-09-10 13:43:42 -06:00
blk-throttle.c Linux 6.11 2024-09-17 08:32:53 -06:00
blk-throttle.h blk-throttle: remove last_low_overflow_time 2024-09-10 16:31:41 -06:00
blk-timeout.c
blk-wbt.c blk-wbt: don't throttle swap writes in direct reclaim 2024-07-01 06:51:53 -06:00
blk-wbt.h blk-wbt: remove the separate write cache tracking 2023-12-26 09:28:10 -07:00
blk-zoned.c for-6.11/block-20240710 2024-07-15 14:20:22 -07:00
blk.h block: implement async io_uring discard cmd 2024-09-11 10:45:28 -06:00
bounce.c block: split integrity support out of bio.h 2024-07-03 10:21:15 -06:00
bsg-lib.c scsi: bsg: Pass dev to blk_mq_alloc_queue() 2024-05-30 20:22:15 -04:00
bsg.c SCSI misc on 20230629 2023-06-30 11:57:07 -07:00
disk-events.c block: move bdev_mark_dead out of disk_check_media_change 2023-10-28 13:29:23 +02:00
early-lookup.c wrapper for access to ->bd_partno 2024-05-02 17:48:09 -04:00
elevator.c elevator: Remove argument from elevator_find_get 2024-10-11 11:11:09 -06:00
elevator.h block: Prevent deadlocks when switching elevators 2024-09-10 13:43:42 -06:00
fops.c vfs-6.12.blocksize 2024-09-20 17:53:17 -07:00
genhd.c block: fix deadlock between sd_remove & sd_release 2024-07-24 09:51:21 -06:00
holder.c block: fix deadlock between bd_link_disk_holder and partition scan 2024-02-23 07:44:19 -07:00
ioctl.c block: implement async io_uring discard cmd 2024-09-11 10:45:28 -06:00
ioprio.c block: move __get_task_ioprio() into header file 2024-01-08 12:27:39 -07:00
Kconfig block: remove the blk_integrity_profile structure 2024-06-14 10:20:06 -06:00
Kconfig.iosched
kyber-iosched.c
Makefile block: remove the blk_integrity_profile structure 2024-06-14 10:20:06 -06:00
mq-deadline.c block/mq-deadline: Fix the tag reservation code 2024-07-02 08:47:45 -06:00
opal_proto.h block: sed-opal: handle empty atoms when parsing response 2024-02-16 15:52:45 -07:00
sed-opal.c block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() 2024-06-12 10:53:20 -06:00
t10-pi.c block: constify ext_pi_ref_escape() 2024-08-13 06:20:02 -06:00