| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Nov 2022 21:21:56 +0800
From: Li Nan <linan122@...wei.com>
To: <tj@...nel.org>, <josef@...icpanda.com>, <axboe@...nel.dk>
CC: <cgroups@...r.kernel.org>, <linux-block@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <linan122@...wei.com>,
<yukuai3@...wei.com>, <yi.zhang@...wei.com>
Subject: [PATCH -next v2 9/9] blk-iocost: fix walk_list corruption
From: Yu Kuai <yukuai3@...wei.com>
Our test report a problem:
------------[ cut here ]------------
list_del corruption. next->prev should be ffff888127e0c4b0, but was ffff888127e090b0
WARNING: CPU: 2 PID: 3117789 at lib/list_debug.c:62 __list_del_entry_valid+0x119/0x130
RIP: 0010:__list_del_entry_valid+0x119/0x130
RIP: 0010:__list_del_entry_valid+0x119/0x130
Call Trace:
<IRQ>
iocg_flush_stat.isra.0+0x11e/0x230
? ioc_rqos_done+0x230/0x230
? ioc_now+0x14f/0x180
ioc_timer_fn+0x569/0x1640
We haven't reporduced it yet, but we think this is due to parent iocg is
freed before child iocg, and then in ioc_timer_fn, walk_list is
corrupted.
1) Remove child cgroup can concurrent with remove parent cgroup, and
ioc_pd_free for parent iocg can be called before child iocg. This can be
fixed by moving the handle of walk_list to ioc_pd_offline, since that
offline from child is ensured to be called before parent.
2) ioc_pd_free can be triggered from both removing device and removing
cgroup, this patch fix the problem by deleting timer before deactivating
policy, so that free parent iocg first in this case won't matter.
Signed-off-by: Yu Kuai <yukuai3@...wei.com>
Signed-off-by: Li Nan <linan122@...wei.com>
---
block/blk-iocost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index 710cf63a1643..d2b873908f88 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -2813,13 +2813,14 @@ static void ioc_rqos_exit(struct rq_qos *rqos)
{
struct ioc *ioc = rqos_to_ioc(rqos);
+ del_timer_sync(&ioc->timer);
+
blkcg_deactivate_policy(rqos->q, &blkcg_policy_iocost);
spin_lock_irq(&ioc->lock);
ioc->running = IOC_STOP;
spin_unlock_irq(&ioc->lock);
- del_timer_sync(&ioc->timer);
free_percpu(ioc->pcpu_stat);
kfree(ioc);
}
--
2.31.1
Powered by blists - more mailing lists