linux/block
Omar Sandoval efed9a3337 kyber: fix out of bounds access when preempted
__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx
for the current CPU again and uses that to get the corresponding Kyber
context in the passed hctx. However, the thread may be preempted between
the two calls to blk_mq_get_ctx(), and the ctx returned the second time
may no longer correspond to the passed hctx. This "works" accidentally
most of the time, but it can cause us to read garbage if the second ctx
came from an hctx with more ctx's than the first one (i.e., if
ctx->index_hw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported
by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
 dump_stack+0xa4/0xe5
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
 queued_spin_lock_slowpath+0x476/0x480
 do_raw_spin_lock+0x1c2/0x1d0
 kyber_bio_merge+0x112/0x180
 blk_mq_submit_bio+0x1f5/0x1100
 submit_bio_noacct+0x7b0/0x870
 submit_bio+0xc2/0x3a0
 btrfs_map_bio+0x4f0/0x9d0
 btrfs_submit_data_bio+0x24e/0x310
 submit_one_bio+0x7f/0xb0
 submit_extent_page+0xc4/0x440
 __extent_writepage_io+0x2b8/0x5e0
 __extent_writepage+0x28d/0x6e0
 extent_write_cache_pages+0x4d7/0x7a0
 extent_writepages+0xa2/0x110
 do_writepages+0x8f/0x180
 __writeback_single_inode+0x99/0x7f0
 writeback_sb_inodes+0x34e/0x790
 __writeback_inodes_wb+0x9e/0x120
 wb_writeback+0x4d2/0x660
 wb_workfn+0x64d/0xa10
 process_one_work+0x53a/0xa80
 worker_thread+0x69/0x5b0
 kthread+0x20b/0x240
 ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to
->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
map the queues itself to avoid the mismatch.

Fixes: a6088845c2 ("block: kyber: make kyber more friendly with merging")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Link: https://lore.kernel.org/r/c7598605401a48d5cfeadebb678abd10af22b83f.1620691329.git.osandov@fb.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-05-11 08:12:14 -06:00
..
partitions for-5.13/block-2021-04-27 2021-04-28 14:27:12 -07:00
badblocks.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bfq-cgroup.c block, bfq: merge bursts of newly-created queues 2021-03-25 10:50:07 -06:00
bfq-iosched.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
bfq-iosched.h block, bfq: merge bursts of newly-created queues 2021-03-25 10:50:07 -06:00
bfq-wf2q.c block, bfq: always inject I/O of queues blocked by wakers 2021-03-25 10:50:07 -06:00
bio-integrity.c block: remove BLK_BOUNCE_ISA support 2021-04-06 09:28:17 -06:00
bio.c Revert "bio: limit bio max size" 2021-05-08 21:49:48 -06:00
blk-cgroup-rwstat.c blk-cgroup: Fix the recursive blkg rwstat 2021-03-05 11:32:15 -07:00
blk-cgroup-rwstat.h blk-cgroup: separate out blkg_rwstat under CONFIG_BLK_CGROUP_RWSTAT 2019-11-07 12:28:13 -07:00
blk-cgroup.c for-5.12/block-2021-02-17 2021-02-21 11:02:48 -08:00
blk-core.c block: refactor the bounce buffering code 2021-04-06 09:28:17 -06:00
blk-crypto-fallback.c block: rename BIO_MAX_PAGES to BIO_MAX_VECS 2021-03-11 07:47:48 -07:00
blk-crypto-internal.h block: make blk_crypto_rq_bio_prep() able to fail 2020-10-05 10:47:43 -06:00
blk-crypto.c dm: support key eviction from keyslot managers of underlying devices 2021-02-11 09:45:25 -05:00
blk-exec.c block: drop removed argument from kernel-doc of blk_execute_rq() 2021-01-29 07:43:29 -07:00
blk-flush.c block: use an on-stack bio in blkdev_issue_flush 2021-01-27 09:51:48 -07:00
blk-integrity.c block: remove the unused blk_integrity_merge_bio export 2020-10-06 07:29:53 -06:00
blk-ioc.c block: remove retry loop in ioc_release_fn() 2020-07-16 10:22:15 -06:00
blk-iocost.c blk-iocost: don't ignore vrate_min on QD contention 2021-04-26 06:44:18 -06:00
blk-iolatency.c block: Remove redundant 'return' statement 2020-10-08 07:59:48 -06:00
blk-lib.c block: rename BIO_MAX_PAGES to BIO_MAX_VECS 2021-03-11 07:47:48 -07:00
blk-map.c block: remove an incorrect check from blk_rq_append_bio 2021-04-12 06:45:12 -06:00
blk-merge.c block: recalculate segment count for multi-segment discards correctly 2021-03-23 10:39:57 -06:00
blk-mq-cpumap.c blk-mq: remove the calling of local_memory_node() 2020-10-20 07:08:17 -06:00
blk-mq-debugfs-zoned.c block: Cleanup license notice 2019-01-17 21:21:40 -07:00
blk-mq-debugfs.c for-5.13/block-2021-04-27 2021-04-28 14:27:12 -07:00
blk-mq-debugfs.h blk-mq: no need to check return value of debugfs_create functions 2019-06-13 03:00:30 -06:00
blk-mq-pci.c block: Fix blk_mq_*_map_queues() kernel-doc headers 2019-05-31 15:12:34 -06:00
blk-mq-rdma.c block: Fix blk_mq_*_map_queues() kernel-doc headers 2019-05-31 15:12:34 -06:00
blk-mq-sched.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
blk-mq-sched.h block: get rid of the trace rq insert wrapper 2021-02-22 06:37:41 -07:00
blk-mq-sysfs.c blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue 2020-10-09 12:46:28 -06:00
blk-mq-tag.c blk-mq: Always use blk_mq_is_sbitmap_shared 2021-04-06 09:24:07 -06:00
blk-mq-tag.h blk-mq: Relocate hctx_may_queue() 2020-09-03 15:20:47 -06:00
blk-mq-virtio.c blk-mq: Fix typo in comment 2020-03-17 20:55:21 +01:00
blk-mq.c SCSI misc on 20210428 2021-04-28 17:22:10 -07:00
blk-mq.h scsi: blk-mq: Return budget token from .get_budget callback 2021-03-04 17:36:59 -05:00
blk-pm.c scsi: block: Fix a race in the runtime power management code 2020-12-09 11:41:41 -05:00
blk-pm.h block: Remove unused blk_pm_*() function definitions 2021-02-22 06:33:48 -07:00
blk-rq-qos.c Revert "blk-rq-qos: remove redundant finish_wait to rq_qos_wait." 2020-07-15 09:33:37 -06:00
blk-rq-qos.h blk-rq-qos: fix first node deletion of rq_qos_del() 2019-10-15 10:13:13 -06:00
blk-settings.c Revert "bio: limit bio max size" 2021-05-08 21:49:48 -06:00
blk-stat.c blk-stat: make q->stats->lock irqsafe 2020-09-01 16:48:46 -06:00
blk-stat.h block: deactivate blk_stat timer in wbt_disable_default() 2018-12-12 06:47:51 -07:00
blk-sysfs.c block: add sysfs entry for virt boundary mask 2021-04-06 09:23:23 -06:00
blk-throttle.c block: store a block_device pointer in struct bio 2021-01-24 18:17:20 -07:00
blk-timeout.c block: blk-timeout: delete duplicated word 2020-07-31 16:29:47 -06:00
blk-wbt.c blk: wbt: remove unused parameter from wbt_should_throttle 2021-01-26 13:13:00 -07:00
blk-wbt.h blk-wbt: remove wbt_update_limits 2020-05-29 16:30:39 -06:00
blk-zoned.c blk-zoned: Remove the definition of blk_zone_start() 2021-04-07 14:31:45 -06:00
blk.h block: refactor blk_drop_partitions 2021-04-08 10:24:36 -06:00
bounce.c block: stop calling blk_queue_bounce for passthrough requests 2021-04-06 09:28:18 -06:00
bsg-lib.c block: drop double zeroing 2020-09-23 09:18:13 -06:00
bsg.c block: remove unnecessary argument from blk_execute_rq 2021-01-24 21:52:39 -07:00
cmdline-parser.c
elevator.c blk-mq: set default elevator as deadline in case of hctx shared tagset 2021-04-07 10:15:23 -06:00
genhd.c block: remove disk_part_iter 2021-04-08 10:24:36 -06:00
ioctl.c block: return -EBUSY when there are open partitions in blkdev_reread_part 2021-04-21 10:49:37 -06:00
ioprio.c block: Fix sys_ioprio_set(.which=IOPRIO_WHO_PGRP) task iteration 2021-04-08 13:43:53 -06:00
Kconfig blk-wbt: Remove obsolete multiqueue I/O scheduling comment 2020-09-01 16:49:26 -06:00
Kconfig.iosched treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
keyslot-manager.c - Fix DM integrity's HMAC support to provide enhanced security of 2021-02-22 10:22:54 -08:00
kyber-iosched.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
Makefile blk-mq: merge blk-softirq.c into blk-mq.c 2020-06-24 09:15:56 -06:00
mq-deadline.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
opal_proto.h block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
scsi_ioctl.c block: Remove an obsolete comment from sg_io() 2021-04-13 11:23:52 -06:00
sed-opal.c block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
t10-pi.c block: Allow t10-pi to be modular 2020-01-06 20:59:04 -07:00