diff --git a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch new file mode 100644 index 000000000..be5eddebc --- /dev/null +++ b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch @@ -0,0 +1,64 @@ +From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sat, 5 Sep 2015 15:47:36 -0400 +Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and + ->root_rl.blkg + +While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always +create the blkcg_gq for the root blkcg") removed the part which clears +q->root_blkg and ->root_rl.blkg during q exit. This leaves the two +pointers dangling after blkg_destroy_all(). blk-throttle exit path +performs blkg traversals and dereferences ->root_blkg and can lead to +the following oops. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000558 + IP: [] __blkg_lookup+0x26/0x70 + ... + task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000 + RIP: 0010:[] [] __blkg_lookup+0x26/0x70 + ... + Call Trace: + [] blk_throtl_drain+0x5a/0x110 + [] blkcg_drain_queue+0x18/0x20 + [] __blk_drain_queue+0xc0/0x170 + [] blk_queue_bypass_start+0x61/0x80 + [] blkcg_deactivate_policy+0x39/0x100 + [] blk_throtl_exit+0x38/0x50 + [] blkcg_exit_queue+0x3e/0x50 + [] blk_release_queue+0x1e/0xc0 + ... + +While the bug is a straigh-forward use-after-free bug, it is tricky to +reproduce because blkg release is RCU protected and the rest of exit +path usually finishes before RCU grace period. + +This patch fixes the bug by updating blkg_destro_all() to clear +q->root_blkg and ->root_rl.blkg. + +Signed-off-by: Tejun Heo +Reported-by: "Richard W.M. Jones" +Reported-by: Josh Boyer +Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com +Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg") +Cc: stable@vger.kernel.org # v4.2+ +--- + block/blk-cgroup.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index d6283b3f5db5..9cc48d1d7abb 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q) + blkg_destroy(blkg); + spin_unlock(&blkcg->lock); + } ++ ++ q->root_blkg = NULL; ++ q->root_rl.blkg = NULL; + } + + /* +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 1f6556b94..87d035f66 100644 --- a/kernel.spec +++ b/kernel.spec @@ -596,6 +596,9 @@ Patch520: ARM-dts-Fix-Makefile-target-for-sun4i-a10-itead-itea.patch #rhbz 1258223 Patch521: x86-alternatives-Make-optimize_nops-interrupt-safe-a.patch +#rhbz 1237136 +Patch522: block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch + Patch904: kdbus.patch # END OF PATCH DEFINITIONS @@ -2043,6 +2046,9 @@ fi # # %changelog +* Tue Sep 08 2015 Josh Boyer +- Fix oops in blk layer (rhbz 1237136) + * Sun Sep 06 2015 Josh Boyer - 4.3.0-0.rc0.git8.1 - Linux v4.2-9700-g7d9071a09502