Re: [regression] Bug 216932 - io_uring with libvirt cause kernel NULL pointer dereference since 6.1.5

From: Jens Axboe
Date: Mon Jan 16 2023 - 09:34:00 EST


On 1/16/23 6:42 AM, Jens Axboe wrote:
> On 1/16/23 6:17 AM, Linux kernel regression tracking (Thorsten Leemhuis) wrote:
>> Hi, this is your Linux kernel regression tracker.
>>
>> I noticed a regression report in bugzilla.kernel.org. As many (most?)
>> kernel developers don't keep an eye on it, I decided to forward it by
>> mail. Quoting from https://bugzilla.kernel.org/show_bug.cgi?id=216932 :
>
> Looks like:
>
> commit 6d47e0f6a535701134d950db65eb8fe1edf0b575
> Author: Jens Axboe <axboe@xxxxxxxxx>
> Date: Wed Jan 4 08:52:06 2023 -0700
>
> block: don't allow splitting of a REQ_NOWAIT bio
>
> got picked up by stable, but not the required prep patch:
>
>
> commit 613b14884b8595e20b9fac4126bf627313827fbe
> Author: Jens Axboe <axboe@xxxxxxxxx>
> Date: Wed Jan 4 08:51:19 2023 -0700
>
> block: handle bio_split_to_limits() NULL return
>
> Greg/team, can you pick the latter too? It'll pick cleanly for
> 6.1-stable, not sure how far back the other patch has gone yet.

Looked back, and 5.15-stable picked up the REQ_NOWAIT patch too, but the
cherry-pick of the prep patch won't apply cleanly on that kernel.

Here's a backport for 5.15-stable; I verified that the reported crash
reproduces without it and goes away with it. Haven't done an allmodconfig
build yet...

--
Jens Axboe

From 850091593128cdbc72ce0f06ff35665d7d708a5f Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Mon, 16 Jan 2023 07:11:04 -0700
Subject: [PATCH] block: handle bio_split_to_limits() NULL return

commit 613b14884b8595e20b9fac4126bf627313827fbe upstream.

This can't happen right now, but in preparation for allowing
bio_split_to_limits() returning NULL if it ended the bio, check for it
in all the callers.

Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
block/blk-merge.c | 4 +++-
block/blk-mq.c | 2 ++
drivers/block/drbd/drbd_req.c | 2 ++
drivers/block/pktcdvd.c | 2 ++
drivers/block/ps3vram.c | 2 ++
drivers/block/rsxx/dev.c | 2 ++
drivers/md/md.c | 2 ++
drivers/nvme/host/multipath.c | 2 ++
drivers/s390/block/dcssblk.c | 2 ++
9 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/block/blk-merge.c b/block/blk-merge.c
index bb26db93ad1d..d1435b657297 100644
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -348,11 +348,13 @@ void __blk_queue_split(struct bio **bio, unsigned int *nr_segs)
break;
}
split = blk_bio_segment_split(q, *bio, &q->bio_split, nr_segs);
+ if (IS_ERR(split))
+ *bio = split = NULL;
break;
}

if (split) {
- /* there isn't chance to merge the splitted bio */
+ /* there isn't chance to merge the split bio */
split->bi_opf |= REQ_NOMERGE;

bio_chain(split, *bio);
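Review bot: The new `IS_ERR(split)` check sits only in the `blk_bio_segment_split()` branch of the switch; the earlier branches of that switch (above the hunk) assign `split` with no such check, so the code now relies on those other splitters never returning an ERR_PTR — a future one that did would fall through `if (split)` into `bio_chain()` with a poisoned pointer. That assumption deserves a one-line comment where the check is added, and `*bio = NULL` is a new out-of-band contract that every caller of `__blk_queue_split()`/`blk_queue_split()` now has to honour, so it should be stated at the point it is set: `/* splitter already ended the bio (REQ_NOWAIT would block); leave *bio NULL so callers submit nothing */`. `__blk_queue_split()` starts outside the hunk, so the switch header and any function comment where this contract belongs are not visible here.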
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 1a28ba9017ed..9f53b4caf977 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2193,6 +2193,8 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio)

blk_queue_bounce(q, &bio);
__blk_queue_split(&bio, &nr_segs);
+ if (!bio)
+ goto queue_exit;

if (!bio_integrity_prep(bio))
goto queue_exit;
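Review bot: The added `if (!bio) goto queue_exit;` carries no comment saying why `__blk_queue_split()` can leave `bio` NULL, and the same bare check is repeated in every driver caller in this patch; a reader will read a NULL here as an allocation failure rather than a bio that has already been completed. Suggest `if (!bio) /* split already ended the bio (e.g. REQ_NOWAIT would block) */ goto queue_exit;`, with the same note at the driver call sites. Jumping to `queue_exit` mirrors the `bio_integrity_prep()` failure path just below, which presumably releases the queue usage reference taken at function entry; the entry and the `queue_exit` label are outside the hunk, so whether any other state (plug, bounce buffer) is held at this point cannot be confirmed from here.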
diff --git a/drivers/block/drbd/drbd_req.c b/drivers/block/drbd/drbd_req.c
index 47e0d105b462..4281dc847bc2 100644
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -1602,6 +1602,8 @@ blk_qc_t drbd_submit_bio(struct bio *bio)
struct drbd_device *device = bio->bi_bdev->bd_disk->private_data;

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

/*
* what we "blindly" assume:
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 0f26b2510a75..ca2ab977ef8e 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2407,6 +2407,8 @@ static blk_qc_t pkt_submit_bio(struct bio *bio)
struct bio *split;

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

pd = bio->bi_bdev->bd_disk->queue->queuedata;
if (!pd) {
diff --git a/drivers/block/ps3vram.c b/drivers/block/ps3vram.c
index c7b19e128b03..c79aa4d8ccf7 100644
--- a/drivers/block/ps3vram.c
+++ b/drivers/block/ps3vram.c
@@ -587,6 +587,8 @@ static blk_qc_t ps3vram_submit_bio(struct bio *bio)
dev_dbg(&dev->core, "%s\n", __func__);

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

spin_lock_irq(&priv->lock);
busy = !bio_list_empty(&priv->list);
diff --git a/drivers/block/rsxx/dev.c b/drivers/block/rsxx/dev.c
index 1cc40b0ea761..6b253d99bc48 100644
--- a/drivers/block/rsxx/dev.c
+++ b/drivers/block/rsxx/dev.c
@@ -127,6 +127,8 @@ static blk_qc_t rsxx_submit_bio(struct bio *bio)
blk_status_t st = BLK_STS_IOERR;

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

might_sleep();

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 59ab99844df8..9e54b865f30d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -458,6 +458,8 @@ static blk_qc_t md_submit_bio(struct bio *bio)
}

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

if (mddev->ro == 1 && unlikely(rw == WRITE)) {
if (bio_sectors(bio) != 0)
diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index fe199d568a4a..8d97b942de01 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -329,6 +329,8 @@ static blk_qc_t nvme_ns_head_submit_bio(struct bio *bio)
* pool from the original queue to allocate the bvecs from.
*/
blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

srcu_idx = srcu_read_lock(&head->srcu);
ns = nvme_find_path(head);
diff --git a/drivers/s390/block/dcssblk.c b/drivers/s390/block/dcssblk.c
index 5be3d1c39a78..54176c073547 100644
--- a/drivers/s390/block/dcssblk.c
+++ b/drivers/s390/block/dcssblk.c
@@ -866,6 +866,8 @@ dcssblk_submit_bio(struct bio *bio)
unsigned long bytes_done;

blk_queue_split(&bio);
+ if (!bio)
+ return BLK_QC_T_NONE;

bytes_done = 0;
dev_info = bio->bi_bdev->bd_disk->private_data;
--
2.39.0