[PATCH kernel-4.19] blk-mq: fix divide by zero crash in tg_may_dispatch() - Kernel

30 Aug 2021

From: Yu Kuai yukuai3@huawei.com
hulk inclusion
category: bugfix
bugzilla: 177149, https://gitee.com/openeuler/kernel/issues/I47R8R
CVE: NA
-----------------------------------------------
If blk-throttle is enabled and io is issued before
blk_throtl_register_queue() is done. Divide by zero crash will be
triggered in tg_may_dispatch() because 'throtl_slice' is uninitialized.
Thus introduce a new falg QUEUE_FLAG_THROTL_INIT_DONE. It will be set
after blk_throtl_register_queue() is done, and will be checked before
apply any config.
Signed-off-by: Yu Kuai yukuai3@huawei.com
Reviewed-by: Hou Tao houtao1@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 block/blk-sysfs.c      |  2 ++
 block/blk-throttle.c   | 41 +++++++++++++++++++++++++++++++++++++++--
 include/linux/blkdev.h |  1 +
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index 15ad67c3c56b8..1f958bace71fc 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -951,6 +951,7 @@ int blk_register_queue(struct gendisk *disk)
    blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);
    wbt_enable_default(q);
    blk_throtl_register_queue(q);
+	blk_queue_flag_set(QUEUE_FLAG_THROTL_INIT_DONE, q);
/* Now everything is ready and send out KOBJ_ADD uevent */
    kobject_uevent(&q->kobj, KOBJ_ADD);
@@ -983,6 +984,7 @@ void blk_unregister_queue(struct gendisk *disk)
    if (!blk_queue_registered(q))
    	return;
+	blk_queue_flag_clear(QUEUE_FLAG_THROTL_INIT_DONE, q);
    /*
     * Since sysfs_remove_dir() prevents adding new directory entries
     * before removal of existing entries starts, protect against
diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index 18b8e868995f9..9426330d99dda 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -11,6 +11,8 @@
 #include <linux/bio.h>
 #include <linux/blktrace_api.h>
 #include <linux/blk-cgroup.h>
+#include <linux/sched/signal.h>
+#include <linux/delay.h>
 #include "blk.h"
/* Max dispatch from a group in 1 round */
@@ -1436,6 +1438,31 @@ static void tg_conf_updated(struct throtl_grp *tg, bool global)
    }
 }
+static inline int throtl_check_init_done(struct request_queue *q)
+{
+	if (test_bit(QUEUE_FLAG_THROTL_INIT_DONE, &q->queue_flags))
+		return 0;
+
+	return blk_queue_dying(q) ? -ENODEV : -EBUSY;
+}
+
+/*
+ * If throtl_check_init_done() return -EBUSY, we should retry after a short
+ * msleep(), since that throttle init will be completed in blk_register_queue()
+ * soon.
+ */
+static inline int throtl_restart_syscall_when_busy(int errno)
+{
+	int ret = errno;
+
+	if (ret == -EBUSY) {
+		msleep(10);
+		ret = restart_syscall();
+	}
+
+	return ret;
+}
+
 static ssize_t tg_set_conf(struct kernfs_open_file *of,
    		   char *buf, size_t nbytes, loff_t off, bool is_u64)
 {
@@ -1449,6 +1476,10 @@ static ssize_t tg_set_conf(struct kernfs_open_file *of,
    if (ret)
    	return ret;
+	ret = throtl_check_init_done(ctx.disk->queue);
+	if (ret)
+		goto out_finish;
+
    ret = -EINVAL;
    if (sscanf(ctx.body, "%llu", &v) != 1)
    	goto out_finish;
@@ -1456,7 +1487,6 @@ static ssize_t tg_set_conf(struct kernfs_open_file *of,
    	v = U64_MAX;
tg = blkg_to_tg(ctx.blkg);
-
    if (is_u64)
    	*(u64 *)((void *)tg + of_cft(of)->private) = v;
    else
@@ -1466,6 +1496,8 @@ static ssize_t tg_set_conf(struct kernfs_open_file *of,
    ret = 0;
 out_finish:
    blkg_conf_finish(&ctx);
+	ret = throtl_restart_syscall_when_busy(ret);
+
    return ret ?: nbytes;
 }
@@ -1615,8 +1647,11 @@ static ssize_t tg_set_limit(struct kernfs_open_file *of,
    if (ret)
    	return ret;
-	tg = blkg_to_tg(ctx.blkg);
+	ret = throtl_check_init_done(ctx.disk->queue);
+	if (ret)
+		goto out_finish;
+	tg = blkg_to_tg(ctx.blkg);
    v[0] = tg->bps_conf[READ][index];
    v[1] = tg->bps_conf[WRITE][index];
    v[2] = tg->iops_conf[READ][index];
@@ -1712,6 +1747,8 @@ static ssize_t tg_set_limit(struct kernfs_open_file *of,
    ret = 0;
 out_finish:
    blkg_conf_finish(&ctx);
+	ret = throtl_restart_syscall_when_busy(ret);
+
    return ret ?: nbytes;
 }
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 376f5dee46fce..7ed2b137c3324 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -709,6 +709,7 @@ struct request_queue {
 #define QUEUE_FLAG_NOMERGES     5	/* disable merge attempts */
 #define QUEUE_FLAG_SAME_COMP	6	/* complete on same CPU-group */
 #define QUEUE_FLAG_FAIL_IO	7	/* fake timeout */
+#define QUEUE_FLAG_THROTL_INIT_DONE 8	/* io throttle can be online */
 #define QUEUE_FLAG_NONROT	9	/* non-rotational device (SSD) */
 #define QUEUE_FLAG_VIRT        QUEUE_FLAG_NONROT /* paravirt device */
 #define QUEUE_FLAG_IO_STAT     10	/* do IO stats */
-- 
2.25.1

    