CC: kbuild-...@lists.01.org BCC: l...@intel.com CC: linux-ker...@vger.kernel.org TO: Ming Lei <ming....@redhat.com> CC: Jens Axboe <ax...@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-5.18/block head: 8f9e7b65f833cb9a4b2e2f54a049d74df394d906 commit: ee37eddbfa9e0401f13a01691cf4bbbacd2d16c9 [125/127] block: avoid use-after-free on throttle data :::::: branch date: 13 hours ago :::::: commit date: 13 hours ago config: openrisc-randconfig-m031-20220318 (https://download.01.org/0day-ci/archive/20220319/202203191245.pigwwaal-...@intel.com/config) compiler: or1k-linux-gcc (GCC) 11.2.0 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <l...@intel.com> Reported-by: Dan Carpenter <dan.carpen...@oracle.com> smatch warnings: block/blk-throttle.c:1188 throtl_pending_timer_fn() error: we previously assumed 'tg' could be null (see line 1146) vim +/tg +1188 block/blk-throttle.c e43473b7f223ec Vivek Goyal 2010-09-15 1117 c79892c5576163 Shaohua Li 2017-03-27 1118 static bool throtl_can_upgrade(struct throtl_data *td, c79892c5576163 Shaohua Li 2017-03-27 1119 struct throtl_grp *this_tg); 6e1a5704cbbd24 Tejun Heo 2013-05-14 1120 /** 6e1a5704cbbd24 Tejun Heo 2013-05-14 1121 * throtl_pending_timer_fn - timer function for service_queue->pending_timer 216382dccb2e0c Bart Van Assche 2019-05-30 1122 * @t: the pending_timer member of the throtl_service_queue being serviced 6e1a5704cbbd24 Tejun Heo 2013-05-14 1123 * 6e1a5704cbbd24 Tejun Heo 2013-05-14 1124 * This timer is armed when a child throtl_grp with active bio's become 6e1a5704cbbd24 Tejun Heo 2013-05-14 1125 * pending and queued on the service_queue's pending_tree and expires when 6e1a5704cbbd24 Tejun Heo 2013-05-14 1126 * the first child throtl_grp should be dispatched. This function 2e48a530a3a7da Tejun Heo 2013-05-14 1127 * dispatches bio's from the children throtl_grps to the parent 2e48a530a3a7da Tejun Heo 2013-05-14 1128 * service_queue. 
2e48a530a3a7da Tejun Heo 2013-05-14 1129 * 2e48a530a3a7da Tejun Heo 2013-05-14 1130 * If the parent's parent is another throtl_grp, dispatching is propagated 2e48a530a3a7da Tejun Heo 2013-05-14 1131 * by either arming its pending_timer or repeating dispatch directly. If 2e48a530a3a7da Tejun Heo 2013-05-14 1132 * the top-level service_tree is reached, throtl_data->dispatch_work is 2e48a530a3a7da Tejun Heo 2013-05-14 1133 * kicked so that the ready bio's are issued. 6e1a5704cbbd24 Tejun Heo 2013-05-14 1134 */ e99e88a9d2b067 Kees Cook 2017-10-16 1135 static void throtl_pending_timer_fn(struct timer_list *t) 69df0ab030c94e Tejun Heo 2013-05-14 1136 { e99e88a9d2b067 Kees Cook 2017-10-16 1137 struct throtl_service_queue *sq = from_timer(sq, t, pending_timer); 2e48a530a3a7da Tejun Heo 2013-05-14 1138 struct throtl_grp *tg = sq_to_tg(sq); 69df0ab030c94e Tejun Heo 2013-05-14 1139 struct throtl_data *td = sq_to_td(sq); 2e48a530a3a7da Tejun Heo 2013-05-14 1140 struct throtl_service_queue *parent_sq; ee37eddbfa9e04 Ming Lei 2022-03-18 1141 struct request_queue *q; 2e48a530a3a7da Tejun Heo 2013-05-14 1142 bool dispatched; 6e1a5704cbbd24 Tejun Heo 2013-05-14 1143 int ret; e43473b7f223ec Vivek Goyal 2010-09-15 1144 ee37eddbfa9e04 Ming Lei 2022-03-18 1145 /* throtl_data may be gone, so figure out request queue by blkg */ ee37eddbfa9e04 Ming Lei 2022-03-18 @1146 if (tg) ee37eddbfa9e04 Ming Lei 2022-03-18 1147 q = tg->pd.blkg->q; ee37eddbfa9e04 Ming Lei 2022-03-18 1148 else ee37eddbfa9e04 Ming Lei 2022-03-18 1149 q = td->queue; ee37eddbfa9e04 Ming Lei 2022-03-18 1150 0d945c1f966b2b Christoph Hellwig 2018-11-15 1151 spin_lock_irq(&q->queue_lock); ee37eddbfa9e04 Ming Lei 2022-03-18 1152 ee37eddbfa9e04 Ming Lei 2022-03-18 1153 if (!q->root_blkg) ee37eddbfa9e04 Ming Lei 2022-03-18 1154 goto out_unlock; ee37eddbfa9e04 Ming Lei 2022-03-18 1155 c79892c5576163 Shaohua Li 2017-03-27 1156 if (throtl_can_upgrade(td, NULL)) c79892c5576163 Shaohua Li 2017-03-27 1157 throtl_upgrade_state(td); 
c79892c5576163 Shaohua Li 2017-03-27 1158 2e48a530a3a7da Tejun Heo 2013-05-14 1159 again: 2e48a530a3a7da Tejun Heo 2013-05-14 1160 parent_sq = sq->parent_sq; 2e48a530a3a7da Tejun Heo 2013-05-14 1161 dispatched = false; e43473b7f223ec Vivek Goyal 2010-09-15 1162 7f52f98c2a8333 Tejun Heo 2013-05-14 1163 while (true) { fda6f272c77a7a Tejun Heo 2013-05-14 1164 throtl_log(sq, "dispatch nr_queued=%u read=%u write=%u", 2e48a530a3a7da Tejun Heo 2013-05-14 1165 sq->nr_queued[READ] + sq->nr_queued[WRITE], 2e48a530a3a7da Tejun Heo 2013-05-14 1166 sq->nr_queued[READ], sq->nr_queued[WRITE]); e43473b7f223ec Vivek Goyal 2010-09-15 1167 7f52f98c2a8333 Tejun Heo 2013-05-14 1168 ret = throtl_select_dispatch(sq); 7f52f98c2a8333 Tejun Heo 2013-05-14 1169 if (ret) { 7f52f98c2a8333 Tejun Heo 2013-05-14 1170 throtl_log(sq, "bios disp=%u", ret); 7f52f98c2a8333 Tejun Heo 2013-05-14 1171 dispatched = true; 651930bc1c2a25 Tejun Heo 2013-05-14 1172 } e43473b7f223ec Vivek Goyal 2010-09-15 1173 7f52f98c2a8333 Tejun Heo 2013-05-14 1174 if (throtl_schedule_next_dispatch(sq, false)) 7f52f98c2a8333 Tejun Heo 2013-05-14 1175 break; 7f52f98c2a8333 Tejun Heo 2013-05-14 1176 7f52f98c2a8333 Tejun Heo 2013-05-14 1177 /* this dispatch windows is still open, relax and repeat */ 0d945c1f966b2b Christoph Hellwig 2018-11-15 1178 spin_unlock_irq(&q->queue_lock); 7f52f98c2a8333 Tejun Heo 2013-05-14 1179 cpu_relax(); 0d945c1f966b2b Christoph Hellwig 2018-11-15 1180 spin_lock_irq(&q->queue_lock); 7f52f98c2a8333 Tejun Heo 2013-05-14 1181 } 6a525600ffeb9e Tejun Heo 2013-05-14 1182 2e48a530a3a7da Tejun Heo 2013-05-14 1183 if (!dispatched) 2e48a530a3a7da Tejun Heo 2013-05-14 1184 goto out_unlock; 6e1a5704cbbd24 Tejun Heo 2013-05-14 1185 2e48a530a3a7da Tejun Heo 2013-05-14 1186 if (parent_sq) { 2e48a530a3a7da Tejun Heo 2013-05-14 1187 /* @parent_sq is another throl_grp, propagate dispatch */ 2e48a530a3a7da Tejun Heo 2013-05-14 @1188 if (tg->flags & THROTL_TG_WAS_EMPTY) { 2e48a530a3a7da Tejun Heo 2013-05-14 1189 
tg_update_disptime(tg); 2e48a530a3a7da Tejun Heo 2013-05-14 1190 if (!throtl_schedule_next_dispatch(parent_sq, false)) { 2e48a530a3a7da Tejun Heo 2013-05-14 1191 /* window is already open, repeat dispatching */ 2e48a530a3a7da Tejun Heo 2013-05-14 1192 sq = parent_sq; 2e48a530a3a7da Tejun Heo 2013-05-14 1193 tg = sq_to_tg(sq); 2e48a530a3a7da Tejun Heo 2013-05-14 1194 goto again; 2e48a530a3a7da Tejun Heo 2013-05-14 1195 } 2e48a530a3a7da Tejun Heo 2013-05-14 1196 } 2e48a530a3a7da Tejun Heo 2013-05-14 1197 } else { b53b072c4bb579 Baolin Wang 2020-09-07 1198 /* reached the top-level, queue issuing */ 2e48a530a3a7da Tejun Heo 2013-05-14 1199 queue_work(kthrotld_workqueue, &td->dispatch_work); 2e48a530a3a7da Tejun Heo 2013-05-14 1200 } 2e48a530a3a7da Tejun Heo 2013-05-14 1201 out_unlock: 0d945c1f966b2b Christoph Hellwig 2018-11-15 1202 spin_unlock_irq(&q->queue_lock); 6e1a5704cbbd24 Tejun Heo 2013-05-14 1203 } e43473b7f223ec Vivek Goyal 2010-09-15 1204 :::::: The code at line 1188 was first introduced by commit :::::: 2e48a530a3a7daebd0cc17866304a36d39b611de blk-throttle: make throtl_pending_timer_fn() ready for hierarchy :::::: TO: Tejun Heo <t...@kernel.org> :::::: CC: Tejun Heo <t...@kernel.org> --- 0-DAY CI Kernel Test Service https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org _______________________________________________ kbuild mailing list -- kbuild@lists.01.org To unsubscribe send an email to kbuild-le...@lists.01.org
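Review bot: The new comment at line 1145 says throtl_data may be gone, yet the `else` branch at line 1149 still reads `td->queue`, and once the `!q->root_blkg` check at line 1153 passes, `throtl_can_upgrade(td, NULL)` and `queue_work(kthrotld_workqueue, &td->dispatch_work)` dereference `td` exactly as before. The fix therefore appears to rest on an ordering that this listing does not show: that teardown clears `q->root_blkg` under `queue_lock` before the throttle data is freed, and that a timer whose `sq` has no `tg` cannot outlive its `td`. I would state that invariant where it is relied on, for example `/* td may already be freed when tg != NULL, so only touch it after the root_blkg check under queue_lock; with !tg, sq is assumed to be embedded in td */`, and confirm it against the teardown path. Note also that `tg->pd.blkg->q` at line 1147 is read before the lock is taken, so the blkg has to be guaranteed to outlive the pending timer for that load itself to be safe.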