1. 09 Sep, 2021 1 commit
  2. 27 Aug, 2021 9 commits
  3. 25 Aug, 2021 1 commit
    • libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind · 32b2397c
      sumiyawang committed on
      There is a use after free crash when the pmem driver tears down its
      mapping while I/O is still inbound.
      
      This is triggered by driver unbind, "ndctl destroy-namespace", while I/O
      is in flight.
      
      Fix the sequence of blk_cleanup_queue() vs memunmap().
      
      The crash signature is of the form:
      
       BUG: unable to handle page fault for address: ffffc90080200000
       CPU: 36 PID: 9606 Comm: systemd-udevd
       Call Trace:
        ? pmem_do_bvec+0xf9/0x3a0
        ? xas_alloc+0x55/0xd0
        pmem_rw_page+0x4b/0x80
        bdev_read_page+0x86/0xb0
        do_mpage_readpage+0x5d4/0x7a0
        ? lru_cache_add+0xe/0x10
        mpage_readpages+0xf9/0x1c0
        ? bd_link_disk_holder+0x1a0/0x1a0
        blkdev_readpages+0x1d/0x20
        read_pages+0x67/0x1a0
      
        ndctl Call Trace in vmcore:
        PID: 23473  TASK: ffff88c4fbbe8000  CPU: 1   COMMAND: "ndctl"
        __schedule
        schedule
        blk_mq_freeze_queue_wait
        blk_freeze_queue
        blk_cleanup_queue
        pmem_release_queue
        devm_action_release
        release_nodes
        devres_release_all
        device_release_driver_internal
        device_driver_detach
        unbind_store
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: sumiyawang <sumiyawang@tencent.com>
      Reviewed-by: yongduan <yongduan@tencent.com>
      Link: https://lore.kernel.org/r/1629632949-14749-1-git-send-email-sumiyawang@tencent.com
      Fixes: 50f44ee7 ("mm/devm_memremap_pages: fix final page put race")
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
  4. 23 Aug, 2021 2 commits
  5. 22 Aug, 2021 6 commits
  6. 21 Aug, 2021 21 commits