[SRU][Focal][PATCH v3 0/1] fix wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks
Jacob Martin
jacob.martin at canonical.com
Wed Sep 18 16:57:03 UTC 2024
BugLink: https://bugs.launchpad.net/bugs/2081085
SRU Justification
[Impact]
Systems with storage devices that utilize the GENHD_FL_HIDDEN flag, such as
NVMe disks declaring support for multiple controllers (aka native
multipathing), will have a request queue with backing_dev_info->dev set to
NULL. When tracing is enabled with any of the wbt:wbt_* events enabled, a NULL
pointer dereference will occur in the corresponding trace function called from
wb_timer_fn. This occurs when the trace function attempts to access the
device's name with dev_name.
On a DGXA100 system, this can be reproduced by running the following, where
/dev/nvme0n1 is one of the 4 NVMe disks in the system that support native
multipathing:
    $ echo 1 | sudo tee /sys/kernel/tracing/events/wbt/enable
    $ echo 1 | sudo tee /sys/kernel/tracing/tracing_on
    $ sudo dd if=/dev/zero of=/dev/nvme0n1
A NULL pointer dereference will occur and the system will become unresponsive.
[Fix]
The upstream commit d51cfc53ade318 ("bdi: use bdi_dev_name() to get device
name") resolves this by changing the wbt:wbt_* trace functions to use the
bdi_dev_name function instead of dev_name. The bdi_dev_name function safely
handles the case where the supplied device is NULL.
[Test Case]
Verified that the commit d51cfc53ade318 ("bdi: use bdi_dev_name() to get device
name") resolves the issue on DGXA100 when applied to the "Ubuntu-5.4.0-196.216"
tag. The reproducer no longer causes a NULL pointer dereference or otherwise
crashes the system.
[Regression Potential]
There is a low risk of a regression:
* In the focal K5.4 kernel, the bdi_dev_name function is used in other trace
event functions for the same purpose of catching the case where bdi->dev is
NULL.
* This change is already present in kernel versions 5.7 and newer.
[Other]
The patch d51cfc53ade318 ("bdi: use bdi_dev_name() to get device name") is
already present in Jammy K5.15 and newer.
v2 and v3:
- fix email threading
Yufen Yu (1):
  bdi: use bdi_dev_name() to get device name

 block/bfq-iosched.c        | 6 ++++--
 block/blk-cgroup.c         | 2 +-
 fs/ceph/debugfs.c          | 2 +-
 include/trace/events/wbt.h | 8 ++++----
 4 files changed, 10 insertions(+), 8 deletions(-)
--
2.43.0
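
A host-side check for the two preconditions named under [Impact], a GENHD_FL_HIDDEN disk together with enabled wbt:wbt_* trace events. This is an added example, not part of the original message or the patch. It assumes the sysfs "hidden" disk attribute and a tracefs mount at /sys/kernel/tracing, and the function names are hypothetical. It does not tell whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: report whether a host matches the crash preconditions
# (hidden disk + enabled wbt trace events). Both paths can be overridden
# so the logic can be run against a constructed directory tree.
# Reading the tracefs file normally requires root.

# Print the name of every disk whose sysfs "hidden" attribute reads 1.
list_hidden_disks() {
    sysfs_block=${1:-/sys/block}
    for d in "$sysfs_block"/*; do
        [ -r "$d/hidden" ] || continue
        if [ "$(cat "$d/hidden")" = "1" ]; then
            basename "$d"
        fi
    done
}

# Return 0 if any wbt event is enabled. The group "enable" file reads
# 0 (none), 1 (all) or X (some), so anything other than 0 counts.
wbt_events_enabled() {
    enable_file=${1:-/sys/kernel/tracing/events/wbt/enable}
    [ -r "$enable_file" ] || return 1
    [ "$(cat "$enable_file")" != "0" ]
}

# Print one of: exposed, hidden-disks-only, tracing-only, clear.
wbt_precondition_status() {
    hidden=$(list_hidden_disks "$1")
    if wbt_events_enabled "$2"; then tracing=1; else tracing=0; fi
    if [ -n "$hidden" ] && [ "$tracing" = 1 ]; then echo exposed
    elif [ -n "$hidden" ]; then echo hidden-disks-only
    elif [ "$tracing" = 1 ]; then echo tracing-only
    else echo clear
    fi
}

# With no arguments, inspect the live system.
wbt_precondition_status "$@"
```

A result of "exposed" on a kernel without commit d51cfc53ade318 means the wbt events should be disabled until the fixed kernel is installed.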