ACK: [SRU][Focal][PATCH v3 0/1] fix wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks
Thibault Ferrante
thibault.ferrante at canonical.com
Mon Sep 23 11:39:08 UTC 2024
Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>
On 18-09-2024 18:57, Jacob Martin wrote:
> BugLink: https://bugs.launchpad.net/bugs/2081085
>
> SRU Justification
>
> [Impact]
> Systems with storage devices that utilize the GENHD_FL_HIDDEN flag, such as
> NVMe disks declaring support for multiple controllers (aka native
> multipathing), will have a request queue with backing_dev_info->dev set to
> NULL. When tracing is enabled with any of the wbt:wbt_* events enabled, a NULL
> pointer dereference will occur in the corresponding trace function called from
> wb_timer_fn. This occurs when the trace function attempts to access the
> device's name with dev_name.
>
> On a DGXA100 system, this can be reproduced by running the following, where
> /dev/nvme0n1 is one of the 4 NVMe disks in the system that support native
> multipathing:
> $ echo 1 | sudo tee /sys/kernel/tracing/events/wbt/enable
> $ echo 1 | sudo tee /sys/kernel/tracing/tracing_on
> $ sudo dd if=/dev/zero of=/dev/nvme0n1
>
> A NULL pointer dereference will occur and the system will become unresponsive.
>
> [Fix]
> The upstream commit d51cfc53ade318 ("bdi: use bdi_dev_name() to get device
> name") resolves this by changing the wbt:wbt_* trace functions to use the
> bdi_dev_name function instead of dev_name. The bdi_dev_name function safely
> handles the case where the supplied device is NULL.
>
> [Test Case]
> Verified that the commit d51cfc53ade318 ("bdi: use bdi_dev_name() to get device
> name") resolves the issue on DGXA100 when applied to the "Ubuntu-5.4.0-196.216"
> tag. The reproducer no longer causes a NULL pointer dereference or otherwise
> crashes the system.
>
> [Regression Potential]
> There is a low risk of a regression:
> * In the focal K5.4 kernel, the bdi_dev_name function is used in other trace
> event functions for the same purpose of catching the case where bdi->dev is
> NULL.
> * This change is already present in kernel versions 5.7 and newer.
>
> [Other]
> The patch d51cfc53ade318 ("bdi: use bdi_dev_name() to get device name") is
> already present in Jammy K5.15 and newer.
>
> v2 and v3:
> - fix email threading
>
> Yufen Yu (1):
> bdi: use bdi_dev_name() to get device name
>
> block/bfq-iosched.c | 6 ++++--
> block/blk-cgroup.c | 2 +-
> fs/ceph/debugfs.c | 2 +-
> include/trace/events/wbt.h | 8 ++++----
> 4 files changed, 10 insertions(+), 8 deletions(-)
>
--
Thibault
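
A check for the precondition described under [Impact], added here as an example; it is not part of the patch or of the thread. It assumes the sysfs "hidden" attribute under /sys/block/<disk>/ and the tracefs paths used in the reproducer; the function names are hypothetical, and the script cannot tell whether the running kernel already carries d51cfc53ade318.

```shell
#!/bin/sh
# Added example: report whether hidden (GENHD_FL_HIDDEN) disks exist while
# wbt trace events are enabled, the combination described under [Impact].
# Run as root so the tracefs files are readable.

# Print the names of disks whose sysfs "hidden" attribute reads 1.
hidden_disks() {
    for d in "$1"/*; do
        [ -r "$d/hidden" ] || continue
        if [ "$(cat "$d/hidden")" = "1" ]; then
            basename "$d"
        fi
    done
    return 0
}

# Succeed when tracing is on and at least one wbt:wbt_* event is enabled.
wbt_events_on() {
    [ "$(cat "$1/tracing_on" 2>/dev/null)" = "1" ] || return 1
    case "$(cat "$1/events/wbt/enable" 2>/dev/null)" in
        1|X) return 0 ;;   # X: some, but not all, wbt events are enabled
        *)   return 1 ;;
    esac
}

# Usage: check_wbt_exposure [SYSFS_BLOCK_DIR] [TRACEFS_DIR]
# Prints one of:
#   no-hidden-disks
#   hidden-disks-present: <names>   (wbt tracing currently off)
#   exposed: <names>                (hidden disks and wbt tracing both present)
check_wbt_exposure() {
    sysblock=${1:-/sys/block}
    tracefs=${2:-/sys/kernel/tracing}
    disks=$(hidden_disks "$sysblock")
    if [ -z "$disks" ]; then
        echo "no-hidden-disks"
    elif wbt_events_on "$tracefs"; then
        # $disks is left unquoted on purpose to join the names with spaces
        echo "exposed:" $disks
    else
        echo "hidden-disks-present:" $disks
    fi
    return 0
}

check_wbt_exposure "$@"
```

On a kernel without the fix, "exposed" means wbt tracing should be switched off until the updated kernel is installed.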