From: Keerthana K
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: tj@kernel.org, axboe@kernel.dk, cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Laibin Qiu, Ming Lei, Sasha Levin, Keerthana K, Shivani Agarwal
Subject: [PATCH v5.10-v5.15] blk-throttle: Set BIO_THROTTLED when bio has been throttled
Date: Mon, 12 Jan 2026 11:39:36 +0000
Message-ID: <20260112113936.3291786-1-keerthana.kalyanasundaram@broadcom.com>

From: Laibin Qiu

[ Upstream commit 5a011f889b4832aa80c2a872a5aade5c48d2756f ]

1. In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().

2. If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires. But in
the current process, if bio is throttled, the BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free below.

BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380

 dump_stack+0x9b/0xce
 print_address_description.constprop.6+0x3e/0x60
 kasan_report.cold.9+0x22/0x3a
 blk_throtl_bio+0x12f0/0x2c70
 submit_bio_checks+0x701/0x1550
 submit_bio_noacct+0x83/0xc80
 submit_bio+0xa7/0x330
 mpage_readahead+0x380/0x500
 read_pages+0x1c1/0xbf0
 page_cache_ra_unbounded+0x471/0x6f0
 do_page_cache_ra+0xda/0x110
 ondemand_readahead+0x442/0xae0
 page_cache_async_ra+0x210/0x300
 generic_file_buffered_read+0x4d9/0x2130
 generic_file_read_iter+0x315/0x490
 blkdev_read_iter+0x113/0x1b0
 aio_read+0x2ad/0x450
 io_submit_one+0xc8e/0x1d60
 __se_sys_io_submit+0x125/0x350
 do_syscall_64+0x2d/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 26380:
 kasan_save_stack+0x19/0x40
 __kasan_kmalloc.constprop.2+0xc1/0xd0
 kmem_cache_alloc+0x146/0x440
 mempool_alloc+0x125/0x2f0
 bio_alloc_bioset+0x353/0x590
 mpage_alloc+0x3b/0x240
 do_mpage_readpage+0xddf/0x1ef0
 mpage_readahead+0x264/0x500
 read_pages+0x1c1/0xbf0
 page_cache_ra_unbounded+0x471/0x6f0
 do_page_cache_ra+0xda/0x110
 ondemand_readahead+0x442/0xae0
 page_cache_async_ra+0x210/0x300
 generic_file_buffered_read+0x4d9/0x2130
 generic_file_read_iter+0x315/0x490
 blkdev_read_iter+0x113/0x1b0
 aio_read+0x2ad/0x450
 io_submit_one+0xc8e/0x1d60
 __se_sys_io_submit+0x125/0x350
 do_syscall_64+0x2d/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 0:
 kasan_save_stack+0x19/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x1b/0x30
 __kasan_slab_free+0x111/0x160
 kmem_cache_free+0x94/0x460
 mempool_free+0xd6/0x320
 bio_free+0xe0/0x130
 bio_put+0xab/0xe0
 bio_endio+0x3a6/0x5d0
 blk_update_request+0x590/0x1370
 scsi_end_request+0x7d/0x400
 scsi_io_completion+0x1aa/0xe50
 scsi_softirq_done+0x11b/0x240
 blk_mq_complete_request+0xd4/0x120
 scsi_mq_done+0xf0/0x200
 virtscsi_vq_done+0xbc/0x150
 vring_interrupt+0x179/0x390
 __handle_irq_event_percpu+0xf7/0x490
 handle_irq_event_percpu+0x7b/0x160
 handle_irq_event+0xcc/0x170
 handle_edge_irq+0x215/0xb20
 common_interrupt+0x60/0x120
 asm_common_interrupt+0x1e/0x40

Fix this by moving BIO_THROTTLED set into the queue_lock.

Signed-off-by: Laibin Qiu
Reviewed-by: Ming Lei
Link: https://lore.kernel.org/r/20220301123919.2381579-1-qiulaibin@huawei.com
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
[ Keerthana: Remove 'out' and handle return with reference to commit 81c7a63 ]
Signed-off-by: Keerthana K
Signed-off-by: Shivani Agarwal
---
 block/blk-throttle.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/block/blk-throttle.c b/block/blk-throttle.c index 4bf514a7b..4d3436cd6 100644 --- a/block/blk-throttle.c +++ b/block/blk-throttle.c @@ -2216,8 +2216,10 @@ bool blk_throtl_bio(struct bio *bio) rcu_read_lock(); =20 /* see throtl_charge_bio() */ - if (bio_flagged(bio, BIO_THROTTLED)) - goto out; + if (bio_flagged(bio, BIO_THROTTLED)) { + rcu_read_unlock(); + return false; + } =20 if (!cgroup_subsys_on_dfl(io_cgrp_subsys)) { blkg_rwstat_add(&tg->stat_bytes, bio->bi_opf, @@ -2225,8 +2227,10 @@ bool blk_throtl_bio(struct bio *bio) blkg_rwstat_add(&tg->stat_ios, bio->bi_opf, 1); } =20 - if (!tg->has_rules[rw]) - goto out; + if (!tg->has_rules[rw]) { + rcu_read_unlock(); + return false; + } =20 spin_lock_irq(&q->queue_lock); =20 
@@ -2310,14 +2314,14 @@ bool blk_throtl_bio(struct bio *bio) } =20 out_unlock: - spin_unlock_irq(&q->queue_lock); -out: bio_set_flag(bio, BIO_THROTTLED); =20 #ifdef CONFIG_BLK_DEV_THROTTLING_LOW if (throttled || !td->track_bio_latency) bio->bi_issue.value |=3D BIO_ISSUE_THROTL_SKIP_LATENCY; #endif + spin_unlock_irq(&q->queue_lock); + rcu_read_unlock(); return throttled; } --=20 2.40.4
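
Review bot: In the @@ -2225 hunk, the `!tg->has_rules[rw]` exit now returns without running `bio_set_flag(bio, BIO_THROTTLED)` or the CONFIG_BLK_DEV_THROTTLING_LOW block that ORs in BIO_ISSUE_THROTL_SKIP_LATENCY, both of which the removed `goto out` path executed. That is a behaviour change on top of moving the flag set under queue_lock, which is all the commit message describes. Two things follow from the visible lines: if such a bio can reach blk_throtl_bio() again, it is not flagged, so the blkg_rwstat_add() calls just above (taken when !cgroup_subsys_on_dfl(io_cgrp_subsys)) would count it a second time; and with !td->track_bio_latency the latency-skip bit is no longer set on this path. The same applies to the already-flagged exit in the @@ -2216 hunk for the latency-skip bit. Please state in the backport note why dropping both is safe on 5.10 and 5.15, and cite the reference commit with a 12-character hash and its subject line instead of the seven-digit abbreviation.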
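
Review bot: In the @@ -2310 hunk, nothing at `out_unlock:` records why `bio_set_flag(bio, BIO_THROTTLED)` and the `bio->bi_issue.value` update have to come before `spin_unlock_irq(&q->queue_lock)`. The ordering is the whole fix: per the commit message a throttled bio is submitted from blk_throtl_dispatch_work_fn() once the timer expires, and the KASAN "Freed by" stack shows it released through bio_endio and bio_put, so any access to `bio` after the lock is dropped can hit freed memory. A short comment above `bio_set_flag` saying that `bio` must not be touched once queue_lock is released would stop a later cleanup from moving these lines back below the unlock.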