Description
In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely. Reproduce: 1. prepare dm which has iscsi slave device 2. inject io-timeout-fail to dm echo 1 >/sys/class/block/dm-0/io-timeout-fail echo 100 >/sys/kernel/debug/fail_io_timeout/probability echo 10 >/sys/kernel/debug/fail_io_timeout/times 3. read/write dm 4. iscsiadm -m node -u Result: hang task like below [ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds. [ 862.244133] Tainted: G E 6.19.0-rc1+ #51 [ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000 [ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi] [ 862.245264] Call Trace: [ 862.245587] <TASK> [ 862.245814] __schedule+0x810/0x15c0 [ 862.246557] schedule+0x69/0x180 [ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120 [ 862.247688] elevator_change+0x16d/0x460 [ 862.247893] elevator_set_none+0x87/0xf0 [ 862.248798] blk_unregister_queue+0x12e/0x2a0 [ 862.248995] __del_gendisk+0x231/0x7e0 [ 862.250143] del_gendisk+0x12f/0x1d0 [ 862.250339] sd_remove+0x85/0x130 [sd_mod] [ 862.250650] device_release_driver_internal+0x36d/0x530 [ 862.250849] bus_remove_device+0x1dd/0x3f0 [ 862.251042] device_del+0x38a/0x930 [ 862.252095] __scsi_remove_device+0x293/0x360 [ 862.252291] scsi_remove_target+0x486/0x760 [ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi] [ 862.252886] process_one_work+0x633/0xe50 [ 862.253101] worker_thread+0x6df/0xf10 [ 862.253647] kthread+0x36d/0x720 [ 862.254533] ret_from_fork+0x2a6/0x470 [ 862.255852] ret_from_fork_asm+0x1a/0x30 [ 862.256037] </TASK> Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts.
Product status
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before ece6720de9403260088209b0b92d45e0b49ff856
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before 8200fca818c1e2f65bc6cb16d934ff6049302197
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before b307b6307f6459841312432bd4bc9519cbac97f5
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before 4f9e7ca933a9fbf9912a384b061a00c77332cbf0
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before 6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before c8a23d4c995ef4227bd4de64cd3910637ee6162e
e6ee8c0b767540f59e20da3ced282601db8aa502 (git) before f3a9c95a15d2f4466acad5c68faeff79ca5e9f47
2.6.31
Any version before 2.6.31
5.10.252 (semver)
5.15.202 (semver)
6.1.165 (semver)
6.6.128 (semver)
6.12.75 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/ece6720de9403260088209b0b92d45e0b49ff856
git.kernel.org/...c/8200fca818c1e2f65bc6cb16d934ff6049302197
git.kernel.org/...c/b307b6307f6459841312432bd4bc9519cbac97f5
git.kernel.org/...c/4f9e7ca933a9fbf9912a384b061a00c77332cbf0
git.kernel.org/...c/cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
git.kernel.org/...c/6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
git.kernel.org/...c/c8a23d4c995ef4227bd4de64cd3910637ee6162e
git.kernel.org/...c/f3a9c95a15d2f4466acad5c68faeff79ca5e9f47