Description
In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely. Reproduce: 1. prepare dm which has iscsi slave device 2. inject io-timeout-fail to dm echo 1 >/sys/class/block/dm-0/io-timeout-fail echo 100 >/sys/kernel/debug/fail_io_timeout/probability echo 10 >/sys/kernel/debug/fail_io_timeout/times 3. read/write dm 4. iscsiadm -m node -u Result: hang task like below [ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds. [ 862.244133] Tainted: G E 6.19.0-rc1+ #51 [ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000 [ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi] [ 862.245264] Call Trace: [ 862.245587] <TASK> [ 862.245814] __schedule+0x810/0x15c0 [ 862.246557] schedule+0x69/0x180 [ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120 [ 862.247688] elevator_change+0x16d/0x460 [ 862.247893] elevator_set_none+0x87/0xf0 [ 862.248798] blk_unregister_queue+0x12e/0x2a0 [ 862.248995] __del_gendisk+0x231/0x7e0 [ 862.250143] del_gendisk+0x12f/0x1d0 [ 862.250339] sd_remove+0x85/0x130 [sd_mod] [ 862.250650] device_release_driver_internal+0x36d/0x530 [ 862.250849] bus_remove_device+0x1dd/0x3f0 [ 862.251042] device_del+0x38a/0x930 [ 862.252095] __scsi_remove_device+0x293/0x360 [ 862.252291] scsi_remove_target+0x486/0x760 [ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi] [ 862.252886] process_one_work+0x633/0xe50 [ 862.253101] worker_thread+0x6df/0xf10 [ 862.253647] kthread+0x36d/0x720 [ 862.254533] ret_from_fork+0x2a6/0x470 [ 862.255852] ret_from_fork_asm+0x1a/0x30 [ 862.256037] </TASK> Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts.
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ece6720de9403260088209b0b92d45e0b49ff856
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 8200fca818c1e2f65bc6cb16d934ff6049302197
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b307b6307f6459841312432bd4bc9519cbac97f5
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4f9e7ca933a9fbf9912a384b061a00c77332cbf0
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c8a23d4c995ef4227bd4de64cd3910637ee6162e
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f3a9c95a15d2f4466acad5c68faeff79ca5e9f47
5.10.252 (semver)
5.15.202 (semver)
6.1.165 (semver)
6.6.128 (semver)
6.12.75 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/ece6720de9403260088209b0b92d45e0b49ff856
git.kernel.org/...c/8200fca818c1e2f65bc6cb16d934ff6049302197
git.kernel.org/...c/b307b6307f6459841312432bd4bc9519cbac97f5
git.kernel.org/...c/4f9e7ca933a9fbf9912a384b061a00c77332cbf0
git.kernel.org/...c/cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
git.kernel.org/...c/6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
git.kernel.org/...c/c8a23d4c995ef4227bd4de64cd3910637ee6162e
git.kernel.org/...c/f3a9c95a15d2f4466acad5c68faeff79ca5e9f47