UPSTREAM: loop: Fix use-after-free issues

do_req_filebacked() calls blk_mq_complete_request() synchronously or
    asynchronously when using asynchronous I/O unless memory allocation fails.
    Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor
    'rq' after do_req_filebacked() finished unless we are sure that the request
    has not yet been completed. This patch fixes the following kernel crash:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
    Call trace:
     css_put.42938+0x1c/0x1ac
     loop_process_work+0xc8c/0xfd4
     loop_rootcg_workfn+0x24/0x34
     process_one_work+0x244/0x558
     worker_thread+0x400/0x8fc
     kthread+0x16c/0x1e0
     ret_from_fork+0x10/0x20

    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Ming Lei <ming.lei@redhat.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Dan Schatzberg <schatzberg.dan@gmail.com>
    Fixes: c74d40e8b5 ("loop: charge i/o to mem and blk cg")
    Fixes: bc07c10a36 ("block: loop: support DIO & AIO")
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Reviewed-by: Ming Lei <ming.lei@redhat.com>
    Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

Bug: 274539241
(cherry picked from commit 9b0cb770f5d7b1ff40bea7ca385438ee94570eec)
Signed-off-by: liuyu <liuyu@allwinnertech.com>
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
Change-Id: I33b1e1fdc722a6fa87bc830531f3cf565fc83248

drivers/block/loop.c

@@ -2182,35 +2182,44 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx,
 
 static void loop_handle_cmd(struct loop_cmd *cmd)
 {
+	struct cgroup_subsys_state *cmd_blkcg_css = cmd->blkcg_css;
+	struct cgroup_subsys_state *cmd_memcg_css = cmd->memcg_css;
 	struct request *rq = blk_mq_rq_from_pdu(cmd);
 	const bool write = op_is_write(req_op(rq));
 	struct loop_device *lo = rq->q->queuedata;
 	int ret = 0;
 	struct mem_cgroup *old_memcg = NULL;
+	const bool use_aio = cmd->use_aio;
 
 	if (write && (lo->lo_flags & LO_FLAGS_READ_ONLY)) {
 		ret = -EIO;
 		goto failed;
 	}
 
-	if (cmd->blkcg_css)
-		kthread_associate_blkcg(cmd->blkcg_css);
-	if (cmd->memcg_css)
+	if (cmd_blkcg_css)
+		kthread_associate_blkcg(cmd_blkcg_css);
+	if (cmd_memcg_css)
 		old_memcg = set_active_memcg(
-			mem_cgroup_from_css(cmd->memcg_css));
+			mem_cgroup_from_css(cmd_memcg_css));
 
+	/*
+	 * do_req_filebacked() may call blk_mq_complete_request() synchronously
+	 * or asynchronously if using aio. Hence, do not touch 'cmd' after
+	 * do_req_filebacked() has returned unless we are sure that 'cmd' has
+	 * not yet been completed.
+	 */
 	ret = do_req_filebacked(lo, rq);
 
-	if (cmd->blkcg_css)
+	if (cmd_blkcg_css)
 		kthread_associate_blkcg(NULL);
 
-	if (cmd->memcg_css) {
+	if (cmd_memcg_css) {
 		set_active_memcg(old_memcg);
-		css_put(cmd->memcg_css);
+		css_put(cmd_memcg_css);
 	}
  failed:
 	/* complete non-aio request */
-	if (!cmd->use_aio || ret) {
+	if (!use_aio || ret) {
 		if (ret == -EOPNOTSUPP)
 			cmd->ret = ret;
 		else