Subject: Re: [PATCH BUGFIX V2] block, bfq: fix use after free in bfq_bfqq_expire
To: Paolo Valente
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, ulf.hansson@linaro.org, linus.walleij@linaro.org, broonie@kernel.org, bfq-iosched@googlegroups.com, oleksandr@natalenko.name, Dmitrii Tcvetkov, Douglas Anderson
References: <20190410083833.14462-1-paolo.valente@linaro.org>
From: Jens Axboe
Message-ID: <94d03c91-2e4b-6f42-7c99-09efe964cc8a@kernel.dk>
Date: Wed, 10 Apr 2019 07:55:04 -0600
In-Reply-To: <20190410083833.14462-1-paolo.valente@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/10/19 2:38 AM, Paolo Valente wrote:
> The function bfq_bfqq_expire() invokes the function
> __bfq_bfqq_expire(), and the latter may free the in-service bfq-queue.
> If this happens, then no other instruction of bfq_bfqq_expire() must
> be executed, or a use-after-free will occur.
>
> Based on the assumption that __bfq_bfqq_expire() invokes
> bfq_put_queue() on the in-service bfq-queue exactly once, the queue is
> assumed to be freed if its refcounter is equal to one right before
> invoking __bfq_bfqq_expire().
>
> But, since commit 9dee8b3b057e ("block, bfq: fix queue removal from
> weights tree") this assumption is false. __bfq_bfqq_expire() may also
> invoke bfq_weights_tree_remove() and, since commit 9dee8b3b057e
> ("block, bfq: fix queue removal from weights tree"), also
> the latter function may invoke bfq_put_queue(). So __bfq_bfqq_expire()
> may invoke bfq_put_queue() twice, and this is the actual case where
> the in-service queue may happen to be freed.
>
> To address this issue, this commit moves the check on the refcounter
> of the queue right around the last bfq_put_queue() that may be invoked
> on the queue.

Applied, thanks.

-- 
Jens Axboe
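The refcount reasoning in the quoted commit message, as an added C model that is not the patch or any kernel code: inner_expire() stands in for __bfq_bfqq_expire() (all names and the struct are assumptions), dropping one reference and, on the weights-tree path, a second one; expire_old() makes the pre-call "ref == 1" check the message describes as wrong, while expire_fixed() relies on the check moved next to the last put.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted bfq queue (not the kernel's struct);
 * "freed" is set instead of calling free() so a stale access stays observable. */
struct queue { int ref; bool freed; };

/* Stands in for bfq_put_queue(): the real one frees the object at zero. */
static void put_queue(struct queue *q) { if (--q->ref == 0) q->freed = true; }

/* Models __bfq_bfqq_expire(): always drops one reference; on the weights-tree
 * removal path it drops a second one first. Returns true if the queue is gone. */
static bool inner_expire(struct queue *q, bool remove_from_weights_tree)
{
    if (remove_from_weights_tree)
        put_queue(q);                  /* bfq_weights_tree_remove() -> bfq_put_queue() */
    bool last_ref = (q->ref == 1);     /* check placed right before the last put */
    put_queue(q);
    return last_ref;
}

/* Old caller: decides "freed" from the refcount before the call; returns true
 * when it ends up reading a queue that was already freed. */
static bool expire_old(struct queue *q, bool remove_from_weights_tree)
{
    bool freed = (q->ref == 1);
    inner_expire(q, remove_from_weights_tree);
    return freed ? false : q->freed;   /* dereferences q: stale after a second put */
}

/* Fixed caller: trusts the check made right at the last put. */
static bool expire_fixed(struct queue *q, bool remove_from_weights_tree)
{
    if (inner_expire(q, remove_from_weights_tree))
        return false;      /* queue freed: return without touching q */
    return q->freed;       /* q still holds references here, never stale */
}

/* Runs one scenario; returns whether a use-after-free would have occurred. */
static bool scenario(int initial_ref, bool remove_from_weights_tree, bool use_fix)
{
    struct queue q = { initial_ref, false };
    return use_fix ? expire_fixed(&q, remove_from_weights_tree)
                   : expire_old(&q, remove_from_weights_tree);
}

int main(void)
{
    printf("old: %d  fixed: %d\n", scenario(2, true, false), scenario(2, true, true));
    return 0;
}
```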