Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp444481ybh; Wed, 18 Mar 2020 02:54:30 -0700 (PDT) X-Google-Smtp-Source: ADFU+vv8hc4w6J/cY306lz3V3TmrCb9aP53aQYESGLpvU57MPwd++mGy6PJ+LAeanASQ+uu/yzcu X-Received: by 2002:a54:4e0e:: with SMTP id a14mr2500773oiy.88.1584525270772; Wed, 18 Mar 2020 02:54:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584525270; cv=none; d=google.com; s=arc-20160816; b=gcHgmfiu6dVoRJoD0rDADnbLeM3r0sxuCeSCOeDmvcwCf/LAVjBgDvGqptMhJu5llU 2bBAfv+oB9cjUgD4t7NLLtZBLU0inR22yDw/9Vz0t00Dhw8KVDJzzUSrg8ju30vvZTGI XMDatqpkqPxDkhPfkwuhxju1I7GesA7BCwKJpwZdTeAq1+XcZxlVrVa2Dc88shWK8Vt1 znShD3hM0Nf04bvsPaOP9ozlxaCWBovE/cyAZhDf32RKD2RDmwnF9KJ+OCfstcZgSKfs O2vaont+Vznt37Jo16BSB3j1EjFJfSNNQE3WFdW9NOFSpuZV9S9qLQMNHSuuI0SiBF4C dqsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=DQYWT+FZ7OxUpOev4JmXnt7SGKCRgK28Wc2qiR4t0pg=; b=efjoAbkX7cLHSDov2qaFK3WH13gdVbYwjc126HVxkRRY43ULdqd6emefBcNYeKZzGX cqtsUPojshy83J9i2eOovgBjoGsQa9vF95gun3dQZHxyKBoRL0KiVJgK5dLHnPLJajVq d9y4kcMUTvQEvVqrLqafPVXPzeXy4h/GQutg8W48mkrsI7MLaw86Ec3pFKALXeVC3ftQ Y9WuBp7f9F9DM188VWoVpV/qeHpXmojukUWE7GmpFKL9J/v+l1osPTGwhYwPM0bubeu8 1VQ8x4okJENE38POhA6itEkHLL6lY/12Ql7PzrDy/MwsYer7TsuMBW1HGUDiSebAG3ni CRjQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d10si3416334oif.30.2020.03.18.02.54.19; Wed, 18 Mar 2020 02:54:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727561AbgCRJxD (ORCPT + 99 others); Wed, 18 Mar 2020 05:53:03 -0400 Received: from szxga06-in.huawei.com ([45.249.212.32]:60706 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726786AbgCRJxC (ORCPT ); Wed, 18 Mar 2020 05:53:02 -0400 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id D795AB3176922763EE12; Wed, 18 Mar 2020 17:52:22 +0800 (CST) Received: from [127.0.0.1] (10.173.220.183) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.487.0; Wed, 18 Mar 2020 17:52:16 +0800 Subject: Re: [PATCH] block, bfq: fix use-after-free in bfq_idle_slice_timer_body To: Paolo Valente CC: Jens Axboe , linux-block , "linux-kernel@vger.kernel.org" , Mingfangsen , Yanxiaodan , "wubo (T)" , renxudong , Louhongxiang References: <6c0d0b36-751b-a63a-418b-888a88ce58f4@huawei.com> <0a6e190a-3393-53f9-b127-d57d67cdcdc8@huawei.com> <4171EF13-7956-44DA-A5BF-0245E4926436@linaro.org> From: Zhiqiang Liu Message-ID: <241f9766-bfe6-485a-331c-fdc693738ffc@huawei.com> Date: Wed, 18 Mar 2020 17:52:15 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 In-Reply-To: <4171EF13-7956-44DA-A5BF-0245E4926436@linaro.org> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.173.220.183] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020/3/18 16:45, Paolo Valente wrote: > > >>>> spin_lock_irqsave(&bfqd->lock, flags); >>>> - bfq_clear_bfqq_wait_request(bfqq); >>>> - >>>> if (bfqq != bfqd->in_service_queue) { >>>> spin_unlock_irqrestore(&bfqd->lock, flags); >>>> return; >>>> } >>>> >>>> + bfq_clear_bfqq_wait_request(bfqq); >>>> + >>> >>> Please add a comment on why you (correctly) clear this flag only if bfqq is in service. >>> >>> For the rest, seems ok to me. >>> >>> Thank you very much for spotting and fixing this bug, >>> Paolo >>> >> Thanks for your reply. >> Considering that the bfqq may be in race, we should firstly check whether bfqq is in service before >> doing something on it. >> > > The comment you propose is correct, but the correctness issue I raised > is essentially the opposite. Sorry for not being clear. > > Let me put it the other way round: why is it still correct that, if > bfqq is not the queue in service, then that flag is not cleared at all? > IOW, why is it not a problem that that flag remains untouched is bfqq > is not in service? > > Thanks, > Paolo > Thanks for your patient. As you comment in bfq_idle_slice_timer, there are two race situations as follows, a) bfqq is null bfq_idle_slice_timer will not call bfq_idle_slice_timer_body ->no problem b) bfqq are not in service 1) bfqq is freed it will cause use-after-free problem before calling bfq_clear_bfqq_wait_request in bfq_idle_slice_timer_body. -> use-after-free problem as analyzed in the patch. 2) bfqq is not freed it means in_service_queue has been set to a new bfqq. The old bfqq has been expired through __bfq_bfqq_expire func. Then the wait_request flags of old bfqq will be cleared in __bfq_bfqd_reset_in_service func. -> it is no a problem to re-clear the wait_request flags before checking whether bfqq is in service. In one word, the old bfqq in race has already cleared the wait_request flag when switching in_service_queue. Thanks, Zhiqiang Liu >>>> >>> >>> >>> . > > > . >