Subject: Re: [PATCH] block, bfq: fix use-after-free in bfq_idle_slice_timer_body
From: Zhiqiang Liu
To: Paolo Valente
CC: Jens Axboe, linux-block, linux-kernel@vger.kernel.org, Mingfangsen, Yanxiaodan, "wubo (T)", renxudong, Louhongxiang
Date: Thu, 19 Mar 2020 09:42:44 +0800
References: <6c0d0b36-751b-a63a-418b-888a88ce58f4@huawei.com> <0a6e190a-3393-53f9-b127-d57d67cdcdc8@huawei.com> <4171EF13-7956-44DA-A5BF-0245E4926436@linaro.org> <241f9766-bfe6-485a-331c-fdc693738ffc@huawei.com>

On 2020/3/18 19:07, Paolo Valente wrote:
>
>> Il giorno 18 mar 2020, alle ore 10:52, Zhiqiang Liu ha scritto:
>>
>> On 2020/3/18 16:45, Paolo Valente wrote:
>>>
>>>>>> 	spin_lock_irqsave(&bfqd->lock, flags);
>>>>>> -	bfq_clear_bfqq_wait_request(bfqq);
>>>>>> -
>>>>>> 	if (bfqq != bfqd->in_service_queue) {
>>>>>> 		spin_unlock_irqrestore(&bfqd->lock, flags);
>>>>>> 		return;
>>>>>> 	}
>>>>>>
>>>>>> +	bfq_clear_bfqq_wait_request(bfqq);
>>>>>> +
>>>>>
>>>>> Please add a comment on why you (correctly) clear this flag only if bfqq is in service.
>>>>>
>>>>> For the rest, it seems ok to me.
>>>>>
>>>>> Thank you very much for spotting and fixing this bug,
>>>>> Paolo
>>>>>
>>>> Thanks for your reply.
>>>> Considering that the bfqq may be in a race, we should first check whether bfqq is
>>>> in service before doing anything with it.
>>>>
>>> The comment you propose is correct, but the correctness issue I raised
>>> is essentially the opposite. Sorry for not being clear.
>>>
>>> Let me put it the other way round: why is it still correct that, if
>>> bfqq is not the queue in service, then that flag is not cleared at all?
>>> IOW, why is it not a problem that the flag remains untouched if bfqq
>>> is not in service?
>>>
>>> Thanks,
>>> Paolo
>>>
>> Thanks for your patience.
>> As you comment in bfq_idle_slice_timer, there are two race situations, as follows:
>> a) bfqq is NULL
>>    bfq_idle_slice_timer will not call bfq_idle_slice_timer_body -> no problem
>> b) bfqq is not in service
>>    1) bfqq has been freed
>>       Calling bfq_clear_bfqq_wait_request before the in-service check in
>>       bfq_idle_slice_timer_body dereferences freed memory. -> the use-after-free
>>       problem analyzed in the patch.
>>    2) bfqq has not been freed
>>       This means in_service_queue has been set to a new bfqq. The old bfqq has been
>>       expired through the __bfq_bfqq_expire func, and its wait_request flag has
>>       already been cleared in the __bfq_bfqd_reset_in_service func. -> it is not a
>>       problem that the wait_request flag is left untouched when bfqq is found not
>>       to be in service.
>
> Great, this item 2 is exactly what I meant. We need a comment
> because, even if now this stuff is clear to you, imagine somebody
> else getting to your modified piece of code after reading hundreds of
> lines of code, about a non-trivial state machine such as BFQ ... :)
>
> Thanks,
> Paolo
>
Ok, I will add the following comment in the v3 patch:

    Considering that bfqq may be in a race, we should first check whether bfqq is
    in service before doing anything with it. If the bfqq in the race is not in
    service, it means the bfqq has been expired through __bfq_bfqq_expire, and its
    wait_request flag has been cleared in __bfq_bfqd_reset_in_service.

>> In one word, the old bfqq in the race has already had its wait_request flag
>> cleared by the time in_service_queue was switched.
>>
>> Thanks,
>> Zhiqiang Liu