Received: by 2002:a25:d783:0:0:0:0:0 with SMTP id o125csp121012ybg;
        Wed, 18 Mar 2020 18:43:55 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vs/nnDc8xE958tW15S4UQT8QVlKnkBiaEvqjRbyurLqM18ZL/X9KD0PUXI1xJZXkJP1+i6h
X-Received: by 2002:aca:4cd8:: with SMTP id z207mr634031oia.155.1584582235035;
        Wed, 18 Mar 2020 18:43:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584582235; cv=none;
        d=google.com; s=arc-20160816;
        b=mHUgTZHCb/FgtUK16oFD9yCsBjHX0bMlAg6WDmxCBErDF0onWnmYJy9c2T6QKTfpEw
         0W4QcIwLBLYEZkNSYKjXJimZqLIi/fmgDPLTvzzf/hFhShfPZ1hXaDXQhE7B5PSxaP6S
         d3Q7O2yat4NnDxeLuAgs0eXjOUiO0JynOwShd+QzqiYY7nnqqLIaHl+NebO7HQyX/zbm
         dEWy6nALFFAvCoBIaAcyj7mLzEAjBPvP4+1owGYgJDr/Bm1Lb3Wyb5iAoy3v8yP5jskA
         3qvXt2L4Ubmebh0PpDCV0+aN2lMkw/M5tE6rEhXxx7V1J/SYC0RqW4eYI+wVUuQbZybJ
         Dk9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=ZLTNQAzGNaLz09FX3Gn/VsZ6bH6f2f0S66RplgjQ2E4=;
        b=jSyOMO0jlfZiHOg2sNqWw9GorBnREiu8Dvi5w5f7wEMHXIapfx35KZzrkyCkjG0H/O
         gV9GwYJr7k719ElWEvpIoPvUGN+/nelpzUMaBbnTAF8En9+XnTSS0x+BShTI05zmRwH1
         eaPIh4F4JtYsPcjwprj6n9AGsHHWUH+tlVRwjuHlUyRqmCk2jjueSOvMd1C11KRT1yxX
         3e6GlF9eBpbvnY52GYI8vhJQlmi2VVmzL9dfE7lFPSXBHVrhKjgoQHIzhsknEh7LpqYQ
         uMg+nJZYbt3NO8PM6M23jTHE7J1imYXWWo3Z+8MPDXzoV4BXf8HhPheDl+j0szugiGmY
         C1tA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m20si439707otk.238.2020.03.18.18.43.42;
        Wed, 18 Mar 2020 18:43:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727065AbgCSBm5 (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 18 Mar 2020 21:42:57 -0400
Received: from szxga06-in.huawei.com ([45.249.212.32]:47522 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726623AbgCSBm5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Mar 2020 21:42:57 -0400
Received: from DGGEMS403-HUB.china.huawei.com (unknown [172.30.72.60])
        by Forcepoint Email with ESMTP id D2B13D9740C94B40F8FC;
        Thu, 19 Mar 2020 09:42:51 +0800 (CST)
Received: from [127.0.0.1] (10.173.220.183) by DGGEMS403-HUB.china.huawei.com
 (10.3.19.203) with Microsoft SMTP Server id 14.3.487.0; Thu, 19 Mar 2020
 09:42:45 +0800
Subject: Re: [PATCH] block, bfq: fix use-after-free in
 bfq_idle_slice_timer_body
To:     Paolo Valente <paolo.valente@linaro.org>
CC:     Jens Axboe <axboe@kernel.dk>,
        linux-block <linux-block@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Mingfangsen <mingfangsen@huawei.com>,
        Yanxiaodan <yanxiaodan@huawei.com>,
        "wubo (T)" <wubo40@huawei.com>, renxudong <renxudong1@huawei.com>,
        Louhongxiang <louhongxiang@huawei.com>
References: <6c0d0b36-751b-a63a-418b-888a88ce58f4@huawei.com>
 <C69604D5-CBB7-4A5F-AD73-7A9C0B6B3360@linaro.org>
 <0a6e190a-3393-53f9-b127-d57d67cdcdc8@huawei.com>
 <4171EF13-7956-44DA-A5BF-0245E4926436@linaro.org>
 <241f9766-bfe6-485a-331c-fdc693738ffc@huawei.com>
 <A7FFF605-BAA8-42C1-B648-1D5BA17D1286@linaro.org>
From:   Zhiqiang Liu <liuzhiqiang26@huawei.com>
Message-ID: <d4769184-c049-2a2d-0ad4-907bea0e3c6b@huawei.com>
Date:   Thu, 19 Mar 2020 09:42:44 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <A7FFF605-BAA8-42C1-B648-1D5BA17D1286@linaro.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.173.220.183]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 2020/3/18 19:07, Paolo Valente wrote:
> 
> 
>> Il giorno 18 mar 2020, alle ore 10:52, Zhiqiang Liu <liuzhiqiang26@huawei.com> ha scritto:
>>
>>
>>
>> On 2020/3/18 16:45, Paolo Valente wrote:
>>>
>>>
>>>>>> 	spin_lock_irqsave(&bfqd->lock, flags);
>>>>>> -	bfq_clear_bfqq_wait_request(bfqq);
>>>>>> -
>>>>>> 	if (bfqq != bfqd->in_service_queue) {
>>>>>> 		spin_unlock_irqrestore(&bfqd->lock, flags);
>>>>>> 		return;
>>>>>> 	}
>>>>>>
>>>>>> +	bfq_clear_bfqq_wait_request(bfqq);
>>>>>> +
>>>>>
>>>>> Please add a comment on why you (correctly) clear this flag only if bfqq is in service.
>>>>>
>>>>> For the rest, seems ok to me.
>>>>>
>>>>> Thank you very much for spotting and fixing this bug,
>>>>> Paolo
>>>>>
>>>> Thanks for your reply.
>>>> Considering that the bfqq may be in race, we should firstly check whether bfqq is in service before
>>>> doing something on it.
>>>>
>>>
>>> The comment you propose is correct, but the correctness issue I raised
>>> is essentially the opposite.  Sorry for not being clear.
>>>
>>> Let me put it the other way round: why is it still correct that, if
>>> bfqq is not the queue in service, then that flag is not cleared at all?
>>> IOW, why is it not a problem that that flag remains untouched is bfqq
>>> is not in service?
>>>
>>> Thanks,
>>> Paolo
>>>
>> Thanks for your patient.
>> As you comment in bfq_idle_slice_timer, there are two race situations as follows,
>> a) bfqq is null
>>   bfq_idle_slice_timer will not call bfq_idle_slice_timer_body ->no problem
>> b) bfqq are not in service
>>   1) bfqq is freed
>>      it will cause use-after-free problem before calling bfq_clear_bfqq_wait_request
>>      in bfq_idle_slice_timer_body. -> use-after-free problem as analyzed in the patch.
>>   2) bfqq is not freed
>>      it means in_service_queue has been set to a new bfqq. The old bfqq has been expired
>>      through __bfq_bfqq_expire func. Then the wait_request flags of old bfqq will be cleared
>>      in __bfq_bfqd_reset_in_service func. -> it is no a problem to re-clear the wait_request
>>      flags before checking whether bfqq is in service.
> 
> Great, this item 2 is exactly what I meant.  We need a comment
> because, even if now this stuff is clear to you, imagine somebody
> else getting to your modified piece of code after reading hundreds of
> lines of code, about a non-trivial state machine as BFQ ...  :)
> 
> Thanks,
> Paolo
> 
Ok, I will add the following comment in the v3 patch.

Considering that the bfqq may be in race, we should firstly check whether bfqq is in service
before doing something on it. If the bfqq in race is not in service, it means the bfqq has
been expired through __bfq_bfqq_expire func, and wait_request flags has been cleared in
__bfq_bfqd_reset_in_service func.

>>
>> In one word, the old bfqq in race has already cleared the wait_request flag when switching in_service_queue.
>>
>> Thanks,
>> Zhiqiang Liu
>>
>>>>>>
>>>>>
>>>>>
>>>>> .
>>>
>>>
>>> .
>>>
>>
> 
> 
> .
>