Subject: Re: [PATCH V3] block, bfq: fix use-after-free in bfq_idle_slice_timer_body
To: Zhiqiang Liu, paolo.valente@linaro.org
Cc: linux-block, "linux-kernel@vger.kernel.org", Mingfangsen, yanxiaodan@huawei.com, "wubo (T)", renxudong, Louhongxiang, linfeilong@huawei.com, wangwang2@huawei.com
From: Jens Axboe
Message-ID: <1052be18-ef45-e254-e1bb-09a7cd6d891f@kernel.dk>
Date: Sat, 21 Mar 2020 14:29:57 -0600
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/19/20 5:18 AM, Zhiqiang Liu wrote:
>
> In bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is
> not in bfqd-lock critical section. The bfqq, which is not
> equal to NULL in bfq_idle_slice_timer, may be freed after passing
> to bfq_idle_slice_timer_body. So we will access the freed memory.
>
> In addition, considering the bfqq may be in race, we should
> firstly check whether bfqq is in service before doing something
> on it in bfq_idle_slice_timer_body func. If the bfqq in race is
> not in service, it means the bfqq has been expired through
> __bfq_bfqq_expire func, and wait_request flags has been cleared in
> __bfq_bfqd_reset_in_service func. So we do not need to re-clear the
> wait_request of bfqq which is not in service.

Applied, thanks.

-- 
Jens Axboe
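
The race described in the quoted commit message, replayed as an added example that is not part of this mail or of the kernel patch: a single-threaded userspace model in C that compares a timer body trusting the unlocked pointer with one that checks it against `in_service_queue` under the lock. The struct layouts, the `freed` marker, the `lock`/`unlock` stand-ins and the helper names `expire_in_service`, `timer_body_unchecked`, `timer_body_checked` and `run_race` are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model: names follow the commit message, layouts are assumed. */
struct bfq_queue { bool wait_request; bool freed; /* freed: model-only marker */ };
struct bfq_data  { int lock_held; struct bfq_queue *in_service_queue; };
enum body_result { BODY_SKIPPED_STALE, BODY_CLEARED_WAIT, BODY_TOUCHED_FREED };
static void lock(struct bfq_data *d)   { d->lock_held = 1; } /* stands in for bfqd->lock */
static void unlock(struct bfq_data *d) { d->lock_held = 0; }

/* Stand-in for __bfq_bfqq_expire + __bfq_bfqd_reset_in_service, then the free. */
static void expire_in_service(struct bfq_data *d)
{
    lock(d);
    struct bfq_queue *q = d->in_service_queue;
    if (q) { q->wait_request = false; d->in_service_queue = NULL; q->freed = true; }
    unlock(d);
}

/* Before: trusts a pointer that was sampled outside the lock. */
static enum body_result timer_body_unchecked(struct bfq_data *d, struct bfq_queue *q)
{
    lock(d);
    enum body_result r = q->freed ? BODY_TOUCHED_FREED : BODY_CLEARED_WAIT;
    q->wait_request = false;        /* in the kernel this writes to freed memory */
    unlock(d);
    return r;
}

/* After: compare pointer identity under the lock before any dereference. */
static enum body_result timer_body_checked(struct bfq_data *d, struct bfq_queue *q)
{
    lock(d);
    if (q != d->in_service_queue) { unlock(d); return BODY_SKIPPED_STALE; }
    q->wait_request = false;
    unlock(d);
    return BODY_CLEARED_WAIT;
}

/* Replays the interleaving: timer samples bfqq, expiry may run, body runs. */
static enum body_result run_race(bool checked, bool expire_between)
{
    struct bfq_queue q = { .wait_request = true, .freed = false };
    struct bfq_data d = { .lock_held = 0, .in_service_queue = &q };
    struct bfq_queue *bfqq = d.in_service_queue;    /* read without the lock */
    if (expire_between) expire_in_service(&d);
    return checked ? timer_body_checked(&d, bfqq) : timer_body_unchecked(&d, bfqq);
}

int main(void) { printf("%d %d\n", run_race(false, true), run_race(true, true)); return 0; }
```

The checked body never dereferences `bfqq` on the stale path; it only compares the pointer value, which is why the check is safe even after the object is gone.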