Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3935324ybb;
        Mon, 6 Apr 2020 19:47:53 -0700 (PDT)
X-Google-Smtp-Source: APiQypKIoiJ/blrsJCKOsGWfqPVFXYKgeYdJqiE57p7G9eGRS+j0ggJpY/6nZieAAnayYS41ggRA
X-Received: by 2002:aca:4cc9:: with SMTP id z192mr147461oia.134.1586227673446;
        Mon, 06 Apr 2020 19:47:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586227673; cv=none;
        d=google.com; s=arc-20160816;
        b=FHk00OGkcqI1hHmcQhbjLTgZnk3yO+2bTs6ukTvXQp7tOvrC1bUeKdGnZ0CR4hmzjU
         JBnesEyXolHlkOKLJr0HkUEWfDqStFg0/pbrG+mvmuc4KF+2eHiPJnTVRu3NtmrkplJB
         zwLGgkCE1oKFVKbzTznnrky9rrNLVzvAibhbQkRpXGMMmU/RyGXAesqIgUMsClp4R6Vy
         6rGcEXkRVLELEBcfcR5TYvUUFT2QWrh0QEh41TwcPExJz+nVtrhH/H9SJDScZBUK6um5
         gfhRFGHKhUL+SEJr6bbYL+15WjHIWc5fMxXp33cBCuWUcHRlE6Ru4pzxbRL0kGV++vlq
         z/6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:references:cc:to
         :subject;
        bh=FUIutSLtPXyzUQvHVbzxVh5l0VUTjWSK5YNz8DwyvN4=;
        b=G3Qm28gLhah5Xca6i4zpcJRqP/SOdoOYRlhm3ewq27uDHJQSEXkOG2K8XzTcMNKoGX
         eFWNAe42HTBWyzY4YJ08a8Rrexlu/SkXFrHaubAKIsgKmEmOnW9h/ke+gD1/CrBDl0nK
         lJGynXc5KgMg3sGsEPlPdR3CTUM+eIgnSj0Z440mpbfZwsXtonB77olyjGVlR590nrKh
         XLfl6e4S/1Mnf1UIAupqkq+HJVQF0cOEOqiwOXK8GL+nw0gsMK0JqJfEyJcNn11SMkoP
         s2q97IdIfzr4FnRSwC8n6m/FDpA+VdF76QE3IepneCaLvlZK6609me8KfnIoxJIwGVrf
         7f3g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g7si659711ots.270.2020.04.06.19.47.40;
        Mon, 06 Apr 2020 19:47:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726579AbgDGCrL (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Mon, 6 Apr 2020 22:47:11 -0400
Received: from szxga04-in.huawei.com ([45.249.212.190]:12616 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726312AbgDGCrL (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Apr 2020 22:47:11 -0400
Received: from DGGEMS403-HUB.china.huawei.com (unknown [172.30.72.60])
        by Forcepoint Email with ESMTP id D3634CBD79F8FD698109;
        Tue,  7 Apr 2020 10:47:04 +0800 (CST)
Received: from [127.0.0.1] (10.173.220.66) by DGGEMS403-HUB.china.huawei.com
 (10.3.19.203) with Microsoft SMTP Server id 14.3.487.0; Tue, 7 Apr 2020
 10:47:03 +0800
Subject: Re: [RFC 0/3] block: address blktrace use-after-free
To:     Ming Lei <ming.lei@redhat.com>,
        Luis Chamberlain <mcgrof@kernel.org>
CC:     <axboe@kernel.dk>, <viro@zeniv.linux.org.uk>,
        <gregkh@linuxfoundation.org>, <rostedt@goodmis.org>,
        <mingo@redhat.com>, <jack@suse.cz>, <nstange@suse.de>,
        <mhocko@suse.com>, <linux-block@vger.kernel.org>,
        <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>
References: <20200402000002.7442-1-mcgrof@kernel.org>
 <20200403081929.GC6887@ming.t460p>
From:   "yukuai (C)" <yukuai3@huawei.com>
Message-ID: <0e753195-72fb-ce83-16a1-176f2c3cea6a@huawei.com>
Date:   Tue, 7 Apr 2020 10:47:01 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <20200403081929.GC6887@ming.t460p>
Content-Type: text/plain; charset="gbk"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.173.220.66]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020/4/3 16:19, Ming Lei wrote:

> BTW, Yu Kuai posted one patch for this issue, looks that approach
> is simpler:
> 
> https://lore.kernel.org/linux-block/20200324132315.22133-1-yukuai3@huawei.com/
> 
> 

I think the issue might not be fixed with the patch seires.

At first, I think there are two key points for the issure:
1. The final release of queue is delayed in a workqueue
2. The creation of 'q->debugfs_dir' might failed(only if 1 exist)
And if we can fix any of the above problem, the UAF issue will be fixed.
(BTW, I did not come up with a good idea for problem 1, and my approach
is for problem 2.)

The third patch "block: avoid deferral of blk_release_queue() work" is
not enough to fix problem 1:
a. if CONFIG_DEBUG_KOBJECT_RELEASE is enable:
static void kobject_release(struct kref *kref)
{
         struct kobject *kobj = container_of(kref, struct kobject, kref);
#ifdef CONFIG_DEBUG_KOBJECT_RELEASE
         unsigned long delay = HZ + HZ * (get_random_int() & 0x3);
         pr_info("kobject: '%s' (%p): %s, parent %p (delayed %ld)\n",
                 ??kobject_name(kobj), kobj, __func__, kobj->parent, delay);
         INIT_DELAYED_WORK(&kobj->release, kobject_delayed_cleanup);

         schedule_delayed_work(&kobj->release, delay);
#else
         kobject_cleanup(kobj);
#endif
}
b. when 'kobject_put' is called from blk_cleanup_queue, can we make sure
it is the last reference?

Futhermore, I do understand the second patch fix the UAF problem by
using 'q->debugfs_dir' instead of 'q->blk_trace->dir', but the problem 2
still exist and need to be fixed.

Thanks!
Yu Kuai