Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp15127067rwb; Mon, 28 Nov 2022 08:14:04 -0800 (PST) X-Google-Smtp-Source: AA0mqf6OTgVKubBybmBHZ7xkYoEf4ExcWVTF4m4hBAoD92SYl5v34b02wqiBHy/we7cf8Ic4E4a/ X-Received: by 2002:a17:906:1c12:b0:7b5:f9dd:2f4 with SMTP id k18-20020a1709061c1200b007b5f9dd02f4mr32235409ejg.243.1669652044517; Mon, 28 Nov 2022 08:14:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669652044; cv=none; d=google.com; s=arc-20160816; b=KzyVVo9xbYo3Bp8WXnDorvIVpcHtfKjmFNx+RdRXOz+DfMimJn4iEbX4dJMnyUGfpy Xt8pErTmfKeKRnJz1J7ST9F9hGmfoc0f0xAyEGpDTzMsT+O3yI1LHK+o4OSm/nL84GlN NZAJE8IRNAVY42TiiJsy7IXisaOjKHEx++mWtFp+G9Z+4c5kjgYYTjJ6OJzrCsmTbJdR waaGHq1mSxeZ5wf64+HdGrc2X+4XMPf7FIcUiaFbypz08Kkzry4HGCYbWjygHiF3s5A9 eINE6hgodAHvhi5wRtJn+vA+hiRSTIQBQI5VM97VJ+0VEJRpNGE9govTiNWhPniibu3G IG5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=/AJ0l8IgalwuHi6aQkbaTJH6CSV9/VHsYq9E6VyGE4U=; b=fmShvkCjUfCD/6D+gLMDuy3vsm7++V/UfxrFGpkldjD0ehEZT+jxCjF3XMfqiPqIiB pleSbvth0PUphXIGFj9ifPXnSIsKwiwAsgu0falCCdFzFNjVE+x94yUbqkaxtXUECeH/ 3mGhsdnjAhpDdDVMbEpjjAt36KBP8cUvQXhPJECcyoomRyKREYcZsdNs49MfWHNb8KLu 5h6Eepzm6E2A/EpGF0RXvvUqGrHBrBHVEVMsPBu6CP+cTJW08+WwcSozqJ4qe6mmEHoW +5tlO+fduENweTX/sHSPM9nvkFhnmRVomnUzfuJuwfrn5iKShM16rxSXICiTjdOZ2M8T YA7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=iTUCC3Av; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s5-20020a50d485000000b004690be1cef0si9518429edi.84.2022.11.28.08.13.43; Mon, 28 Nov 2022 08:14:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=iTUCC3Av; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232391AbiK1Pyn (ORCPT + 84 others); Mon, 28 Nov 2022 10:54:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232418AbiK1Pyl (ORCPT ); Mon, 28 Nov 2022 10:54:41 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 384CA22B24 for ; Mon, 28 Nov 2022 07:53:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1669650819; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=/AJ0l8IgalwuHi6aQkbaTJH6CSV9/VHsYq9E6VyGE4U=; b=iTUCC3AvVb9+htMTXrYbVnOB/VKoBaIEi2QFHDEsFTgpQl0cld++MGQ9Xu2uvSXFCteAy8 z53+iL+/TJ6aKfPNUxQrzu2wzEjjBKUIhYdtPQO0ojJ4KQmpt4hVxZJvZxzsMkmLnqOmc7 w0zmQ0G9LtFiYVQ1s6+yYVI1fvxKQow= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-607-Uqa5zVnyMkuBLW5ut3eDSQ-1; Mon, 28 Nov 2022 10:53:36 -0500 X-MC-Unique: Uqa5zVnyMkuBLW5ut3eDSQ-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 626638027F5; Mon, 28 Nov 2022 15:53:35 +0000 (UTC) Received: from [10.22.10.34] (unknown [10.22.10.34]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8D3731415100; Mon, 28 Nov 2022 15:53:34 +0000 (UTC) Message-ID: Date: Mon, 28 Nov 2022 10:53:32 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.0 Subject: Re: [PATCH-block] blk-cgroup: Use css_tryget() in blkcg_destroy_blkgs() Content-Language: en-US To: Jens Axboe , Tejun Heo Cc: cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Ming Lei , Andy Shevchenko , Andrew Morton , =?UTF-8?Q?Michal_Koutn=c3=bd?= , Hillf Danton , Yi Zhang References: <20221128033057.1279383-1-longman@redhat.com> <427068db-6695-a1e2-4aa2-033220680eb9@kernel.dk> <786aacda-b25d-67f6-bad3-0030b0e2637e@kernel.dk> From: Waiman Long In-Reply-To: <786aacda-b25d-67f6-bad3-0030b0e2637e@kernel.dk> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/28/22 10:42, Jens Axboe wrote: > On 11/28/22 8:38?AM, Waiman Long wrote: >> On 11/28/22 09:14, Jens Axboe wrote: >>> On 11/27/22 8:30?PM, Waiman Long wrote: >>>> Commit 951d1e94801f ("blk-cgroup: Flush stats at blkgs destruction >>>> path") incorrectly assumes that css_get() will always succeed. That may >>>> not be true if there is no blkg associated with the blkcg. If css_get() >>>> fails, the subsequent css_put() call may lead to data corruption as >>>> was illustrated in a test system that it crashed on bootup when that >>>> commit was included. Also blkcg may be freed at any time leading to >>>> use-after-free. Fix it by using css_tryget() instead and bail out if >>>> the tryget fails. >>>> >>>> Fixes: 951d1e94801f ("blk-cgroup: Flush stats at blkgs destruction path") >>>> Reported-by: Yi Zhang >>>> Signed-off-by: Waiman Long >>>> --- >>>> ? block/blk-cgroup.c | 7 ++++++- >>>> ? 1 file changed, 6 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c >>>> index 57941d2a8ba3..74fefc8cbcdf 100644 >>>> --- a/block/blk-cgroup.c >>>> +++ b/block/blk-cgroup.c >>>> @@ -1088,7 +1088,12 @@ static void blkcg_destroy_blkgs(struct blkcg *blkcg) >>>> ? ????? might_sleep(); >>>> ? -??? css_get(&blkcg->css); >>>> +??? /* >>>> +???? * If css_tryget() fails, there is no blkg to destroy. >>>> +???? */ >>>> +??? if (!css_tryget(&blkcg->css)) >>>> +??????? return; >>>> + >>>> ????? spin_lock_irq(&blkcg->lock); >>>> ????? while (!hlist_empty(&blkcg->blkg_list)) { >>>> ????????? struct blkcg_gq *blkg = hlist_entry(blkcg->blkg_list.first, >>> This doesn't seem safe to me, but maybe I'm missing something. A tryget >>> operation can be fine if we're under RCU lock and the entity is freed >>> appropriately, but what makes it safe here? Could blkcg already be gone >>> at this point? >> The actual freeing of the blkcg structure is under RCU protection. So >> the structure won't be freed immediately even if css_tryget() fails. I >> suspect what Michal found may be the root cause of this problem. If >> so, this is an existing bug which gets exposed by my patch. > But what prevents it from going away here since you're not under RCU > lock for the tryget? Doesn't help that the freeing side is done in an > RCU safe manner, if the ref attempt is not. You are right. blkcg_destroy_blkgs() shouldn't be called with all the blkcg references gone. Will work on a revised patch. Cheers, Longman