Message-ID: <5fbaea42-14a7-27a8-cea1-3a59161ceba0@kernel.dk>
Date: Wed, 14 Dec 2022 09:54:35 -0700
Subject: Re: [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg
To: Waiman Long, Tejun Heo
Cc: Josef Bacik, Zefan Li, Johannes Weiner, Andrew Morton, cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Michal Koutný, "Dennis Zhou (Facebook)", Yi Zhang
References: <20221213184446.50181-1-longman@redhat.com> <20221213184446.50181-2-longman@redhat.com> <34a8c4a7-a58d-63fc-4599-accf1cbb6aae@redhat.com>
From: Jens Axboe
In-Reply-To: <34a8c4a7-a58d-63fc-4599-accf1cbb6aae@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 12/13/22 12:53 PM, Waiman Long wrote:
>
> On 12/13/22 14:29, Tejun Heo wrote:
>> On Tue, Dec 13, 2022 at 01:44:45PM -0500, Waiman Long wrote:
>>> Commit 59b57717fff8 ("blkcg: delay blkg destruction until after
>>> writeback has finished") delayed call to blkcg_destroy_blkgs() to
>>> cgwb_release_workfn(). However, it is done after a css_put() of blkcg
>>> which may be the final put that causes the blkcg to be freed as RCU
>>> read lock isn't held.
>>>
>>> Another place where blkcg_destroy_blkgs() can be called indirectly via
>>> blkcg_unpin_online() is from the offline_css() function called from
>>> css_killed_work_fn(). Over there, the potentially final css_put() call
>>> is issued after offline_css().
>>>
>>> By adding a css_tryget() into blkcg_destroy_blkgs() and warning its
>>> failure, the following stack trace was produced in a test system on
>>> bootup.
>> This doesn't agree with the code anymore. Otherwise
>>
>> Acked-by: Tejun Heo
>
> Sorry, I overlooked the commit log in my update. I will update it if I need another version, or Jens can make the following edit:
>
> css_tryget() -> percpu_ref_is_zero().

Since the other one also needs an edit, would be great if you could just
send out a v4.

-- 
Jens Axboe
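
The ordering hazard described in the quoted commit log (a put that may be the final one, followed by further use of the object), as an added userspace illustration that is not part of this thread or of the patch. The struct and all function names are hypothetical stand-ins, and a counter replaces the real free so the late access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct obj {
    int  refs;      /* reference count */
    bool released;  /* set where real code would free the memory */
    int  late_uses; /* accesses made after the count reached zero */
};

static void obj_put(struct obj *o)
{
    if (--o->refs == 0)
        o->released = true;   /* real code would free the object here */
}

/* Stand-in for the destroy step: it still dereferences the object. */
static void obj_destroy_children(struct obj *o)
{
    if (o->refs == 0)         /* zero-ref check, as a debugging aid */
        o->late_uses++;       /* on real memory: a use-after-free */
}

/* Hazardous ordering: drop our reference, then keep using the object. */
static int put_then_destroy(int other_holders)
{
    struct obj o = { .refs = 1 + other_holders };
    obj_put(&o);
    obj_destroy_children(&o);
    return o.late_uses;
}

/* Safe ordering: finish using the object while our reference pins it. */
static int destroy_then_put(int other_holders)
{
    struct obj o = { .refs = 1 + other_holders };
    obj_destroy_children(&o);
    obj_put(&o);
    return o.late_uses;
}

int main(void)
{
    printf("put first, last holder:  %d late use(s)\n", put_then_destroy(0));
    printf("put first, other holder: %d late use(s)\n", put_then_destroy(1));
    printf("destroy first:           %d late use(s)\n", destroy_then_put(0));
    return 0;
}
```

The second case shows why such a bug can stay hidden: the late access only occurs when the put happens to be the final one.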