Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Sender: Tejun Heo <htejun@gmail.com>
Date:   Wed, 18 Jan 2023 06:54:41 -1000
From:   Tejun Heo <tj@kernel.org>
To:     Yu Kuai <yukuai1@huaweicloud.com>
Cc:     hch@lst.de, josef@toxicpanda.com, axboe@kernel.dk,
        cgroups@vger.kernel.org, linux-block@vger.kernel.org,
        linux-kernel@vger.kernel.org, yukuai3@huawei.com,
        yi.zhang@huawei.com, yangerkun@huawei.com
Subject: Re: [PATCH -next v2 1/3] blk-cgroup: dropping parent refcount after
 pd_free_fn() is done
Message-ID: <Y8gkUZtbWltG/vI3@slm.duckdns.org>
References: <20230118123152.1926314-1-yukuai1@huaweicloud.com>
 <20230118123152.1926314-2-yukuai1@huaweicloud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230118123152.1926314-2-yukuai1@huaweicloud.com>
Precedence: bulk

On Wed, Jan 18, 2023 at 08:31:50PM +0800, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
> 
> Some cgroup policies will access parent pd through child pd even
> after pd_offline_fn() is done. If pd_free_fn() for parent is called
> before child, then UAF can be triggered. Hence it's better to guarantee
> the order of pd_free_fn().
> 
> Currently refcount of parent blkg is dropped in __blkg_release(), which
> is before pd_free_fn() is called in blkg_free_work_fn() while
> blkg_free_work_fn() is called asynchronously.
> 
> This patch make sure pd_free_fn() called from removing cgroup is ordered
> by delaying dropping parent refcount after calling pd_free_fn() for
> child.
> 
> BTW, pd_free_fn() will also be called from blkcg_deactivate_policy()
> from deleting device, and following patches will guarantee the order.
> 
> Signed-off-by: Yu Kuai <yukuai3@huawei.com>

Acked-by: Tejun Heo <tj@kernel.org>

Thanks.

-- 
tejun