From: "Zhang, Qiang" <Qiang.Zhang@windriver.com>
To: Pavel Begunkov <asml.silence@gmail.com>,
	Hillf Danton <hdanton@sina.com>,
	"axboe@kernel.dk" <axboe@kernel.dk>
Cc: "syzbot+6cb11ade52aa17095297@syzkaller.appspotmail.com" 
	<syzbot+6cb11ade52aa17095297@syzkaller.appspotmail.com>,
	"io-uring@vger.kernel.org" <io-uring@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: Re: Re: [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue
Date: Thu, 10 Jun 2021 01:49:18 +0000	[thread overview]
Message-ID: <DM6PR11MB42025CAC6D19741D7B1F782DFF359@DM6PR11MB4202.namprd11.prod.outlook.com> (raw)
In-Reply-To: <9af68623-57e4-cef0-bb61-347207fb0c45@gmail.com>



________________________________________
From: Pavel Begunkov <asml.silence@gmail.com>
Sent: Tuesday, 8 June 2021 01:38
To: Zhang, Qiang; Hillf Danton; axboe@kernel.dk
Cc: syzbot+6cb11ade52aa17095297@syzkaller.appspotmail.com; io-uring@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: Re: Re: Re: [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue


On 5/25/21 3:01 AM, Zhang, Qiang wrote:
[...]
>> Haven't looked at the trace and description, but I do think
>> there is a problem it solves.
>>
>> 1) io_wait_on_hash() -> __add_wait_queue(&hash->wait, &wqe->wait);
>> 2) (note: wqe is a worker) wqe's workers exit dropping refs
>> 3) refs are zero, free io-wq
>> 4) @hash is shared, so other task/wq does wake_up(&wq->hash->wait);
>> 5) it wakes freed wqe
>>
>> step 4) is a bit trickier than that, tl;dr;
>> wq3:worker1     | locks bit1
>> wq1:worker2     | waits bit1
>> wq2:worker1     | waits bit1
>> wq1:worker3     | waits bit1
>>
>> wq3:worker1     | drop  bit1
>> wq1:worker2     | locks bit1
>> wq1:worker2     | completes all wq1 bit1 work items
>> wq1:worker2     | drop  bit1, exit and free io-wq
>>
>> wq2:worker1     | locks bit1
>> wq1             | free complete
>> wq2:worker1     | drops bit1
>> wq1:worker3     | woken up, even though freed
>>
>> Can be simplified, don't want to waste time on that
>
> Thanks Pavel
>
> Your description is better.  I have another question: under what circumstances will three io-wq(wq1, wq2, wq3) be created to share this @hash?

>Oops, missed the email. It's created by io_uring, and passed to
>io-wq, which is per-task and created on demand by io_uring.
>
>Can be achieved by a snippet just below, where threads
>haven't had io_uring instances before.
>
>thread1: ring = create_io_uring();
>thread2: submit_sqes(ring);
>thread3: submit_sqes(ring);

 Thank you for your explanation, Pavel

>
> This kind of problem also occurs between two io-wq(wq1, wq2). Is the following description OK?

>Yep, and I feel like there are cases simpler (and
>more likely) than the one I described.

>
> wq1:worker2     | locks bit1
> wq2:worker1     | waits bit1
> wq1:worker3     | waits bit1
>
> wq1:worker2     | completes all wq1 bit1 work items
> wq1:worker2     | drop  bit1, exit and free io-wq
>
> wq2:worker1     | locks bit1
> wq1             | free complete
> wq2:worker1     | drops bit1
> wq1:worker3     | woken up, even though freed


>--
>Pavel Begunkov
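The interleavings above describe the same lifetime bug: a wqe links itself onto the hash waitqueue that several io-wq instances share, its own io-wq is then freed while that entry is still linked, and a later wake_up() on the shared hash dereferences the freed wqe. The following single-threaded C model is an added illustration, not code from the thread or from the kernel; `hash`, `wqe`, `wait_entry`, `hash_add_waiter`, `hash_del_waiter`, `hash_wake_up`, `wq_free` and `run_scenario` are simplified stand-ins I made up for io_wq_hash, io_wqe, wait_queue_entry and the add/del/wake_up operations. Memory is never really released; an `alive` tombstone flag stands in for the freed state so the stale access is observable rather than undefined behaviour. It replays the two-wq sequence from the reply and counts how many wakeups land on a freed wqe, once with the wq torn down while still queued and once with the entry unlinked before teardown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model types; names are stand-ins, not kernel definitions. */
struct wqe;

struct wait_entry {
    struct wait_entry *next;
    struct wqe *owner;            /* the wqe this entry wakes */
};

struct hash {                     /* shared waitqueue head, like hash->wait */
    struct wait_entry *head;
};

struct wqe {
    bool alive;                   /* false once its io-wq has been "freed" */
    int wakeups;                  /* wakeups delivered while still alive */
    struct wait_entry wait;
};

/* io_wait_on_hash() analogue: link the wqe's entry onto the shared queue. */
static void hash_add_waiter(struct hash *h, struct wqe *w)
{
    w->wait.owner = w;
    w->wait.next = h->head;
    h->head = &w->wait;
}

/* list_del() analogue: unlink the entry if present; true when it was found. */
static bool hash_del_waiter(struct hash *h, struct wqe *w)
{
    for (struct wait_entry **pp = &h->head; *pp; pp = &(*pp)->next) {
        if (*pp == &w->wait) {
            *pp = w->wait.next;
            w->wait.next = NULL;
            return true;
        }
    }
    return false;
}

/* wake_up(&hash->wait) analogue: walk every linked entry and wake its
 * owner. Returns how many entries pointed at an already freed wqe; in the
 * real kernel each of those is a use-after-free. */
static int hash_wake_up(struct hash *h)
{
    int stale = 0;
    for (struct wait_entry *e = h->head; e; e = e->next) {
        if (e->owner->alive)
            e->owner->wakeups++;
        else
            stale++;
    }
    return stale;
}

/* io-wq teardown. With detach_first == false this mirrors the bug: refs hit
 * zero and the wq is freed with its wait entry still on the shared list.
 * With detach_first == true the entry is unlinked before the free. */
static void wq_free(struct hash *h, struct wqe *w, bool detach_first)
{
    if (detach_first)
        hash_del_waiter(h, w);
    w->alive = false;
}

/* Replay of the two-wq sequence from the thread:
 *   wq1:worker2 locks bit1; wq2:worker1 and wq1:worker3 wait on bit1;
 *   wq1 completes, drops bit1 and its io-wq is freed;
 *   wq2:worker1 locks and drops bit1, which wakes the shared waitqueue.
 * Returns the number of freed wqes that wake_up touched. */
int run_scenario(bool detach_on_free)
{
    struct hash shared = { .head = NULL };
    struct wqe wq1 = { .alive = true };
    struct wqe wq2 = { .alive = true };

    hash_add_waiter(&shared, &wq2);          /* wq2:worker1 waits bit1 */
    hash_add_waiter(&shared, &wq1);          /* wq1:worker3 waits bit1 */

    wq_free(&shared, &wq1, detach_on_free);  /* wq1 exits, io-wq freed */

    return hash_wake_up(&shared);            /* wq2:worker1 drops bit1 */
}

int main(void)
{
    printf("freed while still queued: %d stale wakeup(s)\n", run_scenario(false));
    printf("unlinked before free:     %d stale wakeup(s)\n", run_scenario(true));
    return 0;
}
```

The model makes the defensive rule concrete: whatever owns a wait_queue_entry must take it off the shared waitqueue before that owner's memory can go away, because the waker only ever sees the shared list and has no way to know which entries still point at live objects.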

Thread overview:
2021-05-24  7:18 [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue qiang.zhang
     [not found] ` <20210524082536.2032-1-hdanton@sina.com>
2021-05-24  9:19   ` Re: " Zhang, Qiang
2021-05-24 10:16     ` Pavel Begunkov
2021-05-25  2:01       ` Re: " Zhang, Qiang
2021-06-07 17:38         ` Pavel Begunkov
2021-06-10  1:49           ` Zhang, Qiang [this message]
2021-05-24 10:18     ` Pavel Begunkov
