ceph-devel.vger.kernel.org archive mirror
From: Xiubo Li <xiubli@redhat.com>
To: "Петрова Наталия Михайловна" <n.petrova@fintech.ru>,
	"Ilya Dryomov" <idryomov@gmail.com>
Cc: Dongsheng Yang <dongsheng.yang@easystack.cn>,
	Jens Axboe <axboe@kernel.dk>,
	"ceph-devel@vger.kernel.org" <ceph-devel@vger.kernel.org>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>,
	Alexey Khoroshilov <khoroshilov@ispras.ru>
Subject: Re: [PATCH] rbd: avoid double free memory on error path in rbd_dev_create()
Date: Tue, 7 Feb 2023 08:54:30 +0800
Message-ID: <06f51bab-42e1-975a-ad4f-6815c2063adb@redhat.com>
In-Reply-To: <c01e807428894bef8fed628df0b8f4b6@fintech.ru>


On 06/02/2023 23:15, Петрова Наталия Михайловна wrote:
> Hi Ilya!
> Thanks for your response! I don't quite understand your idea and suggestion. The patch is designed to avoid a double free of memory. I explored the code again and suppose there is another situation for rbd_dev->rbd_client and rbd_dev->spec. Freeing the memory of these pointers is possible only once, in the rbd_dev_free() function. In do_rbd_add(), memory is deallocated only for rbd_opts: drivers/block/rbd.c 7157.

Hi Петрова,

If the rbd_dev_create() fails, for spec it will be freed in 
rbd_dev_create()->rbd_spec_put() first and then in do_rbd_add() it will 
call rbd_spec_put() again.

It won't trigger a double free, but this should generate a warning when the 
refcount underflows, because refcount_dec_and_test() will warn and 
then return false when underflow happens.

The same for rbd_client.

Thanks,

- Xiubo

> Correct me if I'm wrong.
>
> Thanks,
> Natalia
>
> -----Original Message-----
> From: Ilya Dryomov <idryomov@gmail.com>
> Sent: Monday, February 6, 2023 2:59 PM
> To: Петрова Наталия Михайловна <n.petrova@fintech.ru>
> Cc: Dongsheng Yang <dongsheng.yang@easystack.cn>; Jens Axboe <axboe@kernel.dk>; ceph-devel@vger.kernel.org; linux-block@vger.kernel.org; linux-kernel@vger.kernel.org; lvc-project@linuxtesting.org; Alexey Khoroshilov <khoroshilov@ispras.ru>
> Subject: Re: [PATCH] rbd: avoid double free memory on error path in rbd_dev_create()
>
> On Fri, Feb 3, 2023 at 3:15 PM Natalia Petrova <n.petrova@fintech.ru> wrote:
>> If rbd_dev_create() fails after assignment 'opts' to 'rbd_dev->opts',
>> double free of 'rbd_options' happens:
>> one is in rbd_dev_free() and another one is in do_rbd_add().
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue")
>> Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
>> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
>> ---
>>   drivers/block/rbd.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index
>> 04453f4a319c..ab6bfc352cde 100644
>> --- a/drivers/block/rbd.c
>> +++ b/drivers/block/rbd.c
>> @@ -5357,7 +5357,6 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
>>          if (!rbd_dev)
>>                  return NULL;
>>
>> -       rbd_dev->opts = opts;
>>
>>          /* get an id and fill in device name */
>>          rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0, @@
>> -5372,6 +5371,7 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
>>          if (!rbd_dev->task_wq)
>>                  goto fail_dev_id;
>>
>> +       rbd_dev->opts = opts;
>>          /* we have a ref from do_rbd_add() */
>>          __module_get(THIS_MODULE);
>>
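Review bot: In the second hunk, the added 'rbd_dev->opts = opts;' makes the device take ownership of 'opts' only after the last visible 'goto fail_dev_id', but nothing in the code documents that ordering requirement, and the line sits directly above '/* we have a ref from do_rbd_add() */', so that comment now reads as if it described the assignment rather than '__module_get(THIS_MODULE);'. Suggest a one-line comment stating that do_rbd_add() keeps ownership of 'opts' until rbd_dev_create() can no longer fail, plus a blank line before the existing comment. The commit message covers only 'rbd_options'; it would help to state whether the other pointers cleaned up on this error path were checked as well.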
>> --
>> 2.34.1
>>
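Review bot: In the first hunk, once 'rbd_dev->opts = opts;' is dropped, rbd_dev->opts stays unset until the assignment added further down, so it is worth confirming that nothing between the id allocation and the 'if (!rbd_dev->task_wq)' check reads it. The removal also leaves two consecutive blank lines between 'return NULL;' and '/* get an id and fill in device name */'; drop one of them.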
> Hi Natalia,
>
> It seems like a similar issue is affecting rbd_dev->rbd_client and rbd_dev->spec.  Unlike rbd_dev->opts, they are ref-counted and I'm guessing that the verification tool doesn't go that deep.
>
> I'd prefer all three to be addressed in the same change, since it's the same error path.  Would you be willing to look into that and post a new revision or should I treat just this patch as a bug report?
>
> Thanks,
>
>                  Ilya

-- 
Best Regards,

Xiubo Li (李秀波)

Email: xiubli@redhat.com/xiubli@ibm.com
Slack: @Xiubo Li
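
The contrast drawn in this thread between the plain 'opts' pointer and the ref-counted 'spec' and 'rbd_client', as an added userspace C model that is not part of this message or of the rbd driver. All model_* and failed_create_* names are hypothetical, and the counter follows the warn-and-return-false behaviour stated in the reply above.

```c
#include <limits.h>
#include <stdio.h>

/* Userspace model, not kernel code; every name here is hypothetical. */
struct model_obj { int refs, releases, warnings; };

/* True only on the 1 -> 0 transition; on underflow: warn, saturate, false. */
static int model_dec_and_test(struct model_obj *o)
{
    if (o->refs <= 0) {
        o->refs = INT_MIN / 2;   /* saturated value, stays negative */
        o->warnings++;
        return 0;
    }
    return --o->refs == 0;
}

/* Ref-counted put ('spec', 'rbd_client'); counts releases, never calls free(). */
static void model_put(struct model_obj *o)
{
    if (model_dec_and_test(o))
        o->releases++;
}

/* Failed create: teardown inside create puts, then the caller puts again. */
static struct model_obj failed_create_refcounted(void)
{
    struct model_obj spec = { .refs = 1 };
    model_put(&spec);
    model_put(&spec);
    return spec;
}

/* Plain pointer ('opts'); patched != 0 means the device never took it. */
static struct model_obj failed_create_plain(int patched)
{
    struct model_obj opts = { 0 };
    if (!patched)
        opts.releases++;  /* teardown inside create frees it */
    opts.releases++;      /* caller's error path frees it */
    return opts;
}

int main(void)
{
    struct model_obj s = failed_create_refcounted();
    printf("spec: releases=%d warnings=%d\n", s.releases, s.warnings);
    printf("opts: releases=%d, patched: releases=%d\n",
           failed_create_plain(0).releases, failed_create_plain(1).releases);
    return 0;
}
```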


Thread overview: 6+ messages
2023-02-03 14:15 [PATCH] rbd: avoid double free memory on error path in rbd_dev_create() Natalia Petrova
2023-02-06 11:58 ` Ilya Dryomov
2023-02-06 15:15   ` Петрова Наталия Михайловна
2023-02-07  0:54     ` Xiubo Li [this message]
2023-02-09 12:09       ` [PATCH v2] rbd: fix freeing memory of 'rbd_dev->opts', 'rbd_dev->spec', 'rbd_dev->rbd_client' Natalia Petrova
2023-02-11  9:40         ` Ilya Dryomov
