linux-block.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Bart Van Assche <bvanassche@acm.org>
To: Jens Axboe <axboe@kernel.dk>,
	"jianchao.wang" <jianchao.w.wang@oracle.com>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: v4.20-rc6: Sporadic use-after-free in bt_iter()
Date: Thu, 20 Dec 2018 14:19:58 -0800	[thread overview]
Message-ID: <1545344398.185366.531.camel@acm.org> (raw)
In-Reply-To: <68c73daa-10e7-29da-b890-bf167ec164c2@kernel.dk>

On Thu, 2018-12-20 at 14:48 -0700, Jens Axboe wrote:
> -void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> -		     unsigned int hctx_idx)
> +static void blk_mq_rcu_free_pages(struct work_struct *work)
>  {
> +	struct blk_mq_tags *tags = container_of(to_rcu_work(work),
> +						struct blk_mq_tags, rcu_work);
>  	struct page *page;
>  
> +	while (!list_empty(&tags->page_list)) {
> +		page = list_first_entry(&tags->page_list, struct page, lru);
> +		list_del_init(&page->lru);
> +		/*
> +		 * Remove kmemleak object previously allocated in
> +		 * blk_mq_init_rq_map().
> +		 */
> +		kmemleak_free(page_address(page));
> +		__free_pages(page, page->private);
> +	}
> +}
> +
> +void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> +		     unsigned int hctx_idx)
> +{
>  	if (tags->rqs && set->ops->exit_request) {
>  		int i;
>  
> @@ -2038,16 +2061,9 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
>  		}
>  	}
>  
> -	while (!list_empty(&tags->page_list)) {
> -		page = list_first_entry(&tags->page_list, struct page, lru);
> -		list_del_init(&page->lru);
> -		/*
> -		 * Remove kmemleak object previously allocated in
> -		 * blk_mq_init_rq_map().
> -		 */
> -		kmemleak_free(page_address(page));
> -		__free_pages(page, page->private);
> -	}
> +	/* Punt to RCU free, so we don't race with tag iteration */
> +	INIT_RCU_WORK(&tags->rcu_work, blk_mq_rcu_free_pages);
> +	queue_rcu_work(system_wq, &tags->rcu_work);
>  }

This can only work correctly if blk_mq_rcu_free_pages() is called before
INIT_RCU_WORK() is called a second time for the same bkl_mq_tags structure
and if blk_mq_rcu_free_pages() is called before struct blk_mq_tags is freed.
What provides these guarantees? Did I perhaps miss something?

Thanks,

Bart.

  reply	other threads:[~2018-12-20 22:20 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-19 23:24 v4.20-rc6: Sporadic use-after-free in bt_iter() Bart Van Assche
2018-12-19 23:27 ` Jens Axboe
2018-12-20  0:16   ` Bart Van Assche
2018-12-20  3:17     ` Jens Axboe
2018-12-20  3:24       ` jianchao.wang
2018-12-20  4:19         ` Jens Axboe
2018-12-20  4:32           ` jianchao.wang
2018-12-20  4:48             ` Jens Axboe
2018-12-20  5:03               ` jianchao.wang
2018-12-20 13:02                 ` Jens Axboe
2018-12-20 13:07                   ` Jens Axboe
2018-12-20 18:01                     ` Bart Van Assche
2018-12-20 18:21                       ` Jens Axboe
2018-12-20 18:33                         ` Jens Axboe
2018-12-20 20:56                           ` Bart Van Assche
2018-12-20 21:00                             ` Jens Axboe
2018-12-20 21:23                               ` Bart Van Assche
2018-12-20 21:26                                 ` Jens Axboe
2018-12-20 21:31                                   ` Bart Van Assche
2018-12-20 21:34                                     ` Jens Axboe
2018-12-20 21:40                                       ` Bart Van Assche
2018-12-20 21:44                                         ` Jens Axboe
2018-12-20 21:48                                           ` Jens Axboe
2018-12-20 22:19                                             ` Bart Van Assche [this message]
2018-12-20 22:23                                               ` Jens Axboe
2018-12-20 22:33                                                 ` Jens Axboe
2018-12-20 22:47                                                   ` Jens Axboe
2018-12-20 22:50                                                     ` Jens Axboe
2019-02-14 23:36                                                       ` Bart Van Assche
2019-02-15 18:29                                                         ` Evan Green
2019-02-19 16:48                                                           ` Bart Van Assche
2019-02-21 20:54                                                             ` Evan Green
2019-02-15  2:57                                                       ` jianchao.wang
2018-12-20  4:06 ` Ming Lei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1545344398.185366.531.camel@acm.org \
    --to=bvanassche@acm.org \
    --cc=axboe@kernel.dk \
    --cc=jianchao.w.wang@oracle.com \
    --cc=linux-block@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).