From: Bart Van Assche <bvanassche@acm.org>
To: Jens Axboe <axboe@kernel.dk>,
"jianchao.wang" <jianchao.w.wang@oracle.com>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: v4.20-rc6: Sporadic use-after-free in bt_iter()
Date: Thu, 20 Dec 2018 14:19:58 -0800 [thread overview]
Message-ID: <1545344398.185366.531.camel@acm.org> (raw)
In-Reply-To: <68c73daa-10e7-29da-b890-bf167ec164c2@kernel.dk>
On Thu, 2018-12-20 at 14:48 -0700, Jens Axboe wrote:
> -void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> - unsigned int hctx_idx)
> +static void blk_mq_rcu_free_pages(struct work_struct *work)
> {
> + struct blk_mq_tags *tags = container_of(to_rcu_work(work),
> + struct blk_mq_tags, rcu_work);
> struct page *page;
>
> + while (!list_empty(&tags->page_list)) {
> + page = list_first_entry(&tags->page_list, struct page, lru);
> + list_del_init(&page->lru);
> + /*
> + * Remove kmemleak object previously allocated in
> + * blk_mq_init_rq_map().
> + */
> + kmemleak_free(page_address(page));
> + __free_pages(page, page->private);
> + }
> +}
> +
> +void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> + unsigned int hctx_idx)
> +{
> if (tags->rqs && set->ops->exit_request) {
> int i;
>
> @@ -2038,16 +2061,9 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> }
> }
>
> - while (!list_empty(&tags->page_list)) {
> - page = list_first_entry(&tags->page_list, struct page, lru);
> - list_del_init(&page->lru);
> - /*
> - * Remove kmemleak object previously allocated in
> - * blk_mq_init_rq_map().
> - */
> - kmemleak_free(page_address(page));
> - __free_pages(page, page->private);
> - }
> + /* Punt to RCU free, so we don't race with tag iteration */
> + INIT_RCU_WORK(&tags->rcu_work, blk_mq_rcu_free_pages);
> + queue_rcu_work(system_wq, &tags->rcu_work);
> }
This can only work correctly if blk_mq_rcu_free_pages() is called before
INIT_RCU_WORK() is called a second time for the same bkl_mq_tags structure
and if blk_mq_rcu_free_pages() is called before struct blk_mq_tags is freed.
What provides these guarantees? Did I perhaps miss something?
Thanks,
Bart.
next prev parent reply other threads:[~2018-12-20 22:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-19 23:24 v4.20-rc6: Sporadic use-after-free in bt_iter() Bart Van Assche
2018-12-19 23:27 ` Jens Axboe
2018-12-20 0:16 ` Bart Van Assche
2018-12-20 3:17 ` Jens Axboe
2018-12-20 3:24 ` jianchao.wang
2018-12-20 4:19 ` Jens Axboe
2018-12-20 4:32 ` jianchao.wang
2018-12-20 4:48 ` Jens Axboe
2018-12-20 5:03 ` jianchao.wang
2018-12-20 13:02 ` Jens Axboe
2018-12-20 13:07 ` Jens Axboe
2018-12-20 18:01 ` Bart Van Assche
2018-12-20 18:21 ` Jens Axboe
2018-12-20 18:33 ` Jens Axboe
2018-12-20 20:56 ` Bart Van Assche
2018-12-20 21:00 ` Jens Axboe
2018-12-20 21:23 ` Bart Van Assche
2018-12-20 21:26 ` Jens Axboe
2018-12-20 21:31 ` Bart Van Assche
2018-12-20 21:34 ` Jens Axboe
2018-12-20 21:40 ` Bart Van Assche
2018-12-20 21:44 ` Jens Axboe
2018-12-20 21:48 ` Jens Axboe
2018-12-20 22:19 ` Bart Van Assche [this message]
2018-12-20 22:23 ` Jens Axboe
2018-12-20 22:33 ` Jens Axboe
2018-12-20 22:47 ` Jens Axboe
2018-12-20 22:50 ` Jens Axboe
2019-02-14 23:36 ` Bart Van Assche
2019-02-15 18:29 ` Evan Green
2019-02-19 16:48 ` Bart Van Assche
2019-02-21 20:54 ` Evan Green
2019-02-15 2:57 ` jianchao.wang
2018-12-20 4:06 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1545344398.185366.531.camel@acm.org \
--to=bvanassche@acm.org \
--cc=axboe@kernel.dk \
--cc=jianchao.w.wang@oracle.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).