From: Jens Axboe <axboe@kernel.dk>
To: Bart Van Assche <bvanassche@acm.org>,
"jianchao.wang" <jianchao.w.wang@oracle.com>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: v4.20-rc6: Sporadic use-after-free in bt_iter()
Date: Thu, 20 Dec 2018 15:23:48 -0700 [thread overview]
Message-ID: <1864f5b8-cf64-a406-a3e0-9f5124ff95b5@kernel.dk> (raw)
In-Reply-To: <1545344398.185366.531.camel@acm.org>
On 12/20/18 3:19 PM, Bart Van Assche wrote:
> On Thu, 2018-12-20 at 14:48 -0700, Jens Axboe wrote:
>> -void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
>> - unsigned int hctx_idx)
>> +static void blk_mq_rcu_free_pages(struct work_struct *work)
>> {
>> + struct blk_mq_tags *tags = container_of(to_rcu_work(work),
>> + struct blk_mq_tags, rcu_work);
>> struct page *page;
>>
>> + while (!list_empty(&tags->page_list)) {
>> + page = list_first_entry(&tags->page_list, struct page, lru);
>> + list_del_init(&page->lru);
>> + /*
>> + * Remove kmemleak object previously allocated in
>> + * blk_mq_init_rq_map().
>> + */
>> + kmemleak_free(page_address(page));
>> + __free_pages(page, page->private);
>> + }
>> +}
>> +
>> +void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
>> + unsigned int hctx_idx)
>> +{
>> if (tags->rqs && set->ops->exit_request) {
>> int i;
>>
>> @@ -2038,16 +2061,9 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
>> }
>> }
>>
>> - while (!list_empty(&tags->page_list)) {
>> - page = list_first_entry(&tags->page_list, struct page, lru);
>> - list_del_init(&page->lru);
>> - /*
>> - * Remove kmemleak object previously allocated in
>> - * blk_mq_init_rq_map().
>> - */
>> - kmemleak_free(page_address(page));
>> - __free_pages(page, page->private);
>> - }
>> + /* Punt to RCU free, so we don't race with tag iteration */
>> + INIT_RCU_WORK(&tags->rcu_work, blk_mq_rcu_free_pages);
>> + queue_rcu_work(system_wq, &tags->rcu_work);
>> }
>
> This can only work correctly if blk_mq_rcu_free_pages() is called before
> INIT_RCU_WORK() is called a second time for the same bkl_mq_tags structure
> and if blk_mq_rcu_free_pages() is called before struct blk_mq_tags is freed.
> What provides these guarantees? Did I perhaps miss something?
We don't call it twice. Protecting against that is outside the scope
of this function. But we call and clear form the regular shutdown path,
and the rest is error handling on setup.
But yes, we do need to ensure that 'tags' doesn't go away. Probably best
to rework it to shove it somewhere else for freeing for that case, and
leave the rest of the shutdown alone. I'll update the patch.
--
Jens Axboe
next prev parent reply other threads:[~2018-12-20 22:23 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-19 23:24 v4.20-rc6: Sporadic use-after-free in bt_iter() Bart Van Assche
2018-12-19 23:27 ` Jens Axboe
2018-12-20 0:16 ` Bart Van Assche
2018-12-20 3:17 ` Jens Axboe
2018-12-20 3:24 ` jianchao.wang
2018-12-20 4:19 ` Jens Axboe
2018-12-20 4:32 ` jianchao.wang
2018-12-20 4:48 ` Jens Axboe
2018-12-20 5:03 ` jianchao.wang
2018-12-20 13:02 ` Jens Axboe
2018-12-20 13:07 ` Jens Axboe
2018-12-20 18:01 ` Bart Van Assche
2018-12-20 18:21 ` Jens Axboe
2018-12-20 18:33 ` Jens Axboe
2018-12-20 20:56 ` Bart Van Assche
2018-12-20 21:00 ` Jens Axboe
2018-12-20 21:23 ` Bart Van Assche
2018-12-20 21:26 ` Jens Axboe
2018-12-20 21:31 ` Bart Van Assche
2018-12-20 21:34 ` Jens Axboe
2018-12-20 21:40 ` Bart Van Assche
2018-12-20 21:44 ` Jens Axboe
2018-12-20 21:48 ` Jens Axboe
2018-12-20 22:19 ` Bart Van Assche
2018-12-20 22:23 ` Jens Axboe [this message]
2018-12-20 22:33 ` Jens Axboe
2018-12-20 22:47 ` Jens Axboe
2018-12-20 22:50 ` Jens Axboe
2019-02-14 23:36 ` Bart Van Assche
2019-02-15 18:29 ` Evan Green
2019-02-19 16:48 ` Bart Van Assche
2019-02-21 20:54 ` Evan Green
2019-02-15 2:57 ` jianchao.wang
2018-12-20 4:06 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1864f5b8-cf64-a406-a3e0-9f5124ff95b5@kernel.dk \
--to=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=jianchao.w.wang@oracle.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).