Re: [PATCH] block: make sure last_lookup set as NULL after part deleted

[Ming Lei <ming.lei@redhat.com>]

On Mon, Jan 06, 2020 at 03:39:07PM +0800, Yufen Yu wrote:
> Hi, Ming
> 
> On 2020/1/3 23:16, Ming Lei wrote:
> > Hello Yufen,
> > 
> > OK, we still can move clearing .last_lookup into __delete_partition(),
> > at that time all IO path can observe the partition percpu-refcount killed.
> > 
> > Also the rcu work fn is run after one RCU grace period, at that time,
> > the NULL .last_lookup becomes visible in all IO path too.
> > 
> > diff --git a/block/blk-core.c b/block/blk-core.c
> > index 089e890ab208..79599f5fd5b7 100644
> > --- a/block/blk-core.c
> > +++ b/block/blk-core.c
> > @@ -1365,18 +1365,6 @@ void blk_account_io_start(struct request *rq, bool new_io)
> >   		part_stat_inc(part, merges[rw]);
> >   	} else {
> >   		part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
> > -		if (!hd_struct_try_get(part)) {
> > -			/*
> > -			 * The partition is already being removed,
> > -			 * the request will be accounted on the disk only
> > -			 *
> > -			 * We take a reference on disk->part0 although that
> > -			 * partition will never be deleted, so we can treat
> > -			 * it as any other partition.
> > -			 */
> > -			part = &rq->rq_disk->part0;
> > -			hd_struct_get(part);
> > -		}
> >   		part_inc_in_flight(rq->q, part, rw);
> >   		rq->part = part;
> >   	}
> > diff --git a/block/genhd.c b/block/genhd.c
> > index ff6268970ddc..e3dec90b1f43 100644
> > --- a/block/genhd.c
> > +++ b/block/genhd.c
> > @@ -286,17 +286,21 @@ struct hd_struct *disk_map_sector_rcu(struct gendisk *disk, sector_t sector)
> >   	ptbl = rcu_dereference(disk->part_tbl);
> >   	part = rcu_dereference(ptbl->last_lookup);
> > -	if (part && sector_in_part(part, sector))
> > +	if (part && sector_in_part(part, sector) && hd_struct_try_get(part))
> >   		return part;
> >   	for (i = 1; i < ptbl->len; i++) {
> >   		part = rcu_dereference(ptbl->part[i]);
> >   		if (part && sector_in_part(part, sector)) {
> > +                       if (!hd_struct_try_get(part))
> > +                               goto exit;
> >   			rcu_assign_pointer(ptbl->last_lookup, part);
> >   			return part;
> >   		}
> >   	}
> > + exit:
> > +	hd_struct_get(&disk->part0);
> >   	return &disk->part0;
> >   }
> >   EXPORT_SYMBOL_GPL(disk_map_sector_rcu);
> > diff --git a/block/partition-generic.c b/block/partition-generic.c
> > index 1d20c9cf213f..1739f750dbf2 100644
> > --- a/block/partition-generic.c
> > +++ b/block/partition-generic.c
> > @@ -262,6 +262,12 @@ static void delete_partition_work_fn(struct work_struct *work)
> >   void __delete_partition(struct percpu_ref *ref)
> >   {
> >   	struct hd_struct *part = container_of(ref, struct hd_struct, ref);
> > +	struct disk_part_tbl *ptbl =
> > +		rcu_dereference_protected(part->disk->part_tbl, 1);
> > +
> > +	rcu_assign_pointer(ptbl->last_lookup, NULL);
> > +	put_device(disk_to_dev(part->disk));
> > +
> >   	INIT_RCU_WORK(&part->rcu_work, delete_partition_work_fn);
> >   	queue_rcu_work(system_wq, &part->rcu_work);
> >   }
> > @@ -283,8 +289,9 @@ void delete_partition(struct gendisk *disk, int partno)
> >   	if (!part)
> >   		return;
> > +	get_device(disk_to_dev(disk));
> >   	rcu_assign_pointer(ptbl->part[partno], NULL);
> > -	rcu_assign_pointer(ptbl->last_lookup, NULL);
> > +
> >   	kobject_put(part->holder_dir);
> >   	device_del(part_to_dev(part));
> > @@ -349,6 +356,7 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno,
> >   	p->nr_sects = len;
> >   	p->partno = partno;
> >   	p->policy = get_disk_ro(disk);
> > +	p->disk = disk;
> >   	if (info) {
> >   		struct partition_meta_info *pinfo = alloc_part_info(disk);
> > diff --git a/include/linux/genhd.h b/include/linux/genhd.h
> > index 8bb63027e4d6..66660ec5e8ee 100644
> > --- a/include/linux/genhd.h
> > +++ b/include/linux/genhd.h
> > @@ -129,6 +129,7 @@ struct hd_struct {
> >   #else
> >   	struct disk_stats dkstats;
> >   #endif
> > +	struct gendisk *disk;
> >   	struct percpu_ref ref;
> >   	struct rcu_work rcu_work;
> >   };
> 
> 
> IMO, this change can solve the problem. But, __delete_partition will
> depend on the implementation of disk_release(). If disk .release modify
> as blocked in the future, then __delete_partition will also be blocked,
> which is not expected in rcu callback function.

__delete_partition() won't be blocked because it just calls queue_rcu_work() to
release the partition instance in wq context.

> 
> We may cache index of part[] instead of part[i] itself to fix the use-after-free bug.
> https://patchwork.kernel.org/patch/11318767/

That approach can fix the issue too, but extra overhead is added in the
fast path because partition retrieval is changed to the following way:

	+       last_lookup = READ_ONCE(ptbl->last_lookup);
	+       if (last_lookup > 0 && last_lookup < ptbl->len) {
	+               part = rcu_dereference(ptbl->part[last_lookup]);
	+               if (part && sector_in_part(part, sector))
	+                       return part;
	+       }

from 
	part = rcu_dereference(ptbl->last_lookup);

So ptbl->part[] has to be fetched, it is fine if the ->part[] array
shares same cacheline with ptbl->last_lookup, but one disk may have
too many partitions, then your approach may introduce one extra cache
miss every time.

READ_ONCE() may imply one read barrier too.


Thanks,
Ming