From: Waiman Long <longman@redhat.com>
To: Jens Axboe <axboe@kernel.dk>, Tejun Heo <tj@kernel.org>
Cc: "Josef Bacik" <josef@toxicpanda.com>,
"Zefan Li" <lizefan.x@bytedance.com>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
cgroups@vger.kernel.org, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
"Michal Koutný" <mkoutny@suse.com>,
"Dennis Zhou (Facebook)" <dennisszhou@gmail.com>,
"Yi Zhang" <yi.zhang@redhat.com>
Subject: Re: [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg
Date: Wed, 14 Dec 2022 11:55:24 -0500
Message-ID: <306d760d-fe6d-d02c-ad6c-e2467d8da4af@redhat.com>
In-Reply-To: <5fbaea42-14a7-27a8-cea1-3a59161ceba0@kernel.dk>
On 12/14/22 11:54, Jens Axboe wrote:
> On 12/13/22 12:53 PM, Waiman Long wrote:
>> On 12/13/22 14:29, Tejun Heo wrote:
>>> On Tue, Dec 13, 2022 at 01:44:45PM -0500, Waiman Long wrote:
>>>> Commit 59b57717fff8 ("blkcg: delay blkg destruction until after
>>>> writeback has finished") delayed call to blkcg_destroy_blkgs() to
>>>> cgwb_release_workfn(). However, it is done after a css_put() of blkcg
>>>> which may be the final put that causes the blkcg to be freed as RCU
>>>> read lock isn't held.
>>>>
>>>> Another place where blkcg_destroy_blkgs() can be called indirectly via
>>>> blkcg_unpin_online() is from the offline_css() function called from
>>>> css_killed_work_fn(). Over there, the potentially final css_put() call
>>>> is issued after offline_css().
>>>>
>>>> By adding a css_tryget() into blkcg_destroy_blkgs() and warning its
>>>> failure, the following stack trace was produced in a test system on
>>>> bootup.
>>> This doesn't agree with the code anymore. Otherwise
>>>
>>> Acked-by: Tejun Heo <tj@kernel.org>
>> Sorry, I overlooked the commit log in my update. I will update it if I need another version, or Jens can make the following edit:
>>
>> css_tryget() -> percpu_ref_is_zero().
> Since the other one also needs an edit, would be great if you could
> just send out a v4.
>
Sure, will do that.
Cheers,
Longman
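The quoted commit message describes a lifetime-ordering bug: blkcg_destroy_blkgs() runs after a css_put() that may be the final put, so the blkcg it touches may already be gone, and the v3 patch detects that state with percpu_ref_is_zero() instead of css_tryget(). The following user-space model is an added example written for this page, not kernel code and not the patch itself. It assumes a plain integer counter in place of a percpu_ref, a "freed" flag in place of a real free (so the bug is observable rather than undefined behaviour), and a hypothetical reordered work function that holds the reference across the destroy; that reordering is an illustration of the principle, not a claim about what the merged patch does.

```c
/*
 * Model of "destroy after the possibly-final put" (added example, not
 * kernel code). Names mirror the thread loosely; all are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a css: a plain counter instead of a percpu_ref, plus a
 * "freed" flag so a touch-after-release is detected, not dereferenced. */
struct css_model {
	int refcnt;
	bool freed;        /* set by the release callback */
	int blkgs_alive;   /* stand-in for the blkg list hanging off the blkcg */
};

static void css_release(struct css_model *css) { css->freed = true; }

static void css_put_m(struct css_model *css)
{
	if (--css->refcnt == 0)
		css_release(css);   /* final put: the object goes away */
}

/* Assumed analogue of percpu_ref_is_zero(&css->refcnt). */
static bool refcnt_is_zero(const struct css_model *css)
{
	return css->refcnt == 0;
}

/* Unchecked destroy, as in the buggy path: touches the object no matter
 * what. Returns 1 if it touched an already-released object (the UAF). */
static int destroy_blkgs_unchecked(struct css_model *css)
{
	int uaf = css->freed;
	css->blkgs_alive = 0;
	return uaf;
}

/* Checked destroy: bail out when the refcount already hit zero, which is
 * where the kernel patch warns. Returns 0 on success, -1 if it bailed. */
static int destroy_blkgs_checked(struct css_model *css)
{
	if (refcnt_is_zero(css)) {
		fprintf(stderr, "destroy_blkgs on a dead css, bailing\n");
		return -1;
	}
	css->blkgs_alive = 0;
	return 0;
}

enum { RESULT_OK, RESULT_UAF, RESULT_BAILED, RESULT_LEAK };

/* Ordering from the commit message: css_put() first, then destroy. */
static int workfn_buggy(struct css_model *css)
{
	css_put_m(css);                     /* may be the final put */
	return destroy_blkgs_unchecked(css) ? RESULT_UAF : RESULT_OK;
}

/* Same ordering with the zero check: no UAF, but nothing gets destroyed. */
static int workfn_checked(struct css_model *css)
{
	css_put_m(css);
	return destroy_blkgs_checked(css) < 0 ? RESULT_BAILED : RESULT_OK;
}

/* Hypothetical ordering that keeps the reference alive across destroy. */
static int workfn_reordered(struct css_model *css)
{
	int rc = destroy_blkgs_checked(css);
	css_put_m(css);
	return rc < 0 ? RESULT_BAILED : RESULT_OK;
}

/* Run one work function against a css that starts with `refs` references
 * and three live blkgs; refs == 1 is the worst case from the thread, where
 * the work function's put is the final one. */
static int run_scenario(int (*workfn)(struct css_model *), int refs)
{
	struct css_model css = { .refcnt = refs, .freed = false, .blkgs_alive = 3 };
	int rc = workfn(&css);

	if (rc == RESULT_OK && css.blkgs_alive != 0)
		return RESULT_LEAK;
	return rc;
}

int main(void)
{
	static const char *const names[] = { "ok", "use-after-free", "bailed", "leak" };

	printf("buggy, extra ref held : %s\n", names[run_scenario(workfn_buggy, 2)]);
	printf("buggy, final put      : %s\n", names[run_scenario(workfn_buggy, 1)]);
	printf("checked, final put    : %s\n", names[run_scenario(workfn_checked, 1)]);
	printf("reordered, final put  : %s\n", names[run_scenario(workfn_reordered, 1)]);
	return 0;
}
```

The first two scenarios show why the bug is intermittent: with another reference still held, the buggy ordering works; only when the work function drops the last one does destroy run on a released object. The checked variant turns that silent use-after-free into a bail-out (the WARN path), but note that the blkgs are then never torn down, so the check is a detector rather than a fix on its own. Only an ordering that keeps the reference alive while destroy runs completes cleanly.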
Thread overview: 16+ messages
2022-12-13 18:44 [PATCH-block v3 0/2] blk-cgroup: Fix potential UAF & flush rstat at blkgs destruction path Waiman Long
2022-12-13 18:44 ` [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg Waiman Long
2022-12-13 19:29   ` Tejun Heo
2022-12-13 19:53     ` Waiman Long
2022-12-14 16:54       ` Jens Axboe
2022-12-14 16:55         ` Waiman Long [this message]
2022-12-13 18:44 ` [PATCH-block v3 2/2] blk-cgroup: Flush stats at blkgs destruction path Waiman Long
2022-12-13 19:30   ` Tejun Heo
2022-12-14  1:58     ` Waiman Long