Re: [PATCH 3/3] lib/percpu-refcount: drain ->release() in perpcu_ref_exit()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ming Lei <ming.lei@redhat.com>
To: Hillf Danton <hdanton@sina.com>
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
	Zhong Jinghua <zhongjinghua@huawei.com>,
	Dennis Zhou <dennis@kernel.org>
Subject: Re: [PATCH 3/3] lib/percpu-refcount: drain ->release() in perpcu_ref_exit()
Date: Wed, 14 Dec 2022 21:30:08 +0800	[thread overview]
Message-ID: <Y5nP4JC00zTepHue@T590> (raw)
In-Reply-To: <20221214081651.954-1-hdanton@sina.com>

On Wed, Dec 14, 2022 at 04:16:51PM +0800, Hillf Danton wrote:
> On 14 Dec 2022 10:51:01 +0800 Ming Lei <ming.lei@redhat.com>
> > The pattern of wait_event(percpu_ref_is_zero()) has been used in several
> 
> For example?

blk_mq_freeze_queue_wait() and target_wait_for_sess_cmds().

> 
> > kernel components, and this way actually has the following risk:
> > 
> > - percpu_ref_is_zero() can be returned just between
> >   atomic_long_sub_and_test() and ref->data->release(ref)
> > 
> > - given the refcount is found as zero, percpu_ref_exit() could
> >   be called, and the host data structure is freed
> > 
> > - then use-after-free is triggered in ->release() when the user host
> >   data structure is freed after percpu_ref_exit() returns
> 
> The race between exit and the release callback should be considered at the
> corresponding callsite, given the comment below, and closed for instance
> by synchronizing rcu.
> 
> /**
>  * percpu_ref_put_many - decrement a percpu refcount
>  * @ref: percpu_ref to put
>  * @nr: number of references to put
>  *
>  * Decrement the refcount, and if 0, call the release function (which was passed
>  * to percpu_ref_init())
>  *
>  * This function is safe to call as long as @ref is between init and exit.
>  */

Not sure if the above comment implies that the callsite should cover the
race.

But blk-mq can really avoid the trouble by using the existed call_rcu():


diff --git a/block/blk-core.c b/block/blk-core.c
index 3866b6c4cd88..9321767470dc 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -254,14 +254,15 @@ EXPORT_SYMBOL_GPL(blk_clear_pm_only);
 
 static void blk_free_queue_rcu(struct rcu_head *rcu_head)
 {
-	kmem_cache_free(blk_requestq_cachep,
-			container_of(rcu_head, struct request_queue, rcu_head));
+	struct request_queue *q = container_of(rcu_head,
+			struct request_queue, rcu_head);
+
+	percpu_ref_exit(&q->q_usage_counter);
+	kmem_cache_free(blk_requestq_cachep, q);
 }
 
 static void blk_free_queue(struct request_queue *q)
 {
-	percpu_ref_exit(&q->q_usage_counter);
-
 	if (q->poll_stat)
 		blk_stat_remove_callback(q, q->poll_cb);
 	blk_stat_free_callback(q->poll_cb);


Thanks, 
Ming

next prev parent reply	other threads:[~2022-12-14 13:31 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-14  2:50 [PATCH 0/3] lib/percpu-refcount: fix use-after-free by late ->release Ming Lei
2022-12-14  2:50 ` [PATCH 1/3] lib/percpu-refcount: support to exit refcount automatically during releasing Ming Lei
2022-12-14  2:51 ` [PATCH 2/3] lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT Ming Lei
2022-12-14  2:51 ` [PATCH 3/3] lib/percpu-refcount: drain ->release() in perpcu_ref_exit() Ming Lei
2022-12-15 16:54   ` Tejun Heo
2022-12-16 23:06   ` kernel test robot
2022-12-17  0:37   ` kernel test robot
2022-12-17  7:32   ` kernel test robot
     [not found] ` <20221214081651.954-1-hdanton@sina.com>
2022-12-14 13:30   ` Ming Lei [this message]
2022-12-14 16:07     ` Dennis Zhou
2022-12-15  0:34       ` Ming Lei

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3866b6c4cd8 dfblob:9321767470d )
 OR (
bs:"Re: [PATCH 3/3] lib/percpu-refcount: drain ->release() in perpcu_ref_exit()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y5nP4JC00zTepHue@T590 \
    --to=ming.lei@redhat.com \
    --cc=dennis@kernel.org \
    --cc=hdanton@sina.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=zhongjinghua@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.