From: Ming Lei <ming.lei@redhat.com>
To: "Michal Koutný" <mkoutny@suse.com>
Cc: 李龙兴 <coregee2000@gmail.com>,
syzkaller@googlegroups.com, tj@kernel.org, josef@toxicpanda.com,
axboe@kernel.dk, cgroups@vger.kernel.org,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
yukuai@fnnas.com
Subject: Re: [Kernel Bug] KASAN: slab-use-after-free Read in __blkcg_rstat_flush
Date: Tue, 3 Feb 2026 19:11:11 +0800
Message-ID: <aYHXzyRJbzFSohNm@fedora>
In-Reply-To: <ffzrfu62npwacsl3225qqyjbhd6oue3x3rt46l2wcyp5oq4eli@26gvvst6hrmu>
On Tue, Feb 03, 2026 at 11:54:34AM +0100, Michal Koutný wrote:
> Hello.
>
> On Tue, Feb 03, 2026 at 11:03:01AM +0800, Ming Lei <ming.lei@redhat.com> wrote:
> > Can you try the following patch?
>
> I think it'd work thanks to the rcu_read_lock() in
> __blkcg_rstat_flush(). However, the chaining of RCU callbacks makes
> predictability of the release path less deterministic and may be
> unnecessary.
RCU supports this way of doing it; here it is just a 2-stage RCU chain, and everything
is deterministic.
>
> What about this:
>
> index 3cffb68ba5d87..e2f51e3bf04ef 100644
> --- a/tmp/b.c
> +++ b/tmp/a.c
> @@ -1081,6 +1081,7 @@ static void __blkcg_rstat_flush(struct blkcg *blkcg, int cpu)
> smp_mb();
>
> WRITE_ONCE(bisc->lqueued, false);
> + blkg_put(blkg);
> if (bisc == &blkg->iostat)
> goto propagate_up; /* propagate up to parent only */
>
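Review bot: the blkg_put(blkg) added here runs before this loop iteration is finished with blkg; the lines right after it still dereference it (`if (bisc == &blkg->iostat)` and the propagate_up path to the parent). If that put drops the last reference, the remaining accesses stay valid only because __blkcg_rstat_flush() runs under rcu_read_lock() and the blkg is freed via RCU, which the hunk does not say anywhere; either move the put past the last use of blkg in the loop body, or add a comment next to it stating that the rcu_read_lock() in __blkcg_rstat_flush() is what keeps blkg alive after the put. Separately, the file header reads `--- a/tmp/b.c` / `+++ b/tmp/a.c` instead of the block/blk-cgroup.c path, so the patch as posted will not apply with git am.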
> @@ -2220,8 +2221,10 @@ void blk_cgroup_bio_start(struct bio *bio)
> if (!READ_ONCE(bis->lqueued)) {
> struct llist_head *lhead = this_cpu_ptr(blkcg->lhead);
>
> + blkg_get(bio->bi_blkg);
> llist_add(&bis->lnode, lhead);
> WRITE_ONCE(bis->lqueued, true);
> +
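Review bot: the reference taken by blkg_get(bio->bi_blkg) is only balanced by the flusher's blkg_put() if each llist_add() of this entry is matched by exactly one dequeue, but the `!READ_ONCE(bis->lqueued)` test and the `WRITE_ONCE(bis->lqueued, true)` that follows it are two separate lockless operations, so nothing in this hunk ties the get to a single lqueued transition; document the ownership rule (the reference belongs to the queued lnode and is dropped by whoever dequeues it) in a comment beside the blkg_get(), and consider making the false-to-true transition atomic (a test-and-set rather than a read followed by a write) so that exactly one get is taken per queuing. The final `+` line adds a stray blank line after WRITE_ONCE(bis->lqueued, true) and should be dropped.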
I thought about this way, but ->lqueued is lockless, and in theory the `blkg_iostat_set`
can be added again after WRITE_ONCE(bisc->lqueued, false) happens, so this way looks
fragile.
Thanks,
Ming
Thread overview: 9+ messages
2026-02-02 6:19 [Kernel Bug] KASAN: slab-use-after-free Read in __blkcg_rstat_flush 李龙兴
2026-02-03 3:03 ` Ming Lei
2026-02-03 10:54 ` Michal Koutný
2026-02-03 11:11 ` Ming Lei [this message]
2026-02-03 12:53 ` Michal Koutný
2026-02-03 14:08 ` Ming Lei
2026-02-03 14:16 ` Michal Koutný
2026-02-03 14:40 ` Ming Lei
2026-02-03 14:46 ` Jens Axboe