From: Chris Mason <clm@fb.com>
To: Lars Ellenberg <lars.ellenberg@linbit.com>
Cc: Neil Brown <neilb@suse.de>, Jens Axboe <axboe@kernel.dk>,
Josef Bacik <jbacik@fb.com>, David Sterba <dsterba@suse.com>,
<linux-raid@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH] [RFC] fix potential access after free: return value of blk_check_plugged() must be used schedule() safe
Date: Tue, 5 Apr 2016 20:30:03 -0400 [thread overview]
Message-ID: <20160406003003.GA57524@clm-mbp.masoncoding.com> (raw)
In-Reply-To: <20160405133657.GA3078@soda.linbit>
On Tue, Apr 05, 2016 at 03:36:57PM +0200, Lars Ellenberg wrote:
> blk_check_plugged() will return a pointer
> to an object linked on current->plug->cb_list.
>
> That list may "at any time" be implicitly cleared by
> blk_flush_plug_list()
> flush_plug_callbacks()
> either as a result of blk_finish_plug(),
> or implicitly by schedule() [and maybe other implicit mechanisms?]
>
> If there is no protection against an implicit unplug
> between the call to blk_check_plug() and using its return value,
> that implicit unplug may have already happened,
> even before the plug is actually initialized or populated,
> and we may be using a pointer to already free()d data.
>
> I suggest that both raid1 and raid10 can easily be fixed
> by moving the call to blk_check_plugged() inside the spinlock.
>
> For md/raid5 and btrfs/raid56,
> I'm unsure how (if) this needs to be fixed.
I think you're right, digging in to see if there's something I missed.
But as Neil said, it looks like we just got saved by preemption being
off by default.
-chris
next prev parent reply other threads:[~2016-04-06 0:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-05 13:36 [PATCH] [RFC] fix potential access after free: return value of blk_check_plugged() must be used schedule() safe Lars Ellenberg
2016-04-05 22:49 ` NeilBrown
2016-04-06 0:30 ` Chris Mason [this message]
2016-04-06 0:49 ` Shaohua Li
2016-04-06 3:10 ` NeilBrown
2016-04-06 12:01 ` Lars Ellenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160406003003.GA57524@clm-mbp.masoncoding.com \
--to=clm@fb.com \
--cc=axboe@kernel.dk \
--cc=dsterba@suse.com \
--cc=jbacik@fb.com \
--cc=lars.ellenberg@linbit.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).