From: Ilya Dryomov <idryomov@gmail.com>
To: Tejun Heo <tj@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org,
Ceph Development <ceph-devel@vger.kernel.org>
Subject: Re: request_queue use-after-free - inode_detach_wb()
Date: Wed, 18 Nov 2015 16:48:06 +0100 [thread overview]
Message-ID: <CAOi1vP_4aUKVjNqvmFxVGVyaif_zuHdVPjzH5RLOJgYMsSirbA@mail.gmail.com> (raw)
In-Reply-To: <20151118153039.GA11496@mtj.duckdns.org>
On Wed, Nov 18, 2015 at 4:30 PM, Tejun Heo <tj@kernel.org> wrote:
> Hello, Ilya.
>
> On Wed, Nov 18, 2015 at 04:12:07PM +0100, Ilya Dryomov wrote:
>> > It's stinky that the bdi is going away while the inode is still there.
>> > Yeah, blkdev inodes are special and created early but I think it makes
>> > sense to keep the underlying structures (queue and bdi) around while
>> > bdev is associated with it. Would simply moving put_disk() after
>> > bdput() work?
>>
>> I'd think so. struct block_device is essentially a "block device"
>> pseudo-filesystem inode, and as such, may not be around during the
>> entire lifetime of gendisk / queue. It may be kicked out of the inode
>> cache as soon as the device is closed, so it makes sense to put it
>> before putting gendisk / queue, which will outlive it.
>>
>> However, I'm confused by this comment
>>
>> /*
>> * ->release can cause the queue to disappear, so flush all
>> * dirty data before.
>> */
>> bdev_write_inode(bdev);
>>
>> It's not true, at least since your 523e1d399ce0 ("block: make gendisk
>> hold a reference to its queue"), right? (It used to say "->release can
>> cause the old bdi to disappear, so must switch it out first" and was
>> changed by Christoph in the middle of his backing_dev_info series.)
>
> Right, it started with each layer going away separately, which tends
> to get tricky with hotunplug, and we've been gradually moving towards
> a model where the entire stack stays till the last ref is gone, so
> yeah the comment isn't true anymore.
OK, I'll try to work up a patch to do bdput before put_disk and also
drop this comment.
Just to be clear, the bdi/wb vs inode lifetime rules are that inodes
should always be within bdi/wb? There's been a lot of churn in this
and related areas recently, including in block drivers: 6cd18e711dd8
("block: destroy bdi before blockdev is unregistered"), b02176f30cd3
("block: don't release bdi while request_queue has live references"),
so I want to fully get my head around this.
Thanks,
Ilya
next prev parent reply other threads:[~2015-11-18 15:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-16 20:59 request_queue use-after-free - inode_detach_wb() Ilya Dryomov
2015-11-17 20:56 ` Tejun Heo
2015-11-18 15:12 ` Ilya Dryomov
2015-11-18 15:30 ` Tejun Heo
2015-11-18 15:48 ` Ilya Dryomov [this message]
2015-11-18 15:56 ` Tejun Heo
2015-11-19 20:56 ` Ilya Dryomov
2015-11-19 21:18 ` Tejun Heo
2015-11-19 21:56 ` Ilya Dryomov
2015-11-19 22:14 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOi1vP_4aUKVjNqvmFxVGVyaif_zuHdVPjzH5RLOJgYMsSirbA@mail.gmail.com \
--to=idryomov@gmail.com \
--cc=ceph-devel@vger.kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).