Message-ID: <89f3fc0e-ea04-4b29-a79e-5d2f2ef7af6a@kernel.dk>
Date: Thu, 9 Jan 2025 06:52:19 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
To: Jan Kara, Yu Kuai
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yi.zhang@huawei.com, yangerkun@huawei.com, "yukuai (C)"
References: <20250108084148.1549973-1-yukuai1@huaweicloud.com>
From: Jens Axboe

On 1/9/25 1:50 AM, Jan Kara wrote:
> On Thu 09-01-25 09:32:08, Yu Kuai wrote:
>> Hi,
>>
>> On 2025/01/08 22:42, Jan Kara wrote:
>>>
>>>
>>>> */
>>>> if (bfqq_process_refs(waker_bfqq) == 1)
>>>> return NULL;
>>>> - break;
>>>> +
>>>> + return waker_bfqq;
>>>
>>> So how do you know bfqq_process_refs(waker_bfqq) is not 0 in this case?
>>
>> Because in this case, waker_bfqq is in the merge chain of bfqq, and bfqq
>> is obtained from the current process, which means waker_bfqq should have
>> at least one process reference that is from the current thread.
>
> Ah, right. Thanks for the explanation. Except for the typo the patch looks
> good to me. Feel free to add:
>
> Reviewed-by: Jan Kara
>
> (although I can see Jens has already picked up the patch so probably this
> is immaterial).

Still useful!
The patch has a link to this thread, so it's still connected even if the
commit itself isn't updated. Though with the typo in process, I'm kind of
pondering just amending the commit, and then I'll add your reviewed-by as
well. Usually I don't, but I still appreciate reviews after it's been
queued.

-- 
Jens Axboe
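Review bot: the hunk's safety rests on bfqq_process_refs(waker_bfqq) never being 0 when the `== 1` check is reached, and the argument for that (waker_bfqq is in bfqq's merge chain and bfqq carries the current process's reference, so the count is at least 1) exists only in this thread; add it as a comment above `if (bfqq_process_refs(waker_bfqq) == 1)` so the next reader of `return waker_bfqq;` does not have to re-derive why a zero count is impossible and why returning the pointer here cannot hand back an object about to be freed.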