Date: Wed, 30 Nov 2022 14:39:46 +0200
From: Andy Shevchenko
To: Waiman Long
Cc: Jens Axboe, Tejun Heo, cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Ming Lei, Andrew Morton, Michal Koutný, Hillf Danton, Chaitanya Kulkarni, Bart Van Assche, Josef Bacik, Yi Zhang
Subject: Re: [PATCH-block v2] bdi, blk-cgroup: Fix potential UAF of blkcg
In-Reply-To: <20221129203400.1456100-1-longman@redhat.com>

On Tue, Nov 29, 2022 at 03:34:00PM -0500, Waiman Long wrote:
> Commit 59b57717fff8 ("blkcg: delay blkg destruction until after
> writeback has finished") delayed call to blkcg_destroy_blkgs() to
> cgwb_release_workfn(). However, it is done after a css_put() of blkcg
> which may be the final put that causes the blkcg to be freed as RCU
> read lock isn't held.
>
> By adding a css_tryget() into blkcg_destroy_blkgs() and warning its
> failure, the following stack trace was produced in a test system on
> bootup.
>
> [ 34.254240] RIP: 0010:blkcg_destroy_blkgs+0x16a/0x1a0
> :
> [ 34.339943] Call Trace:
> [ 34.342395]
> [ 34.344510] blkcg_unpin_online+0x38/0x60
> [ 34.348523] cgwb_release_workfn+0x6a/0x200
> [ 34.352708] process_one_work+0x1e5/0x3b0
> [ 34.356742] ? rescuer_thread+0x390/0x390
> [ 34.360758] worker_thread+0x50/0x3a0
> [ 34.364425] ? rescuer_thread+0x390/0x390
> [ 34.368447] kthread+0xd9/0x100
> [ 34.371592] ? kthread_complete_and_exit+0x20/0x20
> [ 34.376386] ret_from_fork+0x22/0x30
> [ 34.379982]

https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages

> This confirms that a potential UAF situation can happen.
>
> Fix that by delaying the css_put() until after the blkcg_unpin_online()
> call. Also use css_tryget() in blkcg_destroy_blkgs() and issue a warning
> if css_tryget() fails with no RCU read lock held.
>
> The reproducing system can no longer produce a warning with this patch.
> All the runnable block/0* tests including block/027 were run successfully
> without failure.

--
With Best Regards,
Andy Shevchenko
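The put ordering discussed in the quoted commit message, as an added user-space model (not code from the patch or the kernel): struct obj, obj_tryget(), obj_put(), destroy_step() and run_release() are hypothetical stand-ins for the css reference, css_tryget(), css_put(), the guarded destroy step and the release work function.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space stand-in for a css-style refcounted object (hypothetical). */
struct obj {
    int refcnt;     /* 0 means the final put has already happened */
    bool released;  /* set where the kernel would free the object */
    int warnings;   /* failed tryget attempts, the model's WARN */
};

static bool obj_tryget(struct obj *o)
{
    if (o->refcnt > 0)
        o->refcnt++;            /* only a live object can gain a reference */
    return o->refcnt > 0;
}

static void obj_put(struct obj *o)
{
    if (--o->refcnt == 0)
        o->released = true;     /* memory is never really freed here */
}

/* Models the destroy step guarded by tryget-and-warn. */
static void destroy_step(struct obj *o)
{
    if (!obj_tryget(o)) {
        o->warnings++;          /* object already released: do not use it */
        return;
    }
    obj_put(o);                 /* after the work that dereferences o */
}

/* Release work holding the last reference; returns the warning count. */
static int run_release(bool put_first)
{
    struct obj o = { .refcnt = 1 };
    if (put_first)
        obj_put(&o);            /* reported order: may be the final put */
    destroy_step(&o);
    if (!put_first)
        obj_put(&o);            /* fixed order: put after the last use */
    return o.released ? o.warnings : -1;
}

int main(void)
{
    printf("put first: %d, put last: %d warning(s)\n",
           run_release(true), run_release(false));
    return 0;
}
```
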