Re: [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg

From: Tejun Heo
Date: Tue Dec 13 2022 - 14:29:50 EST

Next message: Mina Almasry: "Re: [PATCH v3] mm: Add nodes= arg to memory.reclaim"
Previous message: Bobby Eshleman: "[PATCH net-next v7] virtio/vsock: replace virtio_vsock_pkt with sk_buff"
In reply to: Waiman Long: "[PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg"
Next in thread: Waiman Long: "Re: [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Dec 13, 2022 at 01:44:45PM -0500, Waiman Long wrote:
> Commit 59b57717fff8 ("blkcg: delay blkg destruction until after
> writeback has finished") delayed call to blkcg_destroy_blkgs() to
> cgwb_release_workfn(). However, it is done after a css_put() of blkcg
> which may be the final put that causes the blkcg to be freed as RCU
> read lock isn't held.
>
> Another place where blkcg_destroy_blkgs() can be called indirectly via
> blkcg_unpin_online() is from the offline_css() function called from
> css_killed_work_fn(). Over there, the potentially final css_put() call
> is issued after offline_css().
>
> By adding a css_tryget() into blkcg_destroy_blkgs() and warning its
> failure, the following stack trace was produced in a test system on
> bootup.

This doesn't agree with the code anymore. Otherwise

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun

Next message: Mina Almasry: "Re: [PATCH v3] mm: Add nodes= arg to memory.reclaim"
Previous message: Bobby Eshleman: "[PATCH net-next v7] virtio/vsock: replace virtio_vsock_pkt with sk_buff"
In reply to: Waiman Long: "[PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg"
Next in thread: Waiman Long: "Re: [PATCH-block v3 1/2] bdi, blk-cgroup: Fix potential UAF of blkcg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]