On Fri, Jan 11, 2019 at 09:01:41AM -0800, Bart Van Assche wrote:
> On Fri, 2019-01-11 at 17:55 +0100, Peter Zijlstra wrote:
> > On Fri, Jan 11, 2019 at 07:55:03AM -0800, Bart Van Assche wrote:
> > > On Fri, 2019-01-11 at 13:48 +0100, Peter Zijlstra wrote:
> > > > I spotted this new v6 in my inbox and have rebased to it.
> > >
> > > Thanks!
> > >
> > > > On Wed, Jan 09, 2019 at 01:01:48PM -0800, Bart Van Assche wrote:
> > > >
> > > > > The changes compared to v5 are:
> > > > > - Modified zap_class() such that it doesn't try to free a list entry
> > > > >   that is already being freed.
> > > >
> > > > I however have a question on this; this seems wrong. Once a list entry
> > > > is enqueued it should not be reachable anymore. If we can reach an entry
> > > > after call_rcu() happened, we've got a problem.
> > >
> > > Apparently I confused you - sorry that I was not more clear. What I meant
> > > is that I changed a single if test into a loop. The graph lock is held
> > > while that loop is being executed so the code below is serialized against
> > > the code called from inside the RCU callback:
> > >
> > > @@ -4574,8 +4563,9 @@ static void zap_class(struct pending_free *pf, struct lock
> > > _class *class)
> > > entry = list_entries + i;
> > > if (entry->class != class && entry->links_to != class)
> > > continue;
> > > - if (__test_and_set_bit(i, pf->list_entries_being_freed))
> > > + if (list_entry_being_freed(i))
> > > continue;
> >
> > Yes, it is the above change that caught my eye.. That checks _both_ your
> > lists. One is your current open one (@pf), but the other could already
> > be pending the call_rcu().
> >
> > So my question is why do we have to check both ?! How come the old code,
> > that only checked @pf, is wrong?
> >
> > > + set_bit(i, pf->list_entries_being_freed);
> > > nr_list_entries--;
> > > list_del_rcu(&entry->entry);
> > > }
>
> The list_del_rcu() call must only happen once.
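Review bot: The hunk replaces the single atomic `__test_and_set_bit(i, pf->list_entries_being_freed)` with a separate `list_entry_being_freed(i)` test followed by `set_bit(i, pf->list_entries_being_freed)`, so the test and the set are no longer one operation; the text above says this is safe because the graph lock is held, but nothing in the hunk records that requirement, so a `lockdep_assert_held()` on the graph lock (or at least a comment) at the top of the loop would make the assumption checkable. The larger concern is the one raised in the thread: the body of `list_entry_being_freed()` is not in the hunk, but if it consults a `pending_free` other than the current `@pf`, then an entry that is already queued behind `call_rcu()` is still reachable from `zap_class()`, and skipping it hides a lifetime bug instead of fixing it. The change to consider is keeping the original single test-and-set against the current `@pf` and, if a hit on an already pending `pending_free` is really possible, surfacing it with a `WARN_ON_ONCE()` so the double-free root cause is found rather than masked.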
Yes; obviously. But if we need to check all @pf's, that means the entry is
still reachable after a single reset_lock()/free_key_range(), which is a
bug.

> I ran into complaints reporting that the list_del_rcu() call triggered
> list corruption. This change made these complaints disappear.

I'm saying this solution is buggy, because that means the entry is still
reachable after we do call_rcu() (which is a straight up UAF).

Also, to put it differently, what guarantees checking those two @pf's is
sufficient? Suppose your earlier @pf already did the RCU callback and
freed stuff while the second is in progress. Then you're poking into dead
space.