On Fri 21-01-22 19:42:11, yukuai (C) wrote:
> On 2022/01/21 18:56, Jan Kara wrote:
> > Hello,
> >
> > here is the fifth version of my patches to fix use-after-free issues in BFQ
> > when processes with merged queues get moved to different cgroups. The patches
> > have survived some beating in my test VM, but so far I fail to reproduce the
> > original KASAN reports so testing from people who can reproduce them is most
> > welcome. Kuai, can you please give these patches a run in your setup? Thanks
> > a lot for your help with fixing this!
> >
> > Changes since v4:
> > * Even more aggressive splitting of merged bfq queues to avoid problems with
> >   long merge chains.
> >
> > Changes since v3:
> > * Changed handling of bfq group move to handle the case when target of the
> >   merge has moved.
> >
> > Changes since v2:
> > * Improved handling of bfq queue splitting on move between cgroups
> > * Removed broken change to bfq_put_cooperator()
> >
> > Changes since v1:
> > * Added fix for bfq_put_cooperator()
> > * Added fix to handle move between cgroups in bfq_merge_bio()
> >
> > Honza
> > Previous versions:
> > Link: http://lore.kernel.org/r/20211223171425.3551-1-jack@xxxxxxx # v1
> > Link: http://lore.kernel.org/r/20220105143037.20542-1-jack@xxxxxxx # v2
> > Link: http://lore.kernel.org/r/20220112113529.6355-1-jack@xxxxxxx # v3
> > Link: http://lore.kernel.org/r/20220114164215.28972-1-jack@xxxxxxx # v4
>
> Hi, Jan
>
> I added a new BUG_ON() in bfq_setup_merge() while iterating new_bfqq, and
> this time this BUG_ON() is triggered:

Thanks for testing!

> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> index 07be51bc229b..6d4e243c9a1e 100644
> --- a/block/bfq-iosched.c
> +++ b/block/bfq-iosched.c
> @@ -2753,6 +2753,14 @@ bfq_setup_merge(struct bfq_queue *bfqq, struct bfq_queue *new_bfqq)
> 	while ((__bfqq = new_bfqq->new_bfqq)) {
> 		if (__bfqq == bfqq)
> 			return NULL;
> +		if (new_bfqq->entity.parent != __bfqq->entity.parent &&
> +		    bfqq_group(__bfqq) != __bfqq->bfqd->root_group) {
> +			printk("%s: bfqq %px(%px) new_bfqq %px(%px)\n", __func__,
> +			       new_bfqq, bfqq_group(new_bfqq), __bfqq,
> +			       bfqq_group(__bfqq));
> +			BUG_ON(1);

This seems to be too early to check and BUG_ON(). Yes, we can walk through
and even end up with a bfqq with a different parent however in that case we
refuse to setup merge a few lines below and so there is no problem.

Are you still able to reproduce the use-after-free issue with this version
of my patches?

								Honza
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
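Review bot: in the added printk the labels do not match the arguments: the format reads "bfqq %px(%px) new_bfqq %px(%px)" but the values passed are new_bfqq, bfqq_group(new_bfqq), __bfqq, bfqq_group(__bfqq), so the pair printed under "bfqq" is really new_bfqq and the pair under "new_bfqq" is really __bfqq, which makes the dump misleading when read against the loop. Suggest "%s: new_bfqq %px(%px) __bfqq %px(%px)\n" (and a log level, e.g. pr_err(), instead of a bare printk). For a debugging aid WARN_ON_ONCE() would also serve better than BUG_ON(1): the machine stays up and a later KASAN report can still be captured, which matters here because, as the reply notes, this check fires before the parent comparison that refuses the merge a few lines below, so a hit does not by itself show the use-after-free.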