public inbox for [email protected]
From: Alviro Iskandar Setiawan <[email protected]>
To: Ammar Nofan Faizi <[email protected]>
Cc: Ammar Faizi <[email protected]>,
	Muhammad Rizki <[email protected]>,
	 Kanna Scarlet <[email protected]>,
	"GNU/Weeb Mailing List" <[email protected]>
Subject: Re: [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function
Date: Mon, 29 Aug 2022 12:17:22 +0700	[thread overview]
Message-ID: <CAOG64qP_5znR4H8ODkQoaPz0XRzSh+VzGJyqsE1T-TZhibOuTg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>

On Mon, Aug 29, 2022 at 11:54 AM Ammar Nofan Faizi wrote:
> On 8/29/22 11:41 AM, Alviro Iskandar Setiawan wrote:
>> On Mon, Aug 29, 2022 at 8:11 AM Ammar Faizi wrote:
>>> @@ -251,7 +254,7 @@ net::DefineNetworkTrafficAnnotation("CHNetDelegate", R"(
>>>          })");
>>>
>>>   CHNetDelegate::CHNetDelegate(void):
>>> -       thread_("chromium_thread"),
>>> +       thread_(*get_thread()),
>>>          method_("GET"),
>>>          err_("")
>>>   {
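Review bot: `thread_(*get_thread())` in the constructor initializer list dereferences the returned pointer unconditionally, but the get_thread() added later in this patch returns nullptr on the `if (!thp)` path (which, per the thread, is the state after chnet_global_destroy()), so a CHNetDelegate constructed in that state is a null-pointer dereference bound into a reference member. Either make get_thread() never return nullptr, or check the result before binding it and fail the construction cleanly.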
>>> @@ -287,6 +290,7 @@ CHNetDelegate::~CHNetDelegate(void)
>>>          r->PostTask(FROM_HERE, base::BindOnce(CHNetDelegateDestruct, &url_req_,
>>>                                                &url_req_ctx_, &sig));
>>>          sig.Wait();
>>> +       put_thread(&thread_);
>>>   }
>>
>> if @url_req_ and @url_req_ctx_ are both nullptr, this put_thread()
>> won't be called and we have a ref count leak
>
> Yes, you're right. Will fix it in the v2 revision.
>
>>>   template <typename T, typename... Types>
>>> @@ -629,6 +633,81 @@ static uint32_t g_max_ch_thpool;
>>>   static std::mutex g_thpool_lock_;
>>>   static struct ch_thpool **g_thpool;
>>>
>>> +
>>> +static base::Thread *get_thread(void)
>>> +{
>>> +       const uint32_t max_ch_thpool = g_max_ch_thpool;
>>> +       const uint32_t nr_ref_split = 2048;
>>> +       struct ch_thpool **thp;
>>> +       struct ch_thpool *ret = nullptr;
>>> +       struct ch_thpool *tmp;
>>> +       uint32_t min_ref_idx;
>>> +       uint32_t min_ref;
>>> +       uint32_t i;
>>> +
>>> +       g_thpool_lock_.lock();
>>> +       thp = g_thpool;
>>> +       if (!thp) {
>>> +               g_thpool_lock_.unlock();
>>> +               return nullptr;
>>> +       }
>>
>> in what situation @thp can be nullptr?
>
> When the chnet_global_destroy() is called.
>
>>> +       tmp = thp[0];
>>> +       if (!tmp) {
>>> +               ret = new struct ch_thpool;
>>> +               ret->idx_ = 0;
>>> +               thp[0] = ret;
>>> +               goto out;
>>> +       }
>>> +
>>> +       min_ref = tmp->ref_count_;
>>> +       min_ref_idx = 0;
>>> +       for (i = 1; i < max_ch_thpool; i++) {
>>> +               uint32_t ref;
>>> +
>>> +               tmp = thp[i];
>>> +               if (!tmp) {
>>> +                       ret = new struct ch_thpool;
>>> +                       ret->idx_ = i;
>>> +                       thp[i] = ret;
>>> +                       goto out;
>>> +               }
>>> +
>>> +               ref = tmp->ref_count_;
>>> +               if (ref < nr_ref_split) {
>>> +                       ret = tmp;
>>> +                       break;
>>> +               }
>>> +
>>> +               if (ref < min_ref) {
>>> +                       min_ref = ref;
>>> +                       min_ref_idx = i;
>>> +               }
>>> +       }
>>> +
>>> +       if (!ret)
>>> +               ret = thp[min_ref_idx];
>>> +
>>> +out:
>>> +       ret->ref_count_++;
>>> +       g_thpool_lock_.unlock();
>>> +       return &ret->thread_;
>>> +}
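Review bot: the selection loop starts at `i = 1`, so thp[0] is only ever a candidate via min_ref and is never compared against nr_ref_split; with thp[0] at, say, 10 refs and thp[1] still empty, the code allocates a second pool entry instead of reusing thp[0], which defeats the split threshold for the first slot. Starting the loop at 0 (and dropping the separate thp[0] pre-check) fixes this. Separately, `ret = new struct ch_thpool;` does not initialise `ref_count_` before `out: ret->ref_count_++;` unless the struct carries a default member initialiser that is not visible here; `new struct ch_thpool()` or an explicit `ret->ref_count_ = 0;` makes the starting count unambiguous.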
>>
>> this unlock() call will behave as a full memory barrier for that
>> @ref_count_ increment, is this really needed? you can have the
>> increment after unlock() tho
>
> No, the ref_count needs to be protected by a mutex. Otherwise, we
> have a use-after-free bug.
>
> Possible UAF scenario:
>
>        Thread1                Thread2
>        ----                   -------
> --> get_thread()
>      lock()
>      unlock()                 --> put_thread()
>      # preempted away         lock()
>                               decrement
>                               delete
>                               unlock()
>      increment # UAF!!!       return
>      return

ic ic, i understand now, i didn't see that coming

tq for explaining

tq

-- Viro
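The reference-counted pool and the use-after-free ordering discussed above, as an added stand-alone example that is not code from the chnet patch or from the thread. It assumes a small pool (`g_pool`, `kRefSplit`, `Slot`, `get_slot`, `put_slot` are hypothetical names) and keeps the increment under the same lock that put_slot() uses to free an entry; it also checks slot 0 against the split threshold rather than starting the scan at index 1.

```cpp
#include <cstdint>
#include <mutex>
#include <vector>

// One pool entry; ref_count is default-initialised so a fresh `new Slot`
// starts at zero (the patch's `new struct ch_thpool` does not guarantee this).
struct Slot {
    uint32_t idx = 0;
    uint32_t ref_count = 0;
};

static std::mutex g_lock;                         // protects g_pool and every ref_count
static std::vector<Slot *> g_pool(4, nullptr);    // assumed pool size of 4 slots
static const uint32_t kRefSplit = 2;              // assumed threshold; the patch uses 2048

// Pick the first empty slot or the first slot below kRefSplit; if every slot
// is at or above the threshold, fall back to the least-referenced one.
Slot *get_slot(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    Slot *ret = nullptr;
    uint32_t min_ref = UINT32_MAX, min_idx = 0;
    for (uint32_t i = 0; i < g_pool.size(); i++) {
        Slot *s = g_pool[i];
        if (!s) {
            ret = new Slot;
            ret->idx = i;
            g_pool[i] = ret;
            break;
        }
        if (s->ref_count < kRefSplit) { ret = s; break; }
        if (s->ref_count < min_ref) { min_ref = s->ref_count; min_idx = i; }
    }
    if (!ret)
        ret = g_pool[min_idx];
    // Still under g_lock: a concurrent put_slot() cannot delete `ret` between
    // the selection above and this increment, which is the UAF window the
    // thread describes for an increment done after unlock().
    ret->ref_count++;
    return ret;
}

// Drop one reference; the last reference frees the slot and clears its index.
void put_slot(Slot *s)
{
    std::lock_guard<std::mutex> guard(g_lock);
    if (--s->ref_count == 0) {
        g_pool[s->idx] = nullptr;
        delete s;
    }
}

// Number of allocated slots, for checking the pool state from outside.
uint32_t live_slots(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    uint32_t n = 0;
    for (Slot *s : g_pool)
        if (s) n++;
    return n;
}
```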
