From: Alviro Iskandar Setiawan <[email protected]>
To: Ammar Nofan Faizi <[email protected]>
Cc: Ammar Faizi <[email protected]>,
Muhammad Rizki <[email protected]>,
Kanna Scarlet <[email protected]>,
"GNU/Weeb Mailing List" <[email protected]>
Subject: Re: [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function
Date: Mon, 29 Aug 2022 12:17:22 +0700 [thread overview]
Message-ID: <CAOG64qP_5znR4H8ODkQoaPz0XRzSh+VzGJyqsE1T-TZhibOuTg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
On Mon, Aug 29, 2022 at 11:54 AM Ammar Nofan Faizi wrote:
> On 8/29/22 11:41 AM, Alviro Iskandar Setiawan wrote:
>> On Mon, Aug 29, 2022 at 8:11 AM Ammar Faizi wrote:
>>> @@ -251,7 +254,7 @@ net::DefineNetworkTrafficAnnotation("CHNetDelegate", R"(
>>> })");
>>>
>>> CHNetDelegate::CHNetDelegate(void):
>>> - thread_("chromium_thread"),
>>> + thread_(*get_thread()),
>>> method_("GET"),
>>> err_("")
>>> {
>>> @@ -287,6 +290,7 @@ CHNetDelegate::~CHNetDelegate(void)
>>> r->PostTask(FROM_HERE, base::BindOnce(CHNetDelegateDestruct, &url_req_,
>>> &url_req_ctx_, &sig));
>>> sig.Wait();
>>> + put_thread(&thread_);
>>> }
>>
>> if @url_req_ and @url_req_ctx_ are both nullptr, this put_thread()
>> won't be called and we have a ref count leak
>
> Yes, you're right. Will fix it in the v2 revision.
>
>>> template <typename T, typename... Types>
>>> @@ -629,6 +633,81 @@ static uint32_t g_max_ch_thpool;
>>> static std::mutex g_thpool_lock_;
>>> static struct ch_thpool **g_thpool;
>>>
>>> +
>>> +static base::Thread *get_thread(void)
>>> +{
>>> + const uint32_t max_ch_thpool = g_max_ch_thpool;
>>> + const uint32_t nr_ref_split = 2048;
>>> + struct ch_thpool **thp;
>>> + struct ch_thpool *ret = nullptr;
>>> + struct ch_thpool *tmp;
>>> + uint32_t min_ref_idx;
>>> + uint32_t min_ref;
>>> + uint32_t i;
>>> +
>>> + g_thpool_lock_.lock();
>>> + thp = g_thpool;
>>> + if (!thp) {
>>> + g_thpool_lock_.unlock();
>>> + return nullptr;
>>> + }
>>
>> in what situation @thp can be nullptr?
>
> When the chnet_global_destroy() is called.
>
>>> + tmp = thp[0];
>>> + if (!tmp) {
>>> + ret = new struct ch_thpool;
>>> + ret->idx_ = 0;
>>> + thp[0] = ret;
>>> + goto out;
>>> + }
>>> +
>>> + min_ref = tmp->ref_count_;
>>> + min_ref_idx = 0;
>>> + for (i = 1; i < max_ch_thpool; i++) {
>>> + uint32_t ref;
>>> +
>>> + tmp = thp[i];
>>> + if (!tmp) {
>>> + ret = new struct ch_thpool;
>>> + ret->idx_ = i;
>>> + thp[i] = ret;
>>> + goto out;
>>> + }
>>> +
>>> + ref = tmp->ref_count_;
>>> + if (ref < nr_ref_split) {
>>> + ret = tmp;
>>> + break;
>>> + }
>>> +
>>> + if (ref < min_ref) {
>>> + min_ref = ref;
>>> + min_ref_idx = i;
>>> + }
>>> + }
>>> +
>>> + if (!ret)
>>> + ret = thp[min_ref_idx];
>>> +
>>> +out:
>>> + ret->ref_count_++;
>>> + g_thpool_lock_.unlock();
>>> + return &ret->thread_;
>>> +}
>>
>> this unlock() call will behave as a full memory barrier for that
>> @ref_count_ increment, is this really needed? you can have the
>> increment after unlock() tho
>
> No, the ref_count needs to be protected by a mutex. Otherwise, we
> have a use-after-free bug.
>
> Possible UAF scenario:
>
> Thread1 Thread2
> ---- -------
> --> get_thread()
> lock()
> unlock() --> put_thread()
> # preempted away lock()
> decrement
> delete
> unlock()
> increment # UAF!!! return
> return
ic ic, i understand now, i didn't see that coming
tq for explaining
tq
-- Viro
next prev parent reply other threads:[~2022-08-29 5:17 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-29 1:11 [RFC PATCH v1 0/2] Fixed number of chromium workers Ammar Faizi
2022-08-29 1:11 ` [RFC PATCH v1 1/2] chnet: Prepare global struct ch_thpool array Ammar Faizi
2022-08-29 4:21 ` Alviro Iskandar Setiawan
2022-08-29 4:47 ` Ammar Nofan Faizi
2022-08-29 1:11 ` [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function Ammar Faizi
2022-08-29 4:41 ` Alviro Iskandar Setiawan
2022-08-29 4:54 ` Ammar Nofan Faizi
2022-08-29 5:17 ` Alviro Iskandar Setiawan [this message]
2022-08-29 5:24 ` Alviro Iskandar Setiawan
2022-08-29 5:29 ` Ammar Nofan Faizi
2022-08-29 5:38 ` Alviro Iskandar Setiawan
2022-08-29 5:48 ` Ammar Nofan Faizi
2022-08-29 6:01 ` Alviro Iskandar Setiawan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOG64qP_5znR4H8ODkQoaPz0XRzSh+VzGJyqsE1T-TZhibOuTg@mail.gmail.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox