From: Ammar Nofan Faizi <[email protected]>
To: Alviro Iskandar Setiawan <[email protected]>
Cc: Ammar Faizi <[email protected]>,
Muhammad Rizki <[email protected]>,
Kanna Scarlet <[email protected]>,
GNU/Weeb Mailing List <[email protected]>
Subject: Re: [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function
Date: Mon, 29 Aug 2022 11:54:03 +0700
Message-ID: <[email protected]>
In-Reply-To: <CAOG64qOTrV=CRS=UMnXL1PY5EqkcCxtsJNpKD9kU0PpqD2USew@mail.gmail.com>
On 8/29/22 11:41 AM, Alviro Iskandar Setiawan wrote:
> On Mon, Aug 29, 2022 at 8:11 AM Ammar Faizi wrote:
>> @@ -251,7 +254,7 @@ net::DefineNetworkTrafficAnnotation("CHNetDelegate", R"(
>> })");
>>
>> CHNetDelegate::CHNetDelegate(void):
>> - thread_("chromium_thread"),
>> + thread_(*get_thread()),
>> method_("GET"),
>> err_("")
>> {
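Review bot: `thread_(*get_thread())` dereferences the return value unconditionally, but get_thread() as added later in this patch returns nullptr when g_thpool is NULL, so constructing a CHNetDelegate after the pool has been torn down is a null-pointer dereference in the initializer list. Consider keeping a `base::Thread *` member, assigning it in the constructor body and handling a null result explicitly instead of dereferencing in the initializer.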
>> @@ -287,6 +290,7 @@ CHNetDelegate::~CHNetDelegate(void)
>> r->PostTask(FROM_HERE, base::BindOnce(CHNetDelegateDestruct, &url_req_,
>> &url_req_ctx_, &sig));
>> sig.Wait();
>> + put_thread(&thread_);
>> }
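Review bot: `put_thread(&thread_)` is the last statement of the destructor, after `sig.Wait()`, so any path that leaves the destructor earlier (the null url_req_/url_req_ctx_ case raised in the reply below) never drops the reference. Move the release to a point every exit path reaches, for instance a single return path with the put just before it, or an RAII guard that releases the thread when the destructor unwinds.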
>
> if @url_req_ and @url_req_ctx_ are both nullptr, this put_thread()
> won't be called and we have a ref count leak
Yes, you're right. Will fix it in the v2 revision.
>> template <typename T, typename... Types>
>> @@ -629,6 +633,81 @@ static uint32_t g_max_ch_thpool;
>> static std::mutex g_thpool_lock_;
>> static struct ch_thpool **g_thpool;
>>
>> +
>> +static base::Thread *get_thread(void)
>> +{
>> + const uint32_t max_ch_thpool = g_max_ch_thpool;
>> + const uint32_t nr_ref_split = 2048;
>> + struct ch_thpool **thp;
>> + struct ch_thpool *ret = nullptr;
>> + struct ch_thpool *tmp;
>> + uint32_t min_ref_idx;
>> + uint32_t min_ref;
>> + uint32_t i;
>> +
>> + g_thpool_lock_.lock();
>> + thp = g_thpool;
>> + if (!thp) {
>> + g_thpool_lock_.unlock();
>> + return nullptr;
>> + }
>
> in what situation @thp can be nullptr?
When chnet_global_destroy() is called.
>> + tmp = thp[0];
>> + if (!tmp) {
>> + ret = new struct ch_thpool;
>> + ret->idx_ = 0;
>> + thp[0] = ret;
>> + goto out;
>> + }
>> +
>> + min_ref = tmp->ref_count_;
>> + min_ref_idx = 0;
>> + for (i = 1; i < max_ch_thpool; i++) {
>> + uint32_t ref;
>> +
>> + tmp = thp[i];
>> + if (!tmp) {
>> + ret = new struct ch_thpool;
>> + ret->idx_ = i;
>> + thp[i] = ret;
>> + goto out;
>> + }
>> +
>> + ref = tmp->ref_count_;
>> + if (ref < nr_ref_split) {
>> + ret = tmp;
>> + break;
>> + }
>> +
>> + if (ref < min_ref) {
>> + min_ref = ref;
>> + min_ref_idx = i;
>> + }
>> + }
>> +
>> + if (!ret)
>> + ret = thp[min_ref_idx];
>> +
>> +out:
>> + ret->ref_count_++;
>> + g_thpool_lock_.unlock();
>> + return &ret->thread_;
>> +}
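Review bot: thp[0] is never compared against nr_ref_split, so when the first entry still has spare capacity (ref_count_ < 2048) and thp[1] is empty, the loop allocates a second ch_thpool instead of reusing the first; start the scan at i = 0 so the `!tmp` and `ref < nr_ref_split` checks cover slot 0 too, which also removes the duplicated allocation block before the loop. Separately, both `new struct ch_thpool` paths set only idx_ before reaching `ret->ref_count_++` at out:, so unless ch_thpool default-initializes ref_count_ the first increment reads an indeterminate value; set `ret->ref_count_ = 0` (or give the member a default initializer) when the entry is created.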
>
> this unlock() call will behave as a full memory barrier for that
> @ref_count_ increment, is this really needed? you can have the
> increment after unlock() tho
No, the ref_count needs to be protected by a mutex. Otherwise, we
have a use-after-free bug.
Possible UAF scenario:

  Thread1                    Thread2
  -------                    -------
  --> get_thread()
      lock()
      unlock()               --> put_thread()
      # preempted away           lock()
                                 decrement
                                 delete
                                 unlock()
      increment  # UAF!!!        return
      return
--
Ammar Faizi
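As an added example, not the chnet patch's own code, here is a minimal pool in the shape the reply argues for: get_entry() increments ref_count_ while still holding the mutex and put_entry() decrements and frees under the same mutex, so the interleaving sketched above cannot delete an entry the getter is about to use; it also returns nullptr after teardown, which callers must check. struct ch_thpool is reduced to an assumed two-field PoolEntry and base::Thread is left out entirely.

```cpp
#include <cstdint>
#include <mutex>
#include <vector>

struct PoolEntry {             // stand-in for struct ch_thpool (assumed layout)
    uint32_t idx_;
    uint32_t ref_count_;       // only ever read or written under g_lock
};

static std::mutex g_lock;
static std::vector<PoolEntry *> g_pool;  // empty == pool torn down

static void pool_reset(size_t nr_slots)  // nr_slots == 0 tears the pool down
{
    std::lock_guard<std::mutex> guard(g_lock);
    for (PoolEntry *e : g_pool) delete e;
    g_pool.assign(nr_slots, nullptr);
}

// Returns nullptr once the pool is destroyed; callers must check before use.
static PoolEntry *get_entry(uint32_t nr_ref_split = 2048)
{
    std::lock_guard<std::mutex> guard(g_lock);
    if (g_pool.empty()) return nullptr;
    PoolEntry *ret = nullptr;
    uint32_t min_ref = UINT32_MAX, min_idx = 0;
    for (uint32_t i = 0; i < g_pool.size(); i++) {
        PoolEntry *e = g_pool[i];
        if (!e) { ret = g_pool[i] = new PoolEntry{i, 0}; break; }   // ref_count_ starts at 0
        if (e->ref_count_ < nr_ref_split) { ret = e; break; }       // spare capacity: reuse
        if (e->ref_count_ < min_ref) { min_ref = e->ref_count_; min_idx = i; }
    }
    if (!ret) ret = g_pool[min_idx];  // every slot busy: share the least-loaded one
    ret->ref_count_++;   // incremented BEFORE unlock, so a racing put_entry() cannot free it
    return ret;
}

// Drops one reference under the same lock; the last put frees the entry and empties its slot.
static void put_entry(PoolEntry *e)
{
    std::lock_guard<std::mutex> guard(g_lock);
    if (--e->ref_count_ == 0) { g_pool[e->idx_] = nullptr; delete e; }
}

static int slot_refcount(uint32_t i)  // test helper: refcount of slot i, -1 if empty
{
    std::lock_guard<std::mutex> guard(g_lock);
    return g_pool[i] ? (int)g_pool[i]->ref_count_ : -1;
}
```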