From: Ammar Nofan Faizi <[email protected]>
To: Alviro Iskandar Setiawan <[email protected]>
Cc: Ammar Faizi <[email protected]>,
	Muhammad Rizki <[email protected]>,
	Kanna Scarlet <[email protected]>,
	GNU/Weeb Mailing List <[email protected]>
Subject: Re: [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function
Date: Mon, 29 Aug 2022 11:54:03 +0700
Message-ID: <[email protected]>
In-Reply-To: <CAOG64qOTrV=CRS=UMnXL1PY5EqkcCxtsJNpKD9kU0PpqD2USew@mail.gmail.com>

On 8/29/22 11:41 AM, Alviro Iskandar Setiawan wrote:
> On Mon, Aug 29, 2022 at 8:11 AM Ammar Faizi wrote:
>> @@ -251,7 +254,7 @@ net::DefineNetworkTrafficAnnotation("CHNetDelegate", R"(
>>          })");
>>
>>   CHNetDelegate::CHNetDelegate(void):
>> -       thread_("chromium_thread"),
>> +       thread_(*get_thread()),
>>          method_("GET"),
>>          err_("")
>>   {
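Review bot: `thread_(*get_thread())` dereferences the return value unconditionally, but get_thread() (in the later hunk) returns nullptr when g_thpool is null, which the author says happens once chnet_global_destroy() has run, so constructing a CHNetDelegate in that window is a null-pointer dereference inside the initializer list. Suggest keeping a `base::Thread *` member and checking it (or refusing construction explicitly) rather than binding a reference to a possibly-null pointer.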
>> @@ -287,6 +290,7 @@ CHNetDelegate::~CHNetDelegate(void)
>>          r->PostTask(FROM_HERE, base::BindOnce(CHNetDelegateDestruct, &url_req_,
>>                                                &url_req_ctx_, &sig));
>>          sig.Wait();
>> +       put_thread(&thread_);
>>   }
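Review bot: `put_thread(&thread_)` is only reached on the path that goes through the PostTask/`sig.Wait()` block, so any earlier return in `~CHNetDelegate()` leaks the reference taken in the constructor. Suggest releasing on every exit path (a scope guard, or a single exit label), but still after `sig.Wait()`, since the posted destruct task runs on the very thread being released.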
> 
> if @url_req_ and @url_req_ctx_ are both nullptr, this put_thread()
> won't be called and we have a ref count leak

Yes, you're right. Will fix it in the v2 revision.

>>   template <typename T, typename... Types>
>> @@ -629,6 +633,81 @@ static uint32_t g_max_ch_thpool;
>>   static std::mutex g_thpool_lock_;
>>   static struct ch_thpool **g_thpool;
>>
>> +
>> +static base::Thread *get_thread(void)
>> +{
>> +       const uint32_t max_ch_thpool = g_max_ch_thpool;
>> +       const uint32_t nr_ref_split = 2048;
>> +       struct ch_thpool **thp;
>> +       struct ch_thpool *ret = nullptr;
>> +       struct ch_thpool *tmp;
>> +       uint32_t min_ref_idx;
>> +       uint32_t min_ref;
>> +       uint32_t i;
>> +
>> +       g_thpool_lock_.lock();
>> +       thp = g_thpool;
>> +       if (!thp) {
>> +               g_thpool_lock_.unlock();
>> +               return nullptr;
>> +       }
> 
> in what situation @thp can be nullptr?

When the chnet_global_destroy() is called.

>> +       tmp = thp[0];
>> +       if (!tmp) {
>> +               ret = new struct ch_thpool;
>> +               ret->idx_ = 0;
>> +               thp[0] = ret;
>> +               goto out;
>> +       }
>> +
>> +       min_ref = tmp->ref_count_;
>> +       min_ref_idx = 0;
>> +       for (i = 1; i < max_ch_thpool; i++) {
>> +               uint32_t ref;
>> +
>> +               tmp = thp[i];
>> +               if (!tmp) {
>> +                       ret = new struct ch_thpool;
>> +                       ret->idx_ = i;
>> +                       thp[i] = ret;
>> +                       goto out;
>> +               }
>> +
>> +               ref = tmp->ref_count_;
>> +               if (ref < nr_ref_split) {
>> +                       ret = tmp;
>> +                       break;
>> +               }
>> +
>> +               if (ref < min_ref) {
>> +                       min_ref = ref;
>> +                       min_ref_idx = i;
>> +               }
>> +       }
>> +
>> +       if (!ret)
>> +               ret = thp[min_ref_idx];
>> +
>> +out:
>> +       ret->ref_count_++;
>> +       g_thpool_lock_.unlock();
>> +       return &ret->thread_;
>> +}
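Review bot: the `ref < nr_ref_split` check is never applied to `thp[0]`: slot 0 is read before the loop and the loop starts at `i = 1`, so a slot-0 pool holding a single reference is passed over and a second `ch_thpool` is allocated at index 1 as soon as `thp[1]` is empty. Starting the loop at 0 (folding the `thp[0]` special case into it) lets the first pool fill up to `nr_ref_split` before a new one is created, which seems to be the intent of the split. Minor: `max_ch_thpool` is copied from `g_max_ch_thpool` before `g_thpool_lock_` is taken, which is only safe if that value is write-once at init.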
> 
> this unlock() call will behave as a full memory barrier for that
> @ref_count_ increment, is this really needed? you can have the
> increment after unlock() though

No, the ref_count needs to be protected by a mutex. Otherwise, we
have a use-after-free bug.

Possible UAF scenario:

       Thread1                Thread2
       ----                   -------
--> get_thread()
     lock()
     unlock()                 --> put_thread()
     # preempted away         lock()
                              decrement
                              delete
                              unlock()
     increment # UAF!!!       return
     return

-- 
Ammar Faizi
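The interleaving above is the reason the reference count has to move only under the mutex. The following is an added example, not code from the chnet patch or from the project: a stand-alone C++ sketch of the same get/put pool with the increment and decrement both inside the lock, so the "unlock, get preempted, increment freed memory" window cannot exist. `PoolEntry`, `get_entry()`, `put_entry()`, `destroy_pool()`, `kMaxPool` and `kRefSplit` are hypothetical names standing in for `struct ch_thpool`, `get_thread()`, `put_thread()`, `chnet_global_destroy()`, `g_max_ch_thpool` and `nr_ref_split`; the constants are constructed small values so the selection policy can be traced by hand. It follows the patch's slot policy (first slot below the split, otherwise the least-referenced slot) but also applies the split check to slot 0.

```cpp
#include <cstdint>
#include <mutex>

// Hypothetical pool entry standing in for the patch's `struct ch_thpool`. A real
// entry would own a base::Thread; here the payload is just the slot index so the
// example runs without Chromium.
struct PoolEntry {
    uint32_t idx;
    uint32_t ref_count;   // only read or written while g_lock is held
};

static const uint32_t kMaxPool = 4;   // constructed analogue of g_max_ch_thpool
static const uint32_t kRefSplit = 2;  // constructed analogue of nr_ref_split (2048 in the patch)
static std::mutex g_lock;
static PoolEntry *g_pool[kMaxPool] = {};
static bool g_destroyed = false;

// Reset the pool to a known empty state.
static void init_pool(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    for (uint32_t i = 0; i < kMaxPool; i++) {
        delete g_pool[i];
        g_pool[i] = nullptr;
    }
    g_destroyed = false;
}

// Analogue of chnet_global_destroy(): afterwards get_entry() returns nullptr, so
// callers must check the result instead of dereferencing it unconditionally.
// Entries still referenced are freed by their holders' final put_entry().
static void destroy_pool(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    g_destroyed = true;
}

// Pick an entry to share, creating one in the first empty slot.
static PoolEntry *get_entry(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    if (g_destroyed)
        return nullptr;

    PoolEntry *ret = nullptr;
    uint32_t min_ref = 0xffffffffu;
    uint32_t min_ref_idx = 0;

    for (uint32_t i = 0; i < kMaxPool; i++) {
        PoolEntry *e = g_pool[i];
        if (!e) {
            ret = new PoolEntry{i, 0};
            g_pool[i] = ret;
            break;
        }
        if (e->ref_count < kRefSplit) {   // first slot below the split wins
            ret = e;
            break;
        }
        if (e->ref_count < min_ref) {     // otherwise remember the least-referenced one
            min_ref = e->ref_count;
            min_ref_idx = i;
        }
    }
    if (!ret)
        ret = g_pool[min_ref_idx];

    // The increment runs before `guard` releases g_lock. Moved after the unlock,
    // a concurrent put_entry() could observe ref_count == 0, delete the entry,
    // and this increment would then write to freed memory (the UAF above).
    ret->ref_count++;
    return ret;
}

// Drop a reference; the last holder frees the entry and clears its slot.
static void put_entry(PoolEntry *e)
{
    std::lock_guard<std::mutex> guard(g_lock);
    if (--e->ref_count == 0) {
        g_pool[e->idx] = nullptr;
        delete e;
    }
}

// Number of slots currently occupied.
static uint32_t live_entries(void)
{
    std::lock_guard<std::mutex> guard(g_lock);
    uint32_t n = 0;
    for (uint32_t i = 0; i < kMaxPool; i++)
        n += g_pool[i] != nullptr;
    return n;
}

// From an empty pool, take n references and report the slot the (n+1)th lands on.
static uint32_t slot_after(uint32_t n)
{
    init_pool();
    for (uint32_t i = 0; i < n; i++)
        get_entry();
    return get_entry()->idx;
}

// Walk one acquire/release sequence and check the pool is empty at the end.
static bool release_scenario(void)
{
    init_pool();
    PoolEntry *a = get_entry();   // creates slot 0, ref 1
    PoolEntry *b = get_entry();   // shares slot 0, ref 2 (== kRefSplit)
    PoolEntry *c = get_entry();   // slot 0 is at the split: creates slot 1
    bool ok = a == b && c != a && c->idx == 1 && live_entries() == 2;
    put_entry(c);                 // last reference on slot 1: freed
    ok = ok && live_entries() == 1;
    put_entry(a);
    put_entry(b);                 // last reference on slot 0: freed
    return ok && live_entries() == 0;
}
```

With four slots and a split of two, eight acquisitions fill every slot to the split, the ninth falls back to the least-referenced slot (slot 0), and the tenth picks slot 1, which now has the lowest count; after `destroy_pool()` every `get_entry()` returns nullptr, which is the case the constructor in the first hunk has to handle.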


Thread overview: 13+ messages
2022-08-29  1:11 [RFC PATCH v1 0/2] Fixed number of chromium workers Ammar Faizi
2022-08-29  1:11 ` [RFC PATCH v1 1/2] chnet: Prepare global struct ch_thpool array Ammar Faizi
2022-08-29  4:21   ` Alviro Iskandar Setiawan
2022-08-29  4:47     ` Ammar Nofan Faizi
2022-08-29  1:11 ` [RFC PATCH v1 2/2] chnet: Implement `get_thread()` and `put_thread()` function Ammar Faizi
2022-08-29  4:41   ` Alviro Iskandar Setiawan
2022-08-29  4:54     ` Ammar Nofan Faizi [this message]
2022-08-29  5:17       ` Alviro Iskandar Setiawan
2022-08-29  5:24         ` Alviro Iskandar Setiawan
2022-08-29  5:29           ` Ammar Nofan Faizi
2022-08-29  5:38             ` Alviro Iskandar Setiawan
2022-08-29  5:48               ` Ammar Nofan Faizi
2022-08-29  6:01                 ` Alviro Iskandar Setiawan