From: "yukuai (C)" <yukuai3@huawei.com>
To: Ming Lei <ming.lei@redhat.com>
Cc: <axboe@kernel.dk>, <josef@toxicpanda.com>, <hch@infradead.org>,
	<linux-block@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<nbd@other.debian.org>, <yi.zhang@huawei.com>
Subject: Re: [PATCH v5 5/6] nbd: convert to use blk_mq_find_and_get_req()
Date: Tue, 14 Sep 2021 15:13:38 +0800	[thread overview]
Message-ID: <374c6b37-b4b2-fe01-66be-ca2dbbc283e9@huawei.com> (raw)
In-Reply-To: <YUBE4BJ7+kN1c4l8@T590>

On 2021/09/14 14:44, Ming Lei wrote:
> On Tue, Sep 14, 2021 at 11:11:06AM +0800, yukuai (C) wrote:
>> On 2021/09/14 9:11, Ming Lei wrote:
>>> On Thu, Sep 09, 2021 at 10:12:55PM +0800, Yu Kuai wrote:
>>>> blk_mq_tag_to_rq() can only ensure that it returns a valid request in
>>>> the following situation:
>>>>
>>>> 1) client sends a request message to the server first
>>>> submit_bio
>>>> ...
>>>>    blk_mq_get_tag
>>>>    ...
>>>>    blk_mq_get_driver_tag
>>>>    ...
>>>>    nbd_queue_rq
>>>>     nbd_handle_cmd
>>>>      nbd_send_cmd
>>>>
>>>> 2) client receives a response message from the server
>>>> recv_work
>>>>    nbd_read_stat
>>>>     blk_mq_tag_to_rq
>>>>
>>>> If step 1) is missing, blk_mq_tag_to_rq() will return a stale
>>>> request, which might be freed. Thus convert to use
>>>> blk_mq_find_and_get_req() to make sure the returned request is not
>>>> freed.
>>>
>>> But NBD_CMD_INFLIGHT has been added for checking if the reply is
>>> expected, do we still need blk_mq_find_and_get_req() for covering
>>> this issue? BTW, the request and its payload are pre-allocated, so there
>>> isn't a real use-after-free.
>>
>> Hi, Ming
>>
>> Checking NBD_CMD_INFLIGHT relies on the request found by tag being valid,
>> not the other way round.
>>
>> nbd_read_stat
>>   req = blk_mq_tag_to_rq()
>>   cmd = blk_mq_rq_to_pdu(req)
>>   mutex_lock(cmd->lock)
>>   checking NBD_CMD_INFLIGHT
> 
> The request and its payload are pre-allocated, and either req->ref or cmd->lock can
> serve the same purpose here. Once cmd->lock is held, you can check if the cmd is
> inflight or not. If it isn't inflight, just return -ENOENT. Is there any
> problem to handle in this way?

Hi, Ming

In nbd_read_stat:

1) get a request by tag first
2) get nbd_cmd by the request
3) hold cmd->lock and check if cmd is inflight

If we want to check if the cmd is inflight in step 3), we have to do
steps 1) and 2) first. As I explained in patch 0, blk_mq_tag_to_rq()
can't make sure the returned request is not freed:

nbd_read_stat
			blk_mq_sched_free_requests
			 blk_mq_free_rqs
   blk_mq_tag_to_rq
   -> get rq before clear mapping
			  blk_mq_clear_rq_mapping
			  __free_pages -> rq is freed
   blk_mq_request_started -> UAF


Thanks,
Kuai
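The interleaving in the trace above, as an added user-space model that is not the kernel's code and not part of this thread. Every name here (rq_table, rq_pool, tag_to_rq, find_and_get_rq, put_rq, free_rqs, RQ_POISON) is an assumption made for the illustration; blk-mq's real structures differ, and where the kernel would free the backing pages this model poisons the request instead, so the unsafe path yields a poisoned read rather than the undefined behaviour a real use-after-free produces.

```c
/* Added example, not kernel code: a single-threaded model of looking up a
 * request by tag while the tag table is being torn down. All identifiers
 * below are assumptions for illustration only. */
#include <stdbool.h>
#include <stdio.h>

#define NR_TAGS   4
#define RQ_POISON 0xdeadbeefu   /* stands in for "the pages were freed" */

struct rq {
    unsigned int tag;
    unsigned int state;     /* RQ_POISON once "freed" */
    int refcount;           /* references held by lookers-up */
    bool pending_free;      /* mapping cleared while references remain */
};

static struct rq  rq_pool[NR_TAGS];   /* backing storage for the requests */
static struct rq *rq_table[NR_TAGS];  /* tag -> request; NULL once cleared */

static void alloc_rqs(void)
{
    for (unsigned int i = 0; i < NR_TAGS; i++) {
        rq_pool[i] = (struct rq){ .tag = i, .state = 0,
                                  .refcount = 0, .pending_free = false };
        rq_table[i] = &rq_pool[i];
    }
}

/* Models blk_mq_tag_to_rq(): returns the mapped pointer, takes no reference. */
static struct rq *tag_to_rq(unsigned int tag)
{
    return tag < NR_TAGS ? rq_table[tag] : NULL;
}

/* Models a find-and-get lookup: fails once the mapping is cleared, and
 * otherwise pins the request so free_rqs() cannot release it underneath us. */
static struct rq *find_and_get_rq(unsigned int tag)
{
    struct rq *rq = tag_to_rq(tag);
    if (!rq)
        return NULL;
    rq->refcount++;
    return rq;
}

static void release_rq(struct rq *rq)
{
    rq->state = RQ_POISON;          /* "__free_pages" in the model */
}

static void put_rq(struct rq *rq)
{
    if (--rq->refcount == 0 && rq->pending_free)
        release_rq(rq);
}

/* Models blk_mq_free_rqs(): clear the mapping first, then free. A request
 * that is still referenced is only marked and freed by the last put_rq(). */
static void free_rqs(void)
{
    for (unsigned int i = 0; i < NR_TAGS; i++) {
        struct rq *rq = rq_table[i];
        rq_table[i] = NULL;         /* blk_mq_clear_rq_mapping */
        if (rq->refcount == 0)
            release_rq(rq);
        else
            rq->pending_free = true;
    }
}

static bool rq_is_live(const struct rq *rq)
{
    return rq->state != RQ_POISON;
}

/* nbd_read_stat() path from the trace: lookup, then the free runs, then use. */
static bool use_after_tag_to_rq(void)
{
    alloc_rqs();
    struct rq *rq = tag_to_rq(1);   /* got rq before the mapping was cleared */
    free_rqs();                     /* mapping cleared, rq released */
    return rq_is_live(rq);          /* the "blk_mq_request_started" read */
}

/* Same interleaving with the reference-taking lookup. */
static bool use_after_find_and_get(void)
{
    alloc_rqs();
    struct rq *rq = find_and_get_rq(1);
    free_rqs();                     /* mapping cleared, free deferred */
    bool live = rq_is_live(rq);
    put_rq(rq);                     /* last reference dropped: now released */
    return live;
}

/* A lookup that races the other way round (after the clear) must fail. */
static bool lookup_after_clear_fails(void)
{
    alloc_rqs();
    free_rqs();
    return find_and_get_rq(1) == NULL;
}

int main(void)
{
    printf("tag_to_rq then free: request live? %s\n",
           use_after_tag_to_rq() ? "yes" : "no (stale)");
    printf("find_and_get then free: request live? %s\n",
           use_after_find_and_get() ? "yes" : "no");
    printf("lookup after clear returns NULL? %s\n",
           lookup_after_clear_fails() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one argued above: a lock inside the request (cmd->lock in the thread) can only be taken after the request pointer has been obtained, so it cannot protect the lookup itself; a reference taken under the tag table's own synchronisation, or a lookup that fails once the mapping is cleared, can.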

Thread overview: 24+ messages
2021-09-09 14:12 [PATCH v5 0/6] handle unexpected message from server Yu Kuai
2021-09-09 14:12 ` [PATCH v5 1/6] nbd: don't handle response without a corresponding request message Yu Kuai
2021-09-14  0:54   ` Ming Lei
2021-09-09 14:12 ` [PATCH v5 2/6] nbd: make sure request completion won't concurrent Yu Kuai
2021-09-14  0:57   ` Ming Lei
2021-09-14  3:11     ` yukuai (C)
2021-09-09 14:12 ` [PATCH v5 3/6] nbd: check sock index in nbd_read_stat() Yu Kuai
2021-09-09 14:12 ` [PATCH v5 4/6] blk-mq: export two symbols to get request by tag Yu Kuai
2021-09-09 14:12 ` [PATCH v5 5/6] nbd: convert to use blk_mq_find_and_get_req() Yu Kuai
2021-09-14  1:11   ` Ming Lei
2021-09-14  3:11     ` yukuai (C)
2021-09-14  6:44       ` Ming Lei
2021-09-14  7:13         ` yukuai (C) [this message]
2021-09-14  7:46           ` Ming Lei
2021-09-14  9:08             ` yukuai (C)
2021-09-14  9:12               ` yukuai (C)
2021-09-14 14:33               ` Ming Lei
2021-09-14  9:19             ` yukuai (C)
2021-09-14 14:37               ` Ming Lei
2021-09-15  1:54                 ` yukuai (C)
2021-09-15  3:16                   ` Ming Lei
2021-09-15  3:36                     ` yukuai (C)
2021-09-15  3:46                       ` Ming Lei
2021-09-09 14:12 ` [PATCH v5 6/6] nbd: don't start request if nbd_queue_rq() failed Yu Kuai
