From: Christoph Hellwig <hch@lst.de>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jens Axboe <axboe@kernel.dk>, Mike Snitzer <snitzer@kernel.org>,
Ulf Hansson <ulf.hansson@linaro.org>,
Adrian Hunter <adrian.hunter@intel.com>,
Ritesh Harjani <riteshh@codeaurora.org>,
Asutosh Das <asutoshd@codeaurora.org>,
Alim Akhtar <alim.akhtar@samsung.com>,
Avri Altman <avri.altman@wdc.com>,
dm-devel@redhat.com, linux-block@vger.kernel.org,
linux-mmc@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] blk-crypto: fix the blk_crypto_profile liftime
Date: Thu, 21 Apr 2022 16:25:35 +0200 [thread overview]
Message-ID: <20220421142535.GA21025@lst.de> (raw)
In-Reply-To: <YmBiAQ/IZbFhRc6o@sol.localdomain>
On Wed, Apr 20, 2022 at 12:41:53PM -0700, Eric Biggers wrote:
> Can you elaborate on what you think the actual problem is here? The lifetime of
> the blk_crypto_profile matches that of the host controller kobject, and I
> thought that it is not destroyed until after higher-level objects such as
> gendisks and request_queues are destroyed.
I don't think all driver authors agree with that assumption (and it isn't
documented anywhere).
The most trivial case is device mapper, where the crypto profіle is freed
before putting the gendisk reference acquired by blk_alloc_disk. So
anyone who opened the sysfs file at some point before the delete can
still have it open and triviall access freed memory when then doing
a read on it after the dm table is freed.
For UFS things seem to work out ok because the ufs_hba is part of
the Scsi_Host, which is the parent device of the gendisk.
> Similar assumptions are made by the
> queue kobject, which assumes it is safe to access the gendisk, and by the
> independent_access_ranges kobject which assumes it is safe to access the queue.
Yes, every queue/ object that references the gendisk has a problem I think.
I've been wading through this code and trying to fix it, which made me
notice this code.
> In any case, this proposal is not correct since it is assuming that each
> blk_crypto_profile is referenced by only one request_queue, which is not
> necessarily the case since a host controller can have multiple disks.
> The same kobject can't be added to multiple places in the hierarchy.
Indeed.
> If we did need to do something differently here, I think we'd either need to put
> the blk_crypto_profile kobject under the host controller one and link to it from
> the queue directories (which I mentioned in commit 20f01f163203 as an
> alternative considered), or duplicate the crypto capabilities in each
> request_queue and only share the actual keyslot management data structures.
Do we even need the link instead of letting the user walk down the
directory hierachy? But yes, having the sysfs attributes on the
actual object is a much better idea.
>
> - Eric
---end quoted text---
WARNING: multiple messages have this Message-ID (diff)
From: Christoph Hellwig <hch@lst.de>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>,
Ulf Hansson <ulf.hansson@linaro.org>,
linux-scsi@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Mike Snitzer <snitzer@kernel.org>,
Adrian Hunter <adrian.hunter@intel.com>,
Ritesh Harjani <riteshh@codeaurora.org>,
linux-block@vger.kernel.org, Avri Altman <avri.altman@wdc.com>,
dm-devel@redhat.com, Alim Akhtar <alim.akhtar@samsung.com>,
linux-mmc@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Asutosh Das <asutoshd@codeaurora.org>
Subject: Re: [dm-devel] [PATCH 2/2] blk-crypto: fix the blk_crypto_profile liftime
Date: Thu, 21 Apr 2022 16:25:35 +0200 [thread overview]
Message-ID: <20220421142535.GA21025@lst.de> (raw)
In-Reply-To: <YmBiAQ/IZbFhRc6o@sol.localdomain>
On Wed, Apr 20, 2022 at 12:41:53PM -0700, Eric Biggers wrote:
> Can you elaborate on what you think the actual problem is here? The lifetime of
> the blk_crypto_profile matches that of the host controller kobject, and I
> thought that it is not destroyed until after higher-level objects such as
> gendisks and request_queues are destroyed.
I don't think all driver authors agree with that assumption (and it isn't
documented anywhere).
The most trivial case is device mapper, where the crypto profіle is freed
before putting the gendisk reference acquired by blk_alloc_disk. So
anyone who opened the sysfs file at some point before the delete can
still have it open and triviall access freed memory when then doing
a read on it after the dm table is freed.
For UFS things seem to work out ok because the ufs_hba is part of
the Scsi_Host, which is the parent device of the gendisk.
> Similar assumptions are made by the
> queue kobject, which assumes it is safe to access the gendisk, and by the
> independent_access_ranges kobject which assumes it is safe to access the queue.
Yes, every queue/ object that references the gendisk has a problem I think.
I've been wading through this code and trying to fix it, which made me
notice this code.
> In any case, this proposal is not correct since it is assuming that each
> blk_crypto_profile is referenced by only one request_queue, which is not
> necessarily the case since a host controller can have multiple disks.
> The same kobject can't be added to multiple places in the hierarchy.
Indeed.
> If we did need to do something differently here, I think we'd either need to put
> the blk_crypto_profile kobject under the host controller one and link to it from
> the queue directories (which I mentioned in commit 20f01f163203 as an
> alternative considered), or duplicate the crypto capabilities in each
> request_queue and only share the actual keyslot management data structures.
Do we even need the link instead of letting the user walk down the
directory hierachy? But yes, having the sysfs attributes on the
actual object is a much better idea.
>
> - Eric
---end quoted text---
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2022-04-21 14:25 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 6:47 fix blk_crypto_profile liftetime Christoph Hellwig
2022-04-20 6:47 ` [dm-devel] " Christoph Hellwig
2022-04-20 6:47 ` [PATCH 1/2] blk-crypto: merge blk-crypto-sysfs.c into blk-crypto-profile.c Christoph Hellwig
2022-04-20 6:47 ` [dm-devel] " Christoph Hellwig
2022-04-20 6:47 ` [PATCH 2/2] blk-crypto: fix the blk_crypto_profile liftime Christoph Hellwig
2022-04-20 6:47 ` [dm-devel] " Christoph Hellwig
2022-04-20 9:49 ` Ulf Hansson
2022-04-20 9:49 ` [dm-devel] " Ulf Hansson
2022-04-20 19:41 ` Eric Biggers
2022-04-20 19:41 ` [dm-devel] " Eric Biggers
2022-04-21 14:25 ` Christoph Hellwig [this message]
2022-04-21 14:25 ` Christoph Hellwig
2022-04-22 6:27 ` Eric Biggers
2022-04-22 6:27 ` [dm-devel] " Eric Biggers
2022-04-21 14:40 ` Greg Kroah-Hartman
2022-04-21 14:40 ` [dm-devel] " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220421142535.GA21025@lst.de \
--to=hch@lst.de \
--cc=adrian.hunter@intel.com \
--cc=alim.akhtar@samsung.com \
--cc=asutoshd@codeaurora.org \
--cc=avri.altman@wdc.com \
--cc=axboe@kernel.dk \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=riteshh@codeaurora.org \
--cc=snitzer@kernel.org \
--cc=ulf.hansson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.