From: Eric Biggers <ebiggers@kernel.org>
To: Nathan Huckleberry <nhuck@google.com>
Cc: linux-block@vger.kernel.org, Jens Axboe <axboe@kernel.dk>,
linux-fscrypt@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] blk-crypto: make blk_crypto_evict_key() always try to evict
Date: Thu, 2 Mar 2023 22:36:51 +0000 [thread overview]
Message-ID: <ZAElA0k4Q/Pb7xNT@gmail.com> (raw)
In-Reply-To: <CAJkfWY4UOmizG=gm4+Zob7PhwMcmDe7mEviTb-hULT7ByCuqew@mail.gmail.com>
On Thu, Mar 02, 2023 at 02:28:00PM -0800, Nathan Huckleberry wrote:
> Hey Eric,
>
> On Sun, Feb 26, 2023 at 12:43 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Once all I/O using a blk_crypto_key has completed, filesystems can call
> > blk_crypto_evict_key(). However, the block layer doesn't call
> > blk_crypto_put_keyslot() until the request is being cleaned up, which
> > happens after upper layers have been told (via bio_endio()) the I/O has
> > completed. This causes a race condition where blk_crypto_evict_key()
> > can see 'slot_refs > 0' without there being an actual bug.
> >
> > This makes __blk_crypto_evict_key() hit the
> > 'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
> > doing anything, eventually causing a use-after-free in
> > blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
> > been seen when per-file keys are being used with fscrypt.)
> >
> > There are two options to fix this: either release the keyslot in
> > blk_update_request() just before bio_endio() is called on the request's
> > last bio, or just make __blk_crypto_evict_key() ignore slot_refs. Let's
> > go with the latter solution for now, since it avoids adding overhead to
> > the loop in blk_update_request(). (It does have the disadvantage that
> > hypothetical bugs where a key is evicted while still in-use become
> > harder to detect. But so far there haven't been any such bugs anyway.)
>
> I disagree with the proposal to ignore the race condition in
> blk_crypto_evict_key(). As you said, ignoring the error could lead to
> undetected bugs in the future. Instead, I think we should focus on
> fixing the function ordering so that blk_crypto_put_keyslot() is
> called before blk_crypto_evict_key().
>
> I think the overhead is a necessary trade-off to ensure correctness.
>
> Thanks,
Sure, I'm concerned about pushback on adding something to blk_update_request()
that's not critical, but I'll send out that patch for consideration too.
- Eric
prev parent reply other threads:[~2023-03-02 22:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-26 20:38 [PATCH] blk-crypto: make blk_crypto_evict_key() always try to evict Eric Biggers
2023-03-02 22:28 ` Nathan Huckleberry
2023-03-02 22:36 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZAElA0k4Q/Pb7xNT@gmail.com \
--to=ebiggers@kernel.org \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=nhuck@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.