From: Ming Lei <ming.lei@redhat.com>
To: linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org, Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org, "Martin K . Petersen" <martin.petersen@oracle.com>, Christoph Hellwig <hch@lst.de>
Cc: Bart Van Assche <bvanassche@acm.org>, Khazhy Kumykov <khazhy@google.com>, Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>, Hannes Reinecke <hare@suse.de>, John Garry <john.garry@huawei.com>, David Jeffery <djeffery@redhat.com>, Ming Lei <ming.lei@redhat.com>
Subject: [PATCH 0/8] blk-mq: fix request UAF related with iterating over tagset requests
Date: Sun, 25 Apr 2021 16:57:45 +0800
Message-ID: <20210425085753.2617424-1-ming.lei@redhat.com>

Hi Guys,

Revert 4 patches from Bart which try to fix request UAF issue related
with iterating over tagset wide requests, because:

1) request UAF caused by normal completion vs. async completion during
iterating can't be covered[1]

2) clearing ->rqs[] is added in fast path, which causes performance loss
by 1% according to Bart's test

3) Bart's approach is too complicated, and some changes aren't needed,
such as adding two versions of tagset iteration

This patchset fixes the request UAF issue by one simpler approach,
without any change in fast path.

1) always complete request synchronously when the completing is run
via blk_mq_tagset_busy_iter(), done in 1st two patches

2) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
and release it after calling ->fn, so ->fn won't be called for one
request if its queue is frozen, done in 3rd patch

3) clearing any stale request referred in ->rqs[] before freeing the
request pool, one per-tags spinlock is added for protecting
grabbing request ref vs. clearing ->rqs[tag], so UAF by
refcount_inc_not_zero in bt_tags_iter() is avoided, done in 4th patch.

[1] https://lore.kernel.org/linux-block/YISzLal7Ur7jyuiy@T590/T/#u

Ming Lei (8):
  Revert "blk-mq: Fix races between blk_mq_update_nr_hw_queues() and iterating over tags"
  Revert "blk-mq: Make it safe to use RCU to iterate over blk_mq_tag_set.tag_list"
  Revert "blk-mq: Fix races between iterating over requests and freeing requests"
  Revert "blk-mq: Introduce atomic variants of blk_mq_(all_tag|tagset_busy)_iter"
  blk-mq: blk_mq_complete_request_locally
  block: drivers: complete request locally from blk_mq_tagset_busy_iter
  blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
  blk-mq: clear stale request in tags->rq[] before freeing one request pool

 block/blk-core.c                  |  34 +------
 block/blk-mq-tag.c                | 147 ++++++------------------------
 block/blk-mq-tag.h                |   7 +-
 block/blk-mq.c                    | 100 +++++++++++++-------
 block/blk-mq.h                    |   2 +-
 block/blk.h                       |   2 -
 block/elevator.c                  |   1 -
 drivers/block/mtip32xx/mtip32xx.c |   2 +-
 drivers/block/nbd.c               |   2 +-
 drivers/nvme/host/core.c          |   2 +-
 drivers/scsi/hosts.c              |  16 ++--
 drivers/scsi/scsi_lib.c           |   6 +-
 drivers/scsi/ufs/ufshcd.c         |   4 +-
 include/linux/blk-mq.h            |   3 +-
 14 files changed, 119 insertions(+), 209 deletions(-)

-- 
2.29.2
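
The refcount and locking scheme from points 2) and 3) of the cover letter, as an added userspace C model; it is not code from the patch series. `struct tags`, `busy_iter`, `free_pool` and `mark_visited` are hypothetical stand-ins, and a C11 `atomic_flag` plays the role of the per-tags spinlock.

```c
/* Userspace model of the cover letter's scheme (added example, not kernel code). */
#include <stdatomic.h>
#include <stdlib.h>
#define NR_TAGS 4
struct request { atomic_int ref; int tag; };
struct tags {
    atomic_flag lock;               /* stands in for the per-tags spinlock */
    struct request *rqs[NR_TAGS];   /* tag -> request; entries can go stale */
};
static void spin_lock(atomic_flag *l)   { while (atomic_flag_test_and_set(l)) ; }
static void spin_unlock(atomic_flag *l) { atomic_flag_clear(l); }

/* Model of refcount_inc_not_zero(): take a ref only while the count is > 0. */
static int ref_inc_not_zero(atomic_int *r)
{
    for (int v = atomic_load(r); v != 0; )
        if (atomic_compare_exchange_weak(r, &v, v + 1))
            return 1;
    return 0;
}

/* Iterator: read rqs[i] and take the ref under the lock, call fn with the
 * lock dropped, then release the ref. Dead or cleared slots are skipped. */
static void busy_iter(struct tags *t, void (*fn)(struct request *))
{
    for (int i = 0; i < NR_TAGS; i++) {
        spin_lock(&t->lock);
        struct request *rq = t->rqs[i];
        int live = rq && ref_inc_not_zero(&rq->ref);
        spin_unlock(&t->lock);
        if (!live) continue;        /* empty, cleared, or completed */
        fn(rq);
        atomic_fetch_sub(&rq->ref, 1);
    }
}

/* Free path: clear slots pointing into the pool under the same lock, then free. */
static void free_pool(struct tags *t, struct request *pool, int n)
{
    spin_lock(&t->lock);
    for (int i = 0; i < NR_TAGS; i++)
        if (t->rqs[i] && t->rqs[i] >= pool && t->rqs[i] < pool + n)
            t->rqs[i] = NULL;
    spin_unlock(&t->lock);
    free(pool);
}

static int visited;                 /* bitmask of tags the callback has seen */
static void mark_visited(struct request *rq) { visited |= 1 << rq->tag; }
```

Because the slot read and the increment happen under the same lock that `free_pool` holds while clearing, the iterator either sees a pointer whose memory is still valid or sees NULL; it never dereferences a freed request.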