From: Ming Lei <ming.lei@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
	Khazhy Kumykov <khazhy@google.com>,
	Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>,
	Hannes Reinecke <hare@suse.de>,
	John Garry <john.garry@huawei.com>,
	David Jeffery <djeffery@redhat.com>,
	Ming Lei <ming.lei@redhat.com>
Subject: [PATCH V3 0/3] blk-mq: fix request UAF related with iterating over tagset requests
Date: Tue, 27 Apr 2021 23:10:55 +0800
Message-ID: <20210427151058.2833168-1-ming.lei@redhat.com>

Hi Jens,

This patchset fixes the request UAF issue with one simple approach,
without clearing ->rqs[] in the fast path.

1) grab the request's ref before calling ->fn in blk_mq_tagset_busy_iter,
and release it after calling ->fn, so ->fn won't be called for a
request if its queue is frozen; done in the 2nd patch

2) clear any stale request referred to in ->rqs[] before freeing the
request pool; one per-tags spinlock is added to protect grabbing the
request ref vs. clearing ->rqs[tag], so the UAF via refcount_inc_not_zero
in bt_tags_iter() is avoided; done in the 3rd patch.

V3:
	- drop patches for completing requests started in iterator ->fn,
	  because blk-mq guarantees that a valid request is passed to ->fn,
	  and it is the driver's responsibility to avoid double completion.
	  And drivers work well at not completing an rq twice.
	- add one patch for avoiding double accounting of the flush rq

V2:
	- take Bart's suggestion to not add a blk-mq helper for completing
	  requests while they are being iterated
	- don't grab rq->ref if the iterator is over static rqs, because
	  the use case does require iterating over all requests, no matter
	  whether the request is initialized or not


Ming Lei (3):
  block: avoid double io accounting for flush request
  blk-mq: grab rq->refcount before calling ->fn in
    blk_mq_tagset_busy_iter
  blk-mq: clear stale request in tags->rq[] before freeing one request
    pool

 block/blk-flush.c  |  3 +--
 block/blk-mq-tag.c | 29 +++++++++++++++++++------
 block/blk-mq-tag.h |  3 +++
 block/blk-mq.c     | 53 +++++++++++++++++++++++++++++++++++++---------
 block/blk-mq.h     |  1 +
 5 files changed, 71 insertions(+), 18 deletions(-)

-- 
2.29.2
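A user-space C model of the two fixes the cover letter describes, added here as an illustration; it is not code from the series. `struct tags`, `find_and_get_rq`, `free_rq_pool`, `noop_fn` and the `demo` scenario are hypothetical names, and an `atomic_flag` spinlock stands in for the kernel's per-tags spinlock.

```c
#include <stdatomic.h>
#include <stdlib.h>
#define NR_TAGS 4
struct rq { atomic_int ref; };
/* Hypothetical model of blk-mq tags: rqs[] plus the per-tags spinlock patch 3 adds. */
struct tags { atomic_flag lock; struct rq *rqs[NR_TAGS]; };
/* Fast path: publish on start; completion only drops the ref and leaves rqs[tag] stale. */
static void rq_start(struct tags *t, struct rq *rq, int tag) { atomic_store(&rq->ref, 1); t->rqs[tag] = rq; }
static void rq_put(struct rq *rq) { atomic_fetch_sub(&rq->ref, 1); }

/* refcount_inc_not_zero() under the lock: a completed (ref == 0) request is skipped. */
static struct rq *find_and_get_rq(struct tags *t, int tag) {
	while (atomic_flag_test_and_set(&t->lock)) {}        /* spin_lock */
	struct rq *rq = t->rqs[tag];
	int old = rq ? atomic_load(&rq->ref) : 0;
	while (old && !atomic_compare_exchange_weak(&rq->ref, &old, old + 1)) {}
	atomic_flag_clear(&t->lock);                          /* spin_unlock */
	return old ? rq : NULL;
}

/* Patch 2: hold a reference across ->fn; returns how many requests fn was given. */
static int tagset_busy_iter(struct tags *t, void (*fn)(struct rq *)) {
	int n = 0;
	for (int tag = 0; tag < NR_TAGS; tag++) {
		struct rq *rq = find_and_get_rq(t, tag);
		if (rq) { fn(rq); rq_put(rq); n++; }
	}
	return n;
}

/* Patch 3: clear stale rqs[] pointers into this pool under the same lock, then free. */
static void free_rq_pool(struct tags *t, struct rq **pool, int count) {
	while (atomic_flag_test_and_set(&t->lock)) {}
	for (int tag = 0; tag < NR_TAGS; tag++)
		for (int i = 0; i < count; i++)
			if (t->rqs[tag] == pool[i]) t->rqs[tag] = NULL;
	atomic_flag_clear(&t->lock);
	for (int i = 0; i < count; i++) free(pool[i]);
}

static void noop_fn(struct rq *rq) { (void)rq; }
/* Constructed scenario: tags 0 and 2 start, tag 2 completes (stale slot); iterate, free the
 * pool, iterate again. Returns live_count * 10 + after_free_count; 10 means both fixes held. */
static int demo(void) {
	struct tags t = { .lock = ATOMIC_FLAG_INIT };
	struct rq *pool[NR_TAGS];
	for (int i = 0; i < NR_TAGS; i++) pool[i] = calloc(1, sizeof(*pool[i]));
	rq_start(&t, pool[0], 0); rq_start(&t, pool[2], 2); rq_put(pool[2]);
	int live = tagset_busy_iter(&t, noop_fn);
	free_rq_pool(&t, pool, NR_TAGS);
	return live * 10 + tagset_busy_iter(&t, noop_fn);
}
```

Without the patch 3 step, the second iteration would read freed memory through the stale rqs[2] pointer before refcount_inc_not_zero could reject it; with it, the slot is NULL and the iterator sees nothing.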

