From: Bart Van Assche <bvanassche@acm.org>
To: Ming Lei <ming.lei@redhat.com>, linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org, Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org, "Martin K . Petersen" <martin.petersen@oracle.com>, Christoph Hellwig <hch@lst.de>
Cc: Khazhy Kumykov <khazhy@google.com>, Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>, Hannes Reinecke <hare@suse.de>, John Garry <john.garry@huawei.com>, David Jeffery <djeffery@redhat.com>
Subject: Re: [PATCH 7/8] blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
Date: Sun, 25 Apr 2021 11:55:22 -0700
Message-ID: <6c0b0af9-ca71-d143-b1cc-384adfca5438@acm.org>
In-Reply-To: <20210425085753.2617424-8-ming.lei@redhat.com>

On 4/25/21 1:57 AM, Ming Lei wrote:
> However, still one request UAF not covered: refcount_inc_not_zero() may
> read one freed request, and it will be handled in next patch.

This means that patch "blk-mq: clear stale request in tags->rq[] before
freeing one request pool" should come before this patch.

> @@ -276,12 +277,15 @@ static bool bt_tags_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
>  		rq = tags->static_rqs[bitnr];
>  	else
>  		rq = tags->rqs[bitnr];
> -	if (!rq)
> +	if (!rq || !refcount_inc_not_zero(&rq->ref))
>  		return true;
>  	if ((iter_data->flags & BT_TAG_ITER_STARTED) &&
>  	    !blk_mq_request_started(rq))
> -		return true;
> -	return iter_data->fn(rq, iter_data->data, reserved);
> +		ret = true;
> +	else
> +		ret = iter_data->fn(rq, iter_data->data, reserved);
> +	blk_mq_put_rq_ref(rq);
> +	return ret;
>  }

Even if patches 7/8 and 8/8 would be reordered, the above code introduces
a new use-after-free, a use-after-free that is much worse than the UAF in
kernel v5.11. The following sequence can be triggered by the above code:
* bt_tags_iter() reads tags->rqs[bitnr] and stores the request pointer in
  the 'rq' variable.
* Request 'rq' completes, tags->rqs[bitnr] is cleared and the memory that
  backs that request is freed.
* The memory that backs 'rq' is used for another purpose and the request
  reference count becomes nonzero.
* bt_tags_iter() increments the request reference count and thereby
  corrupts memory.

Bart.
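Review bot: the new `if (!rq || !refcount_inc_not_zero(&rq->ref))` check dereferences a pointer that was just loaded from tags->rqs[bitnr], and nothing in this hunk keeps that memory allocated between the load and the increment; the quoted commit text itself concedes that refcount_inc_not_zero() may read a freed request, and if the slab has already recycled that memory and it holds a nonzero count, the increment succeeds on the wrong object. Suggest stating in the commit message what guarantees the request's memory is still valid at this point (tags->rqs[] cleared and a grace period observed before the pool is freed, or a lock held across both the rqs[] lookup and the refcount increment and also taken by the path that clears rqs[]), and holding this hunk back until that guarantee is in the tree rather than relying on a later patch in the series.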
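The four-step sequence in the message above, as an added single-threaded C model that is not code from this thread or from the kernel: the completion is injected deterministically into the window between the pointer load and the refcount increment. The lock-protected variant is an assumption added here as one possible mitigation, not something this message proposes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: a two-slot "slab" whose freed memory is
 * reused, plus a tags->rqs[]-style table pointing into it. */
struct request { int ref; int owner; };   /* owner: which allocation lives here now */
static struct request pool[2];
static struct request *rqs[2];            /* stands in for tags->rqs[] */
static bool tags_locked;                  /* stands in for tags->lock (assumed mitigation) */
static bool refcount_inc_not_zero(int *ref) { if (!*ref) return false; (*ref)++; return true; }

static void setup(int tag, int owner)     /* allocate a request for 'owner', publish it in rqs[] */
{
	pool[tag].ref = 1; pool[tag].owner = owner; rqs[tag] = &pool[tag];
}

/* Steps 2 and 3: completion clears the slot, the object is freed and the slab
 * recycles the same memory for a new owner.  It cannot run while the lock is held. */
static void complete_free_and_reuse(int tag, int new_owner)
{
	if (tags_locked)
		return;                   /* would spin on tags->lock instead */
	rqs[tag] = NULL;
	pool[tag].ref = 0;                /* freed ... */
	pool[tag].owner = new_owner;      /* ... then reused by a new object */
	pool[tag].ref = 1;                /* which holds its own single reference */
}

/* The hunk under review: load, then increment, with completion in between.
 * Returns the owner of the object whose refcount was bumped, or -1. */
static int iter_unsafe(int tag, int racing_owner)
{
	struct request *rq = rqs[tag];                /* step 1 */
	complete_free_and_reuse(tag, racing_owner);   /* steps 2 and 3 */
	if (!rq || !refcount_inc_not_zero(&rq->ref))  /* step 4, on recycled memory */
		return -1;
	return rq->owner;
}

/* Assumed mitigation: lookup and increment under tags->lock, rqs[] cleared under the same lock. */
static int iter_locked(int tag, int racing_owner)
{
	int owner = -1;
	tags_locked = true;
	struct request *rq = rqs[tag];
	complete_free_and_reuse(tag, racing_owner);   /* blocked by the lock */
	if (rq && refcount_inc_not_zero(&rq->ref))
		owner = rq->owner;
	tags_locked = false;
	return owner;
}
```

In the unsafe path the iterator ends up holding a reference on the new owner's object, whose count is now one higher than that owner ever took; in the locked path the original request is still the one referenced.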