From: "yukuai (C)" <yukuai3@huawei.com>
To: Ming Lei <ming.lei@redhat.com>
Cc: <axboe@kernel.dk>, <josef@toxicpanda.com>, <hch@infradead.org>,
<linux-block@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<nbd@other.debian.org>, <yi.zhang@huawei.com>
Subject: Re: [PATCH v5 5/6] nbd: convert to use blk_mq_find_and_get_req()
Date: Tue, 14 Sep 2021 17:19:31 +0800 [thread overview]
Message-ID: <b8301834-5541-76ee-13a9-0fa565fce7e3@huawei.com> (raw)
In-Reply-To: <YUBTVBioqJ7qas2R@T590>
On 在 2021/09/14 15:46, Ming Lei wrote:
> If the above can happen, blk_mq_find_and_get_req() may not fix it too, just
> wondering why not take the following simpler way for avoiding the UAF?
>
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index 5170a630778d..dfa5cce71f66 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -795,9 +795,13 @@ static void recv_work(struct work_struct *work)
> work);
> struct nbd_device *nbd = args->nbd;
> struct nbd_config *config = nbd->config;
> + struct request_queue *q = nbd->disk->queue;
> struct nbd_cmd *cmd;
> struct request *rq;
>
> + if (!percpu_ref_tryget(&q->q_usage_counter))
> + return;
> +
> while (1) {
> cmd = nbd_read_stat(nbd, args->index);
> if (IS_ERR(cmd)) {
> @@ -813,6 +817,7 @@ static void recv_work(struct work_struct *work)
> if (likely(!blk_should_fake_timeout(rq->q)))
> blk_mq_complete_request(rq);
> }
> + blk_queue_exit(q);
> nbd_config_put(nbd);
> atomic_dec(&config->recv_threads);
> wake_up(&config->recv_wq);
>
Hi, Ming
This apporch is wrong.
If blk_mq_freeze_queue() is called, and nbd is waiting for all
request to complete. percpu_ref_tryget() will fail here, and deadlock
will occur because request can't complete in recv_work().
Thanks,
Kuai
next prev parent reply other threads:[~2021-09-14 9:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-09 14:12 [PATCH v5 0/6] handle unexpected message from server Yu Kuai
2021-09-09 14:12 ` [PATCH v5 1/6] nbd: don't handle response without a corresponding request message Yu Kuai
2021-09-14 0:54 ` Ming Lei
2021-09-09 14:12 ` [PATCH v5 2/6] nbd: make sure request completion won't concurrent Yu Kuai
2021-09-14 0:57 ` Ming Lei
2021-09-14 3:11 ` yukuai (C)
2021-09-09 14:12 ` [PATCH v5 3/6] nbd: check sock index in nbd_read_stat() Yu Kuai
2021-09-09 14:12 ` [PATCH v5 4/6] blk-mq: export two symbols to get request by tag Yu Kuai
2021-09-09 14:12 ` [PATCH v5 5/6] nbd: convert to use blk_mq_find_and_get_req() Yu Kuai
2021-09-14 1:11 ` Ming Lei
2021-09-14 3:11 ` yukuai (C)
2021-09-14 6:44 ` Ming Lei
2021-09-14 7:13 ` yukuai (C)
2021-09-14 7:46 ` Ming Lei
2021-09-14 9:08 ` yukuai (C)
2021-09-14 9:12 ` yukuai (C)
2021-09-14 14:33 ` Ming Lei
2021-09-14 9:19 ` yukuai (C) [this message]
2021-09-14 14:37 ` Ming Lei
2021-09-15 1:54 ` yukuai (C)
2021-09-15 3:16 ` Ming Lei
2021-09-15 3:36 ` yukuai (C)
2021-09-15 3:46 ` Ming Lei
2021-09-09 14:12 ` [PATCH v5 6/6] nbd: don't start request if nbd_queue_rq() failed Yu Kuai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b8301834-5541-76ee-13a9-0fa565fce7e3@huawei.com \
--to=yukuai3@huawei.com \
--cc=axboe@kernel.dk \
--cc=hch@infradead.org \
--cc=josef@toxicpanda.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@redhat.com \
--cc=nbd@other.debian.org \
--cc=yi.zhang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.