From: Ming Lei <ming.lei@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
Khazhy Kumykov <khazhy@google.com>,
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>,
Hannes Reinecke <hare@suse.de>,
John Garry <john.garry@huawei.com>,
David Jeffery <djeffery@redhat.com>,
Ming Lei <ming.lei@redhat.com>
Subject: [PATCH V2 0/3] blk-mq: fix request UAF related with iterating over tagset requests
Date: Tue, 27 Apr 2021 09:45:37 +0800 [thread overview]
Message-ID: <20210427014540.2747282-1-ming.lei@redhat.com> (raw)
Hi Guys,
This patchset fixes the request UAF issue by one simple approach,
without clearing ->rqs[] in fast path.
1) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
and release it after calling ->fn, so ->fn won't be called for one
request if its queue is frozen, done in 1st patch
2) always complete request synchronously when the completion is run
via blk_mq_tagset_busy_iter(), done in 2nd patch
3) clearing any stale request referred in ->rqs[] before freeing the
request pool, one per-tags spinlock is added for protecting
grabbing request ref vs. clearing ->rqs[tag], so UAF by refcount_inc_not_zero
in bt_tags_iter() is avoided, done in 3rd patch.
V2:
- take Bart's suggestion to not add blk-mq helper for completing
requests when it is being iterated
- don't grab rq->ref if the iterator is over static rqs, because
the use case does require iterating over all requests no matter if
the request is initialized or not
Ming Lei (3):
blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
blk-mq: complete request locally if the completion is from tagset iterator
blk-mq: clear stale request in tags->rq[] before freeing one request pool
block/blk-mq-tag.c | 33 ++++++++++++++++++-----
block/blk-mq-tag.h | 3 +++
block/blk-mq.c | 61 +++++++++++++++++++++++++++++++++++-------
block/blk-mq.h | 1 +
include/linux/blkdev.h | 2 ++
5 files changed, 84 insertions(+), 16 deletions(-)
--
2.29.2
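As an added illustration of points 1) and 3) of the cover letter, and not code from this patchset or from the kernel: a constructed, single-threaded C model of the pattern being described, where the iterator takes a reference with inc-not-zero semantics before calling ->fn and the pool teardown clears stale rqs[] slots under the same lock before freeing. Every name here (struct tags, tags_busy_iter, rq_get_not_zero, tags_free_pool, demo_visited_at) is a hypothetical stand-in; a C11 atomic_flag spin lock stands in for the per-tags spinlock and a CAS loop for refcount_inc_not_zero(), and the three-stage scenario is constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define NR_TAGS 4

/* Hypothetical stand-ins for the kernel's struct request / blk_mq_tags. */
struct rq {
	int tag;
	atomic_int ref;	/* 0 means "being torn down": never take a new ref */
};

struct tags {
	atomic_flag lock;		/* stand-in for the per-tags spinlock */
	struct rq *rqs[NR_TAGS];	/* runtime slots; may be NULL or stale */
	struct rq *static_rqs[NR_TAGS];	/* the owned request pool */
};

static void tags_lock(struct tags *t)
{
	while (atomic_flag_test_and_set_explicit(&t->lock, memory_order_acquire))
		;
}

static void tags_unlock(struct tags *t)
{
	atomic_flag_clear_explicit(&t->lock, memory_order_release);
}

/* Same contract as refcount_inc_not_zero(): succeed only if ref is nonzero. */
static bool rq_get_not_zero(struct rq *rq)
{
	int old = atomic_load(&rq->ref);

	while (old != 0) {
		if (atomic_compare_exchange_weak(&rq->ref, &old, old + 1))
			return true;
	}
	return false;
}

static void rq_put(struct rq *rq)
{
	atomic_fetch_sub(&rq->ref, 1);
}

typedef void (*busy_iter_fn)(struct rq *rq, void *priv);

/*
 * Call fn only on requests whose ref could be taken. The lock pairs the
 * rqs[tag] load with the try-get so the freeing path cannot clear the slot
 * and free the request between the two; fn itself runs with the lock dropped.
 */
static int tags_busy_iter(struct tags *t, busy_iter_fn fn, void *priv)
{
	int visited = 0;

	for (int tag = 0; tag < NR_TAGS; tag++) {
		tags_lock(t);
		struct rq *rq = t->rqs[tag];
		bool got = rq && rq_get_not_zero(rq);
		tags_unlock(t);
		if (!got)
			continue;
		fn(rq, priv);
		rq_put(rq);
		visited++;
	}
	return visited;
}

static void tags_init(struct tags *t)
{
	atomic_flag_clear(&t->lock);
	for (int tag = 0; tag < NR_TAGS; tag++) {
		t->rqs[tag] = NULL;
		t->static_rqs[tag] = calloc(1, sizeof(struct rq));
		t->static_rqs[tag]->tag = tag;
	}
}

/* Start a request: it holds one ref while in flight and is published in rqs[]. */
static void tags_start(struct tags *t, int tag)
{
	atomic_store(&t->static_rqs[tag]->ref, 1);
	t->rqs[tag] = t->static_rqs[tag];
}

/* Clear stale rqs[] entries under the lock, then free the pool. */
static void tags_free_pool(struct tags *t)
{
	tags_lock(t);
	for (int tag = 0; tag < NR_TAGS; tag++)
		if (t->rqs[tag] == t->static_rqs[tag])
			t->rqs[tag] = NULL;
	tags_unlock(t);
	for (int tag = 0; tag < NR_TAGS; tag++) {
		free(t->static_rqs[tag]);
		t->static_rqs[tag] = NULL;
	}
}

static void count_fn(struct rq *rq, void *priv)
{
	(void)rq;
	(*(int *)priv)++;
}

/*
 * Constructed scenario. stage 0: tags 0..2 in flight. stage 1: tag 1 ended
 * (ref dropped to 0) with its rqs[] slot deliberately left stale. stage 2:
 * pool freed. Returns how many requests the iterator called fn on.
 */
int demo_visited_at(int stage)
{
	struct tags t;
	int calls = 0, visited;

	tags_init(&t);
	tags_start(&t, 0);
	tags_start(&t, 1);
	tags_start(&t, 2);
	if (stage >= 1)
		rq_put(t.static_rqs[1]);
	if (stage >= 2)
		tags_free_pool(&t);
	visited = tags_busy_iter(&t, count_fn, &calls);
	if (stage < 2)
		tags_free_pool(&t);
	return visited == calls ? visited : -1;
}
```

The point of stage 1 is the one the cover letter makes for the first patch: a stale rqs[] pointer to a request whose ref is already zero is skipped rather than handed to ->fn. Stage 2 is the third patch's point: because the slots are cleared before the pool is freed, the iterator never loads a dangling pointer, and the lock is what keeps "load slot, try to take ref" atomic with respect to "clear slot, free request". Run stage 2 with the clearing loop removed under ASan to see the use-after-free this model exists to prevent.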
Thread overview: 11+ messages
2021-04-27 1:45 Ming Lei [this message]
2021-04-27 1:45 ` [PATCH V2 1/3] blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter Ming Lei
2021-04-27 2:28 ` Bart Van Assche
2021-04-27 2:45 ` Ming Lei
2021-04-27 1:45 ` [PATCH V2 2/3] blk-mq: complete request locally if the completion is from tagset iterator Ming Lei
2021-04-27 2:30 ` Bart Van Assche
2021-04-27 7:06 ` Ming Lei
2021-04-27 9:00 ` Ming Lei
2021-04-27 14:53 ` Bart Van Assche
2021-04-27 1:45 ` [PATCH V2 3/3] blk-mq: clear stale request in tags->rq[] before freeing one request pool Ming Lei
2021-04-27 2:34 ` Bart Van Assche