From: Al Viro <viro@zeniv.linux.org.uk>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org
Subject: Re: UAF in blk_add_rq_to_plug()?
Date: Mon, 31 Oct 2022 23:35:24 +0000 [thread overview]
Message-ID: <Y2BbvIdYGM/4L66H@ZenIV> (raw)
In-Reply-To: <1a46585b-878b-a3b7-3090-36bddba86dbd@kernel.dk>
On Mon, Oct 31, 2022 at 04:42:11PM -0600, Jens Axboe wrote:
> On 10/31/22 4:12 PM, Al Viro wrote:
> > static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq)
> > {
> > struct request *last = rq_list_peek(&plug->mq_list);
> >
> > Suppose it's not NULL...
> >
> > if (!plug->rq_count) {
> > trace_block_plug(rq->q);
> > } else if (plug->rq_count >= blk_plug_max_rq_count(plug) ||
> > (!blk_queue_nomerges(rq->q) &&
> > blk_rq_bytes(last) >= BLK_PLUG_FLUSH_SIZE)) {
> > ... and we went here:
> > blk_mq_flush_plug_list(plug, false);
> > All requests, including the one last points to, might get fed ->queue_rq()
> > here. At which point there seems to be nothing to prevent them getting
> > completed and freed on another CPU, possibly before we return here.
> >
> > trace_block_plug(rq->q);
> > }
> >
> > if (!plug->multiple_queues && last && last->q != rq->q)
> > ... and here we dereference last.
> >
> > Shouldn't we reset last to NULL after the call of blk_mq_flush_plug_list()
> > above?
>
> There's no UAF here as the requests aren't freed. We could clear 'last'
> to make the code more explicit, and that would avoid any potential
> suboptimal behavior with ->multiple_queues being wrong.
Umm...
Suppose ->has_elevator is false and so's ->multiple_queues.
No ->queue_rqs(), so blk_mq_flush_plug_list() grabs rcu_read_lock() and
hit blk_mq_plug_issue_direct().
blk_mq_plug_issue_direct() picks the first request off the list
and passes it to blk_mq_request_issue_directly(), which passes it
to __blk_mq_request_issue_directly(). There we grab a tag and
proceed to __blk_mq_issue_directly(), which feeds request to ->queue_rq().
What's to stop e.g. worker on another CPU from picking that sucker,
completing it and calling blk_mq_end_request() which completes all
bio involved and calls blk_mq_free_request()?
If all of that manages to happen before blk_mq_flush_plug_list()
returns to caller... Sure, you probably won't hit in on bare
metal, but if you are in a KVM and this virtual CPU happens to
lose the host timeslice... I've seen considerably more narrow
race windows getting hit on such setups.
Am I missing something subtle here? It's been a long time since
I've read through that area - as the matter of fact, I'm trying
to refresh my memories of the bio_submit()-related code paths
at the moment...
next prev parent reply other threads:[~2022-10-31 23:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-31 22:12 UAF in blk_add_rq_to_plug()? Al Viro
2022-10-31 22:42 ` Jens Axboe
2022-10-31 23:35 ` Al Viro [this message]
2022-11-01 0:03 ` Jens Axboe
2022-11-01 0:06 ` Jens Axboe
2022-11-01 0:54 ` Al Viro
2022-11-01 2:23 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y2BbvIdYGM/4L66H@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.