From: Ming Lei <ming.lei@redhat.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org,
Dan Williams <dan.j.williams@intel.com>,
yukuai <yukuai3@huawei.com>,
Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Subject: Re: [PATCH] block: fix "Directory XXXXX with parent 'block' already present!"
Date: Fri, 22 Apr 2022 14:43:20 +0800 [thread overview]
Message-ID: <YmJOiCifWa7CDy/e@T590> (raw)
In-Reply-To: <YmJFmUyBczk42j15@infradead.org>
On Thu, Apr 21, 2022 at 11:05:13PM -0700, Christoph Hellwig wrote:
> On Fri, Apr 22, 2022 at 11:01:43AM +0800, Ming Lei wrote:
> > Please see the following reasons:
> >
> > 1) disk_release_mq() calls elevator_exit()/rq_qos_exit(), and the two
> > may trigger UAF if q->debugfs_dir is removed in blk_unregister_queue().
>
> Well. The debugfs_remove_recursive already removes all underlying
> entries, so the extra debugfs_remove_recursive calls there can just
> go away.
> >
> > 2) after deleting disk, blktrace still should/can work for tracing
> > passthrough request.
> >
> > 3) "debugfs directory deleted with blktrace active" in block/002 could
> > be triggered
>
> Well, 3 just tests 2, so these are really one.
>
> But how is blktrace supposed to work after the disk is torn down
> anyway? Pretty much all actual block trace traces reference the
> gendisk and/or block device which are getting freed at that point.
> So doing any blktrace action after the gendisk is released will
> lead to memory corruption. For everyting but SCSI the race windows
> are probably small enough to not be seen by accident, but if you
> unbind the SSI ULP this should be fairly reproducible.
blktrace opens the bdev, so it is safe to trace until blktrace closes
the bdev. And del_gendisk() does happen before releasing disk, that
is why I don't think it is good to remove q->debugfs_dir inside
del_gendisk().
thanks,
Ming
next prev parent reply other threads:[~2022-04-22 6:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-21 8:34 [PATCH] block: fix "Directory XXXXX with parent 'block' already present!" Ming Lei
2022-04-21 12:02 ` Shinichiro Kawasaki
2022-04-21 16:09 ` Christoph Hellwig
2022-04-22 3:01 ` Ming Lei
2022-04-22 6:05 ` Christoph Hellwig
2022-04-22 6:43 ` Ming Lei [this message]
2022-04-21 16:37 ` Dan Williams
2022-04-21 17:28 ` Hannes Reinecke
2022-04-22 1:23 ` yukuai (C)
2022-04-22 2:52 ` Ming Lei
2022-04-21 20:54 ` kernel test robot
2022-04-21 23:06 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YmJOiCifWa7CDy/e@T590 \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=dan.j.williams@intel.com \
--cc=hch@infradead.org \
--cc=linux-block@vger.kernel.org \
--cc=shinichiro.kawasaki@wdc.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.