From: Ming Lei <ming.lei@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: "linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: [PATCH] block: don't dereference request after flush insertion
Date: Mon, 18 Oct 2021 10:30:06 +0800 [thread overview]
Message-ID: <YWzcLuH8VWPOf0ZU@T590> (raw)
In-Reply-To: <65db3ed2-9cc5-b136-0a54-d477acec9a58@kernel.dk>
On Sun, Oct 17, 2021 at 08:16:25PM -0600, Jens Axboe wrote:
> On 10/17/21 8:11 PM, Ming Lei wrote:
> > On Mon, Oct 18, 2021 at 10:02:32AM +0800, Ming Lei wrote:
> >> On Sun, Oct 17, 2021 at 07:50:24PM -0600, Jens Axboe wrote:
> >>> On 10/17/21 7:49 PM, Ming Lei wrote:
> >>>> On Sat, Oct 16, 2021 at 07:35:39PM -0600, Jens Axboe wrote:
> >>>>> We could have a race here, where the request gets freed before we call
> >>>>> into blk_mq_run_hw_queue(). If this happens, we cannot rely on the state
> >>>>> of the request.
> >>>>>
> >>>>> Grab the hardware context before inserting the flush.
> >>>>>
> >>>>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> >>>>>
> >>>>> ---
> >>>>>
> >>>>> diff --git a/block/blk-mq.c b/block/blk-mq.c
> >>>>> index 2197cfbf081f..22b30a89bf3a 100644
> >>>>> --- a/block/blk-mq.c
> >>>>> +++ b/block/blk-mq.c
> >>>>> @@ -2468,9 +2468,10 @@ void blk_mq_submit_bio(struct bio *bio)
> >>>>> }
> >>>>>
> >>>>> if (unlikely(is_flush_fua)) {
> >>>>> + struct blk_mq_hw_ctx *hctx = rq->mq_hctx;
> >>>>> /* Bypass scheduler for flush requests */
> >>>>> blk_insert_flush(rq);
> >>>>> - blk_mq_run_hw_queue(rq->mq_hctx, true);
> >>>>> + blk_mq_run_hw_queue(hctx, true);
> >>>>
> >>>> If the request is freed before running queue, the request queue could
> >>>> be released and the hctx may be freed.
> >>>
> >>> No, we still hold a queue enter ref.
> >>
> >> But that one is released when rq is freed since ac7c5675fa45 ("blk-mq: allow
> >> blk_mq_make_request to consume the q_usage_counter reference"), isn't
> >> it?
> >
> > With commit ac7c5675fa45, any reference to hctx after queuing request could
> > lead to UAF in the code path of blk_mq_submit_bio(). Maybe we need to grab
> > two ref in queue enter, and release one after the bio is submitted.
>
> I'd rather audit and see if there are any, because extra get+put isn't
> exactly free.
Only direct issue needn't that, looks others do need grab one extra
ref if the request has to be queued somewhere before dispatch.
Thanks,
Ming
next prev parent reply other threads:[~2021-10-18 2:30 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-17 1:35 [PATCH] block: don't dereference request after flush insertion Jens Axboe
2021-10-18 1:49 ` Ming Lei
2021-10-18 1:50 ` Jens Axboe
2021-10-18 2:02 ` Ming Lei
2021-10-18 2:10 ` Jens Axboe
2021-10-18 8:34 ` Christoph Hellwig
2021-10-18 2:11 ` Ming Lei
2021-10-18 2:16 ` Jens Axboe
2021-10-18 2:30 ` Ming Lei [this message]
2021-10-18 2:42 ` Ming Lei
2021-10-18 2:44 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YWzcLuH8VWPOf0ZU@T590 \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox