From: Eric Biggers <ebiggers@kernel.org>
To: Nathan Huckleberry <nhuck@google.com>
Cc: linux-block@vger.kernel.org, Jens Axboe <axboe@kernel.dk>,
linux-fscrypt@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] blk-crypto: make blk_crypto_evict_key() always try to evict
Date: Thu, 2 Mar 2023 22:36:51 +0000 [thread overview]
Message-ID: <ZAElA0k4Q/Pb7xNT@gmail.com> (raw)
In-Reply-To: <CAJkfWY4UOmizG=gm4+Zob7PhwMcmDe7mEviTb-hULT7ByCuqew@mail.gmail.com>
On Thu, Mar 02, 2023 at 02:28:00PM -0800, Nathan Huckleberry wrote:
> Hey Eric,
>
> On Sun, Feb 26, 2023 at 12:43 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Once all I/O using a blk_crypto_key has completed, filesystems can call
> > blk_crypto_evict_key(). However, the block layer doesn't call
> > blk_crypto_put_keyslot() until the request is being cleaned up, which
> > happens after upper layers have been told (via bio_endio()) the I/O has
> > completed. This causes a race condition where blk_crypto_evict_key()
> > can see 'slot_refs > 0' without there being an actual bug.
> >
> > This makes __blk_crypto_evict_key() hit the
> > 'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
> > doing anything, eventually causing a use-after-free in
> > blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
> > been seen when per-file keys are being used with fscrypt.)
> >
> > There are two options to fix this: either release the keyslot in
> > blk_update_request() just before bio_endio() is called on the request's
> > last bio, or just make __blk_crypto_evict_key() ignore slot_refs. Let's
> > go with the latter solution for now, since it avoids adding overhead to
> > the loop in blk_update_request(). (It does have the disadvantage that
> > hypothetical bugs where a key is evicted while still in-use become
> > harder to detect. But so far there haven't been any such bugs anyway.)
>
> I disagree with the proposal to ignore the race condition in
> blk_crypto_evict_key(). As you said, ignoring the error could lead to
> undetected bugs in the future. Instead, I think we should focus on
> fixing the function ordering so that blk_crypto_put_keyslot() is
> called before blk_crypto_evict_key().
>
> I think the overhead is a necessary trade-off to ensure correctness.
>
> Thanks,
Sure, I'm concerned about pushback on adding something to blk_update_request()
that's not critical, but I'll send out that patch for consideration too.
- Eric
prev parent reply other threads:[~2023-03-02 22:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-26 20:38 [PATCH] blk-crypto: make blk_crypto_evict_key() always try to evict Eric Biggers
2023-03-02 22:28 ` Nathan Huckleberry
2023-03-02 22:36 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZAElA0k4Q/Pb7xNT@gmail.com \
--to=ebiggers@kernel.org \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=nhuck@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).