Re: v4.20-rc6: Sporadic use-after-free in bt_iter()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/20/18 2:23 PM, Bart Van Assche wrote:
> On Thu, 2018-12-20 at 14:00 -0700, Jens Axboe wrote:
>> On 12/20/18 1:56 PM, Bart Van Assche wrote:
>>> @@ -96,6 +97,9 @@ static void blk_mq_check_inflight(struct blk_mq_hw_ctx *hctx,
>>>  {
>>>  	struct mq_inflight *mi = priv;
>>>  
>>> +	if (rq->q != mi->q)
>>> +		return;
>>
>> Aren't you back to square one with this one, if the tags are shared? You
>> can't dereference it before you know it matches.
> 
> My patch can only work if the new rq->q = NULL assignment in __blk_mq_free_request()
> is executed before the request tag is freed and if freeing a tag does not happen
> concurrently with any bt_iter() call. Would you accept that I add a seqlock to avoid
> this scenario?

Ugh no, let's not go that far. Why not just use my approach that avoids
any need to dereference rq, unless we know it belongs to the queue in
question? I think that's cheaper than resetting ->queue as well when the
rq completes, I'm always wary of adding new stores in the completion
path.

-- 
Jens Axboe




[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux