On 10/03/2021 16:00, Bart Van Assche wrote:
>> So I can incorporate any changes and suggestions so far and send a
>> non-RFC version - that may get more attention if none extra comes.
>> As mentioned on the cover letter, if patch 2+3/3 are accepted, then
>> patch 1/3 could be simplified. But I plan to leave it as is.
>> BTW, any issue with putting your suggested-by on patch 2/3?
> Hi Bart,
> I have added my Reviewed-by to patch 2/3.
OK, thanks.
> Please note that I still want to check further whether some of Ming's
> series "blk-mq: implement queue quiesce via percpu_ref for
> BLK_MQ_F_BLOCKING" can be used.
> Regarding the other two patches in this series: I do not agree with
> patch 3/3. As I have explained, I am concerned that that patch breaks
> existing block drivers.
Understood. I need to check your concern further to allay any fears.
So I could probably change that patch to drop the early return.
Instead we just need to ensure that we complete any existing calls to
blk_mq_tagset_busy_iter() prior to freeing the IO scheduler requests.
Then we don't need to return early and can iter as before - but, as I
said previously, there should be no active tags to iter.
> Are patches 1/3 and 3/3 necessary? Or in other words, is patch 2/3
> sufficient to fix the use-after-free?
No, we need them all in some form.
So far, reports are that 1/3 solves the most common seen UAF. It is
pretty easy to trigger.
But the scenarios associated with 2/3 and 3/3 are much harder to
trigger, and I needed to add delays in the code just to trigger them.
Thanks,
John