Hi Guys,
This patchset fixes the request UAF issue by one simple approach,
without clearing ->rqs[] in fast path.
1) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
and release it after calling ->fn, so ->fn won't be called for one
request if its queue is frozen, done in 1st patch
2) always complete request synchronously when the completing is run
via blk_mq_tagset_busy_iter(), done in 2nd patch
3) clearing any stale request referred in ->rqs[] before freeing the
request pool, one per-tags spinlock is added for protecting
grabbing request ref vs. clearing ->rqs[tag], so UAF by refcount_inc_not_zero
in bt_tags_iter() is avoided, done in 3rd patch.
V2:
- take Bart's suggestion to not add blk-mq helper for completing
requests when it is being iterated
- don't grab rq->ref if the iterator is over static rqs because
the use case do require to iterate over all requests no matter if
the request is initialized or not
Ming Lei (3):
blk-mq: grab rq->refcount before calling ->fn in
blk_mq_tagset_busy_iter
blk-mq: complete request locally if the completion is from tagset
iterator
blk-mq: clear stale request in tags->rq[] before freeing one request
pool
block/blk-mq-tag.c | 33 ++++++++++++++++++-----
block/blk-mq-tag.h | 3 +++
block/blk-mq.c | 61 +++++++++++++++++++++++++++++++++++-------
block/blk-mq.h | 1 +
include/linux/blkdev.h | 2 ++
5 files changed, 84 insertions(+), 16 deletions(-)
--
2.29.2
