Re: [PATCH V6 0/4] blk-mq: fix request UAF related with iterating over tagset requests

On May 07, 2021 / 22:42, Ming Lei wrote:
> Hi Jens,
> 
> This patchset fixes the request UAF issue by one simple approach,
> without clearing ->rqs[] in fast path, please consider it for 5.13.
> 
> 1) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
> and release it after calling ->fn, so ->fn won't be called for one
> request if its queue is frozen, done in 2nd patch
> 
> 2) clearing any stale request referred to in ->rqs[] before freeing the
> request pool, one per-tags spinlock is added for protecting
> grabbing request ref vs. clearing ->rqs[tag], so UAF by refcount_inc_not_zero
> in bt_tags_iter() is avoided, done in 3rd patch.

Ming, thank you for your effort to fix the UAF issue. I applied the V6 series to
kernel v5.13-rc1 and confirmed that the series avoids the UAF I had been
observing with blktests block/005 on an HDD behind an HBA. This is good. However, I
found that the series triggered a block/029 hang. Let me share the kernel message
below, which was printed at the hang. KASAN reported a null-ptr-deref.

[ 2124.489023] run blktests block/029 at 2021-05-11 13:42:22
[ 2124.561386] null_blk: module loaded
[ 2125.201166] general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] SMP KASAN PTI
[ 2125.212387] KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
[ 2125.220656] CPU: 2 PID: 26514 Comm: check Not tainted 5.13.0-rc1+ #3
[ 2125.227710] Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015
[ 2125.235793] RIP: 0010:blk_mq_exit_hctx+0x21b/0x580
[ 2125.241298] Code: 00 00 00 31 db 48 89 44 24 20 85 d2 74 54 49 89 c5 48 b8 00 00 00 00 00 fc ff df 49 c1 ed 03 4c 01 e8 48 89 04 24 48 8b 04 24 <80> 38 00 0f 85 8a 02 00 00 49 8b 87 90 00 00 00 48 63 d3 be 08 00
[ 2125.260747] RSP: 0018:ffff888110677c08 EFLAGS: 00010286
[ 2125.266674] RAX: dffffc0000000012 RBX: 0000000000000000 RCX: ffffffffa4f3710f
[ 2125.274500] RDX: 0000000000000040 RSI: 0000000000000004 RDI: ffff88811f80c4e8
[ 2125.282326] RBP: ffff8881483c0000 R08: 0000000000000000 R09: ffff88811f80c4eb
[ 2125.290153] R10: ffffed1023f0189d R11: 0000000000000001 R12: ffff88811f80c400
[ 2125.297978] R13: 0000000000000012 R14: ffff88810c506038 R15: 0000000000000000
[ 2125.305807] FS:  00007f6dc4d4a740(0000) GS:ffff8883e1480000(0000) knlGS:0000000000000000
[ 2125.314592] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2125.321032] CR2: 00005566b34e55f0 CR3: 000000012c33e005 CR4: 00000000001706e0
[ 2125.328860] Call Trace:
[ 2125.332013]  blk_mq_realloc_hw_ctxs+0x71a/0x15f0
[ 2125.337338]  ? blk_mq_map_queues+0x20c/0x650
[ 2125.342317]  blk_mq_update_nr_hw_queues+0x4cc/0xb70
[ 2125.347905]  ? blk_mq_init_queue+0xb0/0xb0
[ 2125.352709]  nullb_device_submit_queues_store+0x10f/0x1f0 [null_blk]
[ 2125.359781]  ? __null_lookup_page.isra.0+0xd0/0xd0 [null_blk]
[ 2125.366243]  ? __null_lookup_page.isra.0+0xd0/0xd0 [null_blk]
[ 2125.372697]  configfs_write_file+0x2bb/0x450
[ 2125.377676]  vfs_write+0x1cb/0x840
[ 2125.381783]  ksys_write+0xe9/0x1b0
[ 2125.385890]  ? __ia32_sys_read+0xb0/0xb0
[ 2125.390517]  ? syscall_enter_from_user_mode+0x27/0x80
[ 2125.396276]  do_syscall_64+0x40/0x80
[ 2125.400553]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2125.406308] RIP: 0033:0x7f6dc4e3f4e7
[ 2125.410590] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 2125.430036] RSP: 002b:00007ffc7ee29928 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 2125.438306] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f6dc4e3f4e7
[ 2125.446132] RDX: 0000000000000002 RSI: 00005566b34e55f0 RDI: 0000000000000001
[ 2125.453957] RBP: 00005566b34e55f0 R08: 000000000000000a R09: 00007f6dc4ed60c0
[ 2125.461783] R10: 00007f6dc4ed5fc0 R11: 0000000000000246 R12: 0000000000000002
[ 2125.469610] R13: 00007f6dc4f12520 R14: 0000000000000002 R15: 00007f6dc4f12720
[ 2125.477446] Modules linked in: null_blk xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_nat_tftp nf_conntrack_tftp tun nft_objref nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_tables ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security bridge stp llc ip_set rfkill nfnetlink target_core_user ebtable_filter ebtables target_core_mod ip6table_filter ip6_tables iptable_filter sunrpc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm irqbypass rapl intel_cstate intel_uncore joydev i2c_i801 pcspkr i2c_smbus ses enclosure lpc_ich mei_me mei ioatdma wmi ipmi_ssif acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter
[ 2125.477718]  acpi_pad zram ip_tables drm_vram_helper drm_kms_helper cec drm_ttm_helper ttm crct10dif_pclmul crc32_pclmul crc32c_intel drm ghash_clmulni_intel igb mpt3sas nvme nvme_core dca i2c_algo_bit raid_class scsi_transport_sas fuse [last unloaded: null_blk]
[ 2125.588156] ---[ end trace 94b8e87c4a29c520 ]---
[ 2125.615124] RIP: 0010:blk_mq_exit_hctx+0x21b/0x580
[ 2125.620628] Code: 00 00 00 31 db 48 89 44 24 20 85 d2 74 54 49 89 c5 48 b8 00 00 00 00 00 fc ff df 49 c1 ed 03 4c 01 e8 48 89 04 24 48 8b 04 24 <80> 38 00 0f 85 8a 02 00 00 49 8b 87 90 00 00 00 48 63 d3 be 08 00
[ 2125.640077] RSP: 0018:ffff888110677c08 EFLAGS: 00010286
[ 2125.646007] RAX: dffffc0000000012 RBX: 0000000000000000 RCX: ffffffffa4f3710f
[ 2125.653844] RDX: 0000000000000040 RSI: 0000000000000004 RDI: ffff88811f80c4e8
[ 2125.661675] RBP: ffff8881483c0000 R08: 0000000000000000 R09: ffff88811f80c4eb
[ 2125.669502] R10: ffffed1023f0189d R11: 0000000000000001 R12: ffff88811f80c400
[ 2125.677327] R13: 0000000000000012 R14: ffff88810c506038 R15: 0000000000000000
[ 2125.685158] FS:  00007f6dc4d4a740(0000) GS:ffff8883e1480000(0000) knlGS:0000000000000000
[ 2125.693941] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2125.700382] CR2: 00005566b34e55f0 CR3: 000000012c33e005 CR4: 00000000001706e0

-- 
Best Regards,
Shin'ichiro Kawasaki

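The two-part protocol in Ming's quoted summary (take a reference on the request around the ->fn call, and clear stale ->rqs[] pointers under a per-tags lock before the request pool goes away), written out as a small userspace C model. This is an added example, not code from the patch series or from the kernel: every name in it (rq_get_if_alive, tags_busy_iter, pool_free, the `freed` poison flag, a fixed NR_TAGS map, a pthread mutex standing in for the spinlock and an atomic counter standing in for rq->ref) is the model's own, the pool is poisoned instead of released so a violation shows up as a counter rather than a crash, and it says nothing about the block/029 null-ptr-deref in blk_mq_exit_hctx reported above, which this message does not diagnose.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NR_TAGS 8   /* size of the model's single tag map (assumption of the example) */

struct request {
	atomic_uint ref;   /* stands in for rq->ref; 0 once the request has completed */
	int freed;         /* poison set by pool_free(); ->fn seeing it means a use-after-free */
};

struct tags {
	pthread_mutex_t lock;          /* stands in for the per-tags spinlock of the 3rd patch */
	struct request *rqs[NR_TAGS];  /* stands in for tags->rqs[]; completion leaves stale entries */
};

typedef bool (*busy_iter_fn)(struct request *rq, void *priv);

/* Fast path: dispatch publishes the request in rqs[] holding one reference. */
static void rq_start(struct tags *t, struct request *rq, int tag)
{
	rq->freed = 0;
	atomic_store(&rq->ref, 1);
	t->rqs[tag] = rq;
}

/* Completion drops the last reference but, as in the series, does not clear rqs[tag]. */
static void rq_end(struct request *rq) { atomic_store(&rq->ref, 0); }

/* Same contract as refcount_inc_not_zero(): take a reference only while one is still held. */
static bool rq_get_if_alive(struct request *rq)
{
	unsigned old = atomic_load(&rq->ref);
	while (old != 0)
		if (atomic_compare_exchange_weak(&rq->ref, &old, old + 1))
			return true;
	return false;
}

static void rq_put(struct request *rq) { atomic_fetch_sub(&rq->ref, 1); }

/* Iterator after the series: read rqs[tag] and take the reference under the lock, run ->fn
 * without the lock, then drop the reference. Returns how many times ->fn ran. */
static unsigned tags_busy_iter(struct tags *t, busy_iter_fn fn, void *priv)
{
	unsigned called = 0;
	for (int tag = 0; tag < NR_TAGS; tag++) {
		pthread_mutex_lock(&t->lock);
		struct request *rq = t->rqs[tag];
		bool got = rq != NULL && rq_get_if_alive(rq);
		pthread_mutex_unlock(&t->lock);
		if (!got)
			continue;   /* empty slot or stale completed request: ->fn never sees it */
		called++;
		bool keep_going = fn(rq, priv);
		rq_put(rq);
		if (!keep_going)
			break;
	}
	return called;
}

/* Pool teardown after the series: under the lock, NULL every rqs[] entry pointing into the
 * pool's address range so no iterator can reach the memory once it is released; then poison. */
static void pool_free(struct tags *t, struct request *pool, int n)
{
	uintptr_t lo = (uintptr_t)pool, hi = (uintptr_t)(pool + n);
	pthread_mutex_lock(&t->lock);
	for (int tag = 0; tag < NR_TAGS; tag++)
		if ((uintptr_t)t->rqs[tag] >= lo && (uintptr_t)t->rqs[tag] < hi)
			t->rqs[tag] = NULL;
	pthread_mutex_unlock(&t->lock);
	for (int i = 0; i < n; i++)
		pool[i].freed = 1;   /* stands in for free(): a later ->fn call on it is the UAF */
}

struct iter_stats { unsigned seen, uaf; };

/* ->fn for the scenario: count calls and flag any request that was already released. */
static bool count_fn(struct request *rq, void *priv)
{
	struct iter_stats *s = priv;
	s->seen++;
	if (rq->freed)
		s->uaf++;
	return true;
}

/* Dispatch two requests and iterate; complete one and iterate; complete the other, free the
 * pool and iterate again. Returns how many released requests ->fn ever saw (expected 0). */
static unsigned run_scenario(unsigned *while_busy, unsigned *after_complete, unsigned *after_free)
{
	struct tags t = { PTHREAD_MUTEX_INITIALIZER, { NULL } };
	struct request pool[NR_TAGS];
	struct iter_stats s = { 0, 0 };
	rq_start(&t, &pool[0], 0);
	rq_start(&t, &pool[3], 3);
	*while_busy = tags_busy_iter(&t, count_fn, &s);      /* 2: both in flight */
	rq_end(&pool[0]);
	*after_complete = tags_busy_iter(&t, count_fn, &s);  /* 1: rqs[0] is stale with ref 0 */
	rq_end(&pool[3]);
	pool_free(&t, pool, NR_TAGS);
	*after_free = tags_busy_iter(&t, count_fn, &s);      /* 0: mapping cleared before release */
	return s.uaf;
}
```

The point the model makes is the ordering: the lookup and the reference grab happen together under the lock, and the teardown clears the mapping under that same lock before the memory is gone, so an iterator either gets a live reference (and ->fn runs on memory that cannot be freed underneath it) or sees NULL or a zero refcount and skips the slot. Dropping either half reopens the window: without the lock, pool_free can clear rqs[tag] between the read and the refcount_inc_not_zero, which then runs on released memory; without the reference, ->fn can run after a concurrent completion and free.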