On Tue, May 11, 2021 at 11:22:32PM +0800, Ming Lei wrote:
> Hi Jens,
>
> This patchset fixes the request UAF issue by one simple approach,
> without clearing ->rqs[] in fast path, please consider it for 5.13.
>
> 1) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
> and release it after calling ->fn, so ->fn won't be called for one
> request if its queue is frozen, done in 2nd patch
>
> 2) clearing any stale request referred in ->rqs[] before freeing the
> request pool, one per-tags spinlock is added for protecting
> grabbing request ref vs. clearing ->rqs[tag], so UAF by refcount_inc_not_zero
> in bt_tags_iter() is avoided, done in 3rd patch.
>
> V7:
> - fix one null-ptr-deref during updating nr_hw_queues, because
> blk_mq_clear_flush_rq_mapping() may touch non-mapped hw queue's
> tags, only patch 4/4 is modified, reported and verified by
> Shinichiro Kawasaki
> - run blktests and not see regression

Hi Jens,

We have been working on this issue for a bit long, so any chance to get
the fixes merged? Either 5.13 or 5.14 is fine.

Thanks,
Ming
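The locking and refcount protocol the quoted cover letter describes, as an added user-space model that is not code from the patchset or from the kernel: the iterator takes a reference under the per-tags lock before calling fn and drops it afterwards, and a stale ->rqs[] slot is cleared under the same lock before the request's last reference goes away. The names tags_t, req_t, busy_iter, release_req and scenario are assumptions; a C11 atomic_flag stands in for the kernel spinlock and a plain counter for the refcount.

```c
#include <stdatomic.h>
#include <stdlib.h>
#define NR_TAGS 4
typedef struct req { int ref; int completed; } req_t;
typedef struct tags {
    atomic_flag lock;       /* stands in for the per-tags spinlock */
    req_t *rqs[NR_TAGS];    /* stands in for tags->rqs[] */
} tags_t;
static void spin_lock(tags_t *t) { while (atomic_flag_test_and_set(&t->lock)) ; }
static void spin_unlock(tags_t *t) { atomic_flag_clear(&t->lock); }
/* stand-ins for refcount_inc_not_zero() and the final put that frees */
static int req_get_not_zero(req_t *rq) { return rq->ref != 0 && ++rq->ref > 0; }
static void req_put(req_t *rq) { if (--rq->ref == 0) free(rq); }
/* models bt_tags_iter(): ref taken under the lock, fn called outside it, ref dropped after */
static int busy_iter(tags_t *t, void (*fn)(req_t *)) {
    int called = 0;
    for (int tag = 0; tag < NR_TAGS; tag++) {
        spin_lock(t);
        req_t *rq = t->rqs[tag];
        int ok = rq && req_get_not_zero(rq);
        spin_unlock(t);
        if (!ok) continue;      /* empty, stale or dying slot: fn is skipped */
        fn(rq);
        called++;
        req_put(rq);
    }
    return called;
}
/* models clearing the stale ->rqs[] entry under the same lock before the last put */
static void release_req(tags_t *t, req_t *rq) {
    spin_lock(t);
    for (int tag = 0; tag < NR_TAGS; tag++)
        if (t->rqs[tag] == rq) t->rqs[tag] = NULL;
    spin_unlock(t);
    req_put(rq);
}
static void mark(req_t *rq) { rq->completed = 1; }
/* constructed scenario: two requests, one released before the iteration; 1 when fn ran once, on the survivor */
static int scenario(void) {
    tags_t t = { ATOMIC_FLAG_INIT, { 0 } };
    req_t *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    a->ref = b->ref = 1; t.rqs[0] = a; t.rqs[2] = b;
    release_req(&t, b);             /* b freed and its slot cleared */
    int n = busy_iter(&t, mark);    /* visits a only, never the freed b */
    int ok = (n == 1 && a->completed == 1);
    release_req(&t, a);
    return ok;
}
```

Without the lock around the slot read plus req_get_not_zero, the iterator could load a pointer to b after its last put but before the slot is cleared, which is the window the cover letter's refcount_inc_not_zero UAF refers to.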