On 5/13/21 6:43 PM, Ming Lei wrote:
> On Tue, May 11, 2021 at 11:22:32PM +0800, Ming Lei wrote:
>> Hi Jens,
>>
>> This patchset fixes the request UAF issue by one simple approach,
>> without clearing ->rqs[] in fast path, please consider it for 5.13.
>>
>> 1) grab request's ref before calling ->fn in blk_mq_tagset_busy_iter,
>> and release it after calling ->fn, so ->fn won't be called for one
>> request if its queue is frozen, done in 2nd patch
>>
>> 2) clearing any stale request referred in ->rqs[] before freeing the
>> request pool, one per-tags spinlock is added for protecting
>> grabbing request ref vs. clearing ->rqs[tag], so UAF by refcount_inc_not_zero
>> in bt_tags_iter() is avoided, done in 3rd patch.
>>
>> V7:
>> - fix one null-ptr-deref during updating nr_hw_queues, because
>> blk_mq_clear_flush_rq_mapping() may touch non-mapped hw queue's
>> tags, only patch 4/4 is modified, reported and verified by
>> Shinichiro Kawasaki
>> - run blktests and not see regression
>
> Hi Jens,
>
> We have been working on this issue for quite a while, so any chance to get
> the fixes merged? Either 5.13 or 5.14 is fine.

Let's get it queued up for 5.14 - we can backport to stable as needed.
I'll do that now.

-- 
Jens Axboe
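The two rules in the quoted cover letter (take a reference on the request before ->fn runs and drop it afterwards; clear stale ->rqs[] slots under a per-tags lock before the pool is freed) can be illustrated in plain userspace C. The model below is an added example written for this page, not code from the patchset or from the kernel's blk-mq: the names tags_busy_iter, tags_free_pool, struct tags and the single-threaded lock stand in for blk_mq_tagset_busy_iter, the request pool teardown, the per-tags spinlock and refcount_t, and the refcount values are constructed so that a completed request leaves a stale pointer in rqs[] with refcount 0.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

#define NR_TAGS 4

/* Hypothetical request: refcount 0 means "dead", so inc_not_zero must fail. */
struct request {
    int tag;
    int refcount;
};

/* Single-threaded stand-in for the per-tags spinlock; misuse aborts. */
struct lock { int held; };
static void lock_acquire(struct lock *l) { if (l->held) abort(); l->held = 1; }
static void lock_release(struct lock *l) { if (!l->held) abort(); l->held = 0; }

struct tags {
    struct lock lock;              /* models the per-tags spinlock from the series */
    struct request *rqs[NR_TAGS];  /* models ->rqs[]; may hold stale pointers */
    struct request *pool;          /* backing storage, freed as one unit */
};

/* Models refcount_inc_not_zero(): a reference is only taken on a live request. */
static bool refcount_inc_not_zero(struct request *rq)
{
    if (rq->refcount == 0)
        return false;
    rq->refcount++;
    return true;
}

static void request_put(struct request *rq) { rq->refcount--; }

typedef bool (*busy_iter_fn)(struct request *rq, void *data);

/* Rule 1: grab the ref under the lock, call ->fn outside it, drop the ref after.
 * Returns how many requests ->fn was invoked for. */
static int tags_busy_iter(struct tags *t, busy_iter_fn fn, void *data)
{
    int called = 0;
    for (int tag = 0; tag < NR_TAGS; tag++) {
        lock_acquire(&t->lock);
        struct request *rq = t->rqs[tag];
        bool got = rq && refcount_inc_not_zero(rq);
        lock_release(&t->lock);
        if (!got)
            continue;          /* empty slot, or a request that is already dead */
        called++;
        bool keep_going = fn(rq, data);
        request_put(rq);
        if (!keep_going)
            break;
    }
    return called;
}

/* Rule 2: clear every stale slot under the same lock before the pool goes away,
 * so an iterator can never load a pointer into memory that is about to be freed. */
static void tags_free_pool(struct tags *t)
{
    lock_acquire(&t->lock);
    for (int tag = 0; tag < NR_TAGS; tag++)
        t->rqs[tag] = NULL;
    lock_release(&t->lock);
    free(t->pool);
    t->pool = NULL;
}

/* Constructed pool: bit N of in_flight_mask set means tag N is in flight (refcount 1);
 * clear bits are completed requests that still sit in rqs[] with refcount 0. */
static int tags_init(struct tags *t, unsigned in_flight_mask)
{
    t->lock.held = 0;
    t->pool = calloc(NR_TAGS, sizeof(*t->pool));
    if (!t->pool)
        return -1;
    for (int tag = 0; tag < NR_TAGS; tag++) {
        t->pool[tag].tag = tag;
        t->pool[tag].refcount = (in_flight_mask >> tag) & 1;
        t->rqs[tag] = &t->pool[tag];
    }
    return 0;
}

/* Counts a request only if the iterator's reference is visibly held while ->fn runs
 * (owner's ref + iterator's ref == 2). */
static bool count_cb(struct request *rq, void *data)
{
    if (rq->refcount == 2)
        (*(int *)data)++;
    return true;
}

/* Exercises both rules; returns 0 when every check holds, otherwise a failure bitmask. */
static int run_demo(void)
{
    struct tags t;
    int seen = 0, fails = 0;
    if (tags_init(&t, 0x5))      /* tags 0 and 2 in flight; 1 and 3 stale */
        return -1;
    if (tags_busy_iter(&t, count_cb, &seen) != 2 || seen != 2) fails |= 1;
    if (t.rqs[0]->refcount != 1 || t.rqs[2]->refcount != 1) fails |= 2; /* refs dropped */
    tags_free_pool(&t);
    seen = 0;
    if (tags_busy_iter(&t, count_cb, &seen) != 0 || seen != 0) fails |= 4;
    for (int tag = 0; tag < NR_TAGS; tag++)
        if (t.rqs[tag]) fails |= 8;  /* no stale pointer survives the teardown */
    return fails;
}

int main(void)
{
    printf("demo failures: %d\n", run_demo());
    return 0;
}
```

The check that matters for the UAF is the pairing: the same lock guards both the load-plus-inc_not_zero in the iterator and the slot clearing in the teardown, so after tags_free_pool returns no iterator can observe a pointer into the freed pool, and a request whose refcount already hit zero is skipped rather than passed to ->fn.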