Thread: 34 messages, 5 authors, 2019-02-21

Re: v4.20-rc6: Sporadic use-after-free in bt_iter()

From: Jens Axboe <axboe@kernel.dk>
Date: 2018-12-20 21:26:17

On 12/20/18 2:23 PM, Bart Van Assche wrote:
On Thu, 2018-12-20 at 14:00 -0700, Jens Axboe wrote:
On 12/20/18 1:56 PM, Bart Van Assche wrote:
@@ -96,6 +97,9 @@ static void blk_mq_check_inflight(struct blk_mq_hw_ctx *hctx,
 {
 	struct mq_inflight *mi = priv;
 
+	if (rq->q != mi->q)
+		return;
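Review bot: the new guard `if (rq->q != mi->q) return;` reads `rq->q` before it has established that this tag belongs to the queue being iterated, so with a shared tag set the iterator still dereferences requests owned by other queues, which is the use-after-free named in the subject line. The ownership test has to be made from state the iterator already holds (the hctx or tag set it was started on) before any field of `rq` is read; as written, the check also only helps if the `rq->q = NULL` store in `__blk_mq_free_request()` is ordered before the tag is released, and nothing in this hunk enforces that ordering.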
Aren't you back to square one with this one, if the tags are shared? You
can't dereference it before you know it matches.
My patch can only work if the new rq->q = NULL assignment in __blk_mq_free_request()
is executed before the request tag is freed and if freeing a tag does not happen
concurrently with any bt_iter() call. Would you accept that I add a seqlock to avoid
this scenario?
Ugh no, let's not go that far. Why not just use my approach that avoids
any need to dereference rq, unless we know it belongs to the queue in
question? I think that's cheaper than resetting ->queue as well when the
rq completes; I'm always wary of adding new stores in the completion
path.

-- 
Jens Axboe
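The point argued in the message above is that an iterator over a shared tag set must not read any field of a request until it knows the tag belongs to the queue it was started on. The following user-space C model is an added illustration and is not code from this thread or from the block layer: `struct tag_set`, `tag_alloc()`, `tag_free()` and the two `count_inflight_*()` functions are hypothetical simplifications, and the "owner recorded in the slot" check stands in for the kernel's hctx/tag-set ownership test. The scenario (two queues A and B sharing eight tags) is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_TAGS 8

struct queue { int id; };

struct request {
	struct queue *q;	/* owning queue, as stored inside the request */
	int tag;
};

/*
 * One slot of a tag set shared by several queues. The owner is recorded in
 * the slot itself (hypothetical design), so an iterator can decide whether a
 * tag belongs to the queue it was started on without touching rq at all.
 */
struct tag_slot {
	struct request *rq;	/* NULL while the tag is free */
	struct queue *owner;	/* NULL while the tag is free */
};

struct tag_set { struct tag_slot slots[NR_TAGS]; };

/* Hand the first free tag to q; returns the tag, or -1 if none is free. */
static int tag_alloc(struct tag_set *ts, struct queue *q, struct request *rq)
{
	for (int i = 0; i < NR_TAGS; i++) {
		if (ts->slots[i].owner == NULL) {
			rq->q = q;
			rq->tag = i;
			ts->slots[i].owner = q;
			ts->slots[i].rq = rq;
			return i;
		}
	}
	return -1;
}

static void tag_free(struct tag_set *ts, int tag)
{
	ts->slots[tag].rq = NULL;
	ts->slots[tag].owner = NULL;
}

/*
 * The pattern the thread objects to: ownership is decided by reading rq->q,
 * so every live request in the shared set is dereferenced, including the
 * ones that belong to other queues. *foreign counts those dereferences.
 */
static int count_inflight_via_rq(struct tag_set *ts, struct queue *q, int *foreign)
{
	int n = 0;
	*foreign = 0;
	for (int i = 0; i < NR_TAGS; i++) {
		struct request *rq = ts->slots[i].rq;
		if (rq == NULL)
			continue;
		if (rq->q != q) {	/* dereference before ownership is known */
			(*foreign)++;
			continue;
		}
		n++;
	}
	return n;
}

/* Ownership is checked against the slot first; rq is read only for tags of q. */
static int count_inflight_via_slot(struct tag_set *ts, struct queue *q, int *foreign)
{
	int n = 0;
	*foreign = 0;
	for (int i = 0; i < NR_TAGS; i++) {
		if (ts->slots[i].owner != q)
			continue;	/* nothing of rq has been touched */
		if (ts->slots[i].rq != NULL && ts->slots[i].rq->q == q)
			n++;
	}
	return n;
}

/* Constructed scenario: A holds 2 tags, B allocates 3 and frees one. */
static int demo(int use_slot_owner, int *foreign)
{
	struct tag_set ts = {0};
	struct queue qa = {1}, qb = {2};
	struct request ra[2], rb[3];

	for (int i = 0; i < 2; i++) tag_alloc(&ts, &qa, &ra[i]);
	for (int i = 0; i < 3; i++) tag_alloc(&ts, &qb, &rb[i]);
	tag_free(&ts, rb[1].tag);
	return use_slot_owner ? count_inflight_via_slot(&ts, &qa, foreign)
			      : count_inflight_via_rq(&ts, &qa, foreign);
}

/* Number of foreign requests the chosen iterator dereferenced. */
static int demo_foreign(int use_slot_owner)
{
	int f;
	demo(use_slot_owner, &f);
	return f;
}

int main(void)
{
	printf("via rq->q:   inflight=%d foreign derefs=%d\n", demo(0, NULL ? NULL : (int[]){0}), demo_foreign(0));
	printf("via slot:    inflight=%d foreign derefs=%d\n", demo(1, (int[]){0}), demo_foreign(1));
	return 0;
}
```

Both iterators report the same in-flight count for A, but the rq-based one reads through two requests that belong to B, which in the kernel is exactly the memory that another queue may already have freed.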