| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ba6bd7b2-ac24-9e62-795d-d494434fc152@huawei.com>
Date: Mon, 8 Mar 2021 10:37:51 +0000
From: John Garry <john.garry@...wei.com>
To: Bart Van Assche <bvanassche@....org>, <hare@...e.de>,
<ming.lei@...hat.com>, <axboe@...nel.dk>, <hch@....de>
CC: <linux-block@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<pragalla@...eaurora.org>, <kashyap.desai@...adcom.com>,
<yuyufen@...wei.com>
Subject: Re: [RFC PATCH v3 1/3] blk-mq: Clean up references to old requests
when freeing rqs
On 06/03/2021 18:13, Bart Van Assche wrote:
> On 3/5/21 7:14 AM, John Garry wrote:
>> @@ -2296,10 +2296,14 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
>>
>> for (i = 0; i < tags->nr_tags; i++) {
>> struct request *rq = tags->static_rqs[i];
>> + int j;
>>
>> if (!rq)
>> continue;
>> set->ops->exit_request(set, rq, hctx_idx);
>> + /* clean up any references which occur in @ref_tags */
>> + for (j = 0; ref_tags && j < ref_tags->nr_tags; j++)
>> + cmpxchg(&ref_tags->rqs[j], rq, 0);
>> tags->static_rqs[i] = NULL;
>> }
>> }
Hi Bart,
> What prevents blk_mq_tagset_busy_iter() from reading hctx->tags[...]
> before the cmpxcg() call and dereferencing it after blk_mq_free_rqs()
> has called __free_pages()?
>
So there is nothing in this patch to stop that. But it's pretty
unlikely, as the window is very narrow generally between reading
hctx->tags[...] and actually dereferencing it. However, something like
that should be made safe in patch 2/3.
Thanks,
John
Powered by blists - more mailing lists