lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1ac95df7-db0e-2571-3953-4897cac43a6f@huawei.com>
Date:   Wed, 10 Mar 2021 17:26:53 +0000
From:   John Garry <john.garry@...wei.com>
To:     Bart Van Assche <bvanassche@....org>, <hare@...e.de>,
        <ming.lei@...hat.com>, <axboe@...nel.dk>, <hch@....de>
CC:     <linux-block@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <pragalla@...eaurora.org>, <kashyap.desai@...adcom.com>,
        <yuyufen@...wei.com>
Subject: Re: [RFC PATCH v3 3/3] blk-mq: Lockout tagset iterator when exiting
 elevator

On 10/03/2021 16:00, Bart Van Assche wrote:
>> So I can incorporate any changes and suggestions so far and send a 
>> non-RFC version - that may get more attention if none extra comes.
>>
>> As mentioned on the cover letter, if patch 2+3/3 are accepted, then 
>> patch 1/3 could be simplified. But I plan to leave as is.
>>
>> BTW, any issue with putting your suggested-by on patch 2/3?
> 

Hi Bart,

> 
> I have added my Reviewed-by to patch 2/3.
> 

OK, thanks.

Please note that I still want to check further whether some of Ming's 
series "blk-mq: implement queue quiesce via percpu_ref for 
BLK_MQ_F_BLOCKING" can be used.

> Regarding the other two patches in this series: I do not agree with 
> patch 3/3. As I have explained, I am concerned that that patch breaks 
> existing block drivers.

Understood. I need to check your concern further to allay any fears.

So I could probably change that patch to drop the early return.

Instead we just need to ensure that we complete any existing calls to 
blk_mq_tagset_busy_iter() prior to freeing the IO scheduler requests. 
Then we don't need to return early and can iter as before - but, as I 
said previously, there should be no active tags to iter.

> 
> Are patches 1/3 and 3/3 necessary? Or in other words, is patch 2/3 
> sufficient to fix the use-after-free?

No, we need them all in some form.

So far, reports are that 1/3 solves the most common seen UAF. It is 
pretty easy to trigger.

But the scenarios associated with 2/3 and 3/3 are much harder to 
trigger, and I needed to add delays in the code just to trigger them.

Thanks,
John

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ