Message-ID: <fff92b15-d483-ad6a-bb01-ef61117b7cbd@acm.org>
Date: Tue, 16 Mar 2021 10:00:02 -0700
From: Bart Van Assche <bvanassche@....org>
To: John Garry <john.garry@...wei.com>, Ming Lei <ming.lei@...hat.com>
Cc: "hare@...e.de" <hare@...e.de>, "axboe@...nel.dk" <axboe@...nel.dk>,
"hch@....de" <hch@....de>,
"linux-block@...r.kernel.org" <linux-block@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"pragalla@...eaurora.org" <pragalla@...eaurora.org>,
"kashyap.desai@...adcom.com" <kashyap.desai@...adcom.com>,
yuyufen <yuyufen@...wei.com>
Subject: Re: [RFC PATCH v3 2/3] blk-mq: Freeze and quiesce all queues for tagset in elevator_exit()

On 3/16/21 9:15 AM, John Garry wrote:
> I'll have a look at this ASAP - a bit busy.
>
> But a quick scan and I notice this:
>
> > @@ -226,6 +226,7 @@ static inline void __blk_mq_put_driver_tag(struct
> blk_mq_hw_ctx *hctx,
> > struct request *rq)
> > {
> > blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
> > + rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
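Review bot: the added NULL store to hctx->tags->rqs[rq->tag] comes after blk_mq_put_tag() has already released rq->tag, so if the tag is handed out again and the slot is repopulated before this store lands, the store wipes the new owner's entry. Consider clearing the slot before the blk_mq_put_tag() call, and add a comment saying which readers depend on the RCU-published NULL and what they must hold while dereferencing the entry.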
>
> Wasn't a requirement to not touch the fastpath at all, including even if
> only NULLifying a pointer?
>
> IIRC, Kashyap some time ago had a patch like above (but without RCU
> usage), but the request from Jens was to not touch the fastpath.
>
> Maybe I'm mistaken - I will try to dig up the thread.

Hi John,

I agree that Jens asked at the end of 2018 not to touch the fast path to
fix this use-after-free (maybe that request has been repeated more
recently). If Jens or anyone else feels strongly about not clearing
hctx->tags->rqs[rq->tag] from the fast path then I will make that
change. My motivation for clearing these pointers from the fast path is
as follows:
- This results in code that is easier to read and easier to maintain.
- Every modern CPU pipelines store instructions so the performance
  impact of adding an additional store should be small.
- Since the block layer has a tendency to reuse tags that have been
  freed recently, it is likely that hctx->tags->rqs[rq->tag] will be used
  for a next request and hence that it will have to be loaded into the CPU
  cache anyway.

Bart.