Date:   Tue, 16 Mar 2021 17:43:37 +0000
From:   John Garry <john.garry@...wei.com>
To:     Bart Van Assche <bvanassche@....org>,
        Ming Lei <ming.lei@...hat.com>
CC:     "hare@...e.de" <hare@...e.de>, "axboe@...nel.dk" <axboe@...nel.dk>,
        "hch@....de" <hch@....de>,
        "linux-block@...r.kernel.org" <linux-block@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "pragalla@...eaurora.org" <pragalla@...eaurora.org>,
        "kashyap.desai@...adcom.com" <kashyap.desai@...adcom.com>,
        yuyufen <yuyufen@...wei.com>
Subject: Re: [RFC PATCH v3 2/3] blk-mq: Freeze and quiesce all queues for
 tagset in elevator_exit()

On 16/03/2021 17:00, Bart Van Assche wrote:
> On 3/16/21 9:15 AM, John Garry wrote:
>> I'll have a look at this ASAP -  a bit busy.
>>
>> But a quick scan and I notice this:
>>
>>  > @@ -226,6 +226,7 @@ static inline void 
>> __blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
>>  >                          struct request *rq)
>>  >   {
>>  >       blk_mq_put_tag(hctx->tags, rq->mq_ctx, rq->tag);
>>  > +    rcu_assign_pointer(hctx->tags->rqs[rq->tag], NULL);
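
Review bot: the added rcu_assign_pointer() store runs after blk_mq_put_tag() has already released rq->tag, so if another context can take the same tag and fill hctx->tags->rqs[] in that window, this store would clear the new owner's entry. Consider clearing the slot before the tag is released, and add a comment naming the reader side that depends on it, since the store only protects iterators that read rqs[] with rcu_dereference() inside an RCU read-side critical section.
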
>>
>> Wasn't a requirement to not touch the fastpath at all, including even 
>> if only NULLifying a pointer?
>>
>> IIRC, Kashyap some time ago had a patch like above (but without RCU 
>> usage), but the request from Jens was to not touch the fastpath.
>>
>> Maybe I'm mistaken - I will try to dig up the thread.
> 

Hi Bart,

> 
> I agree that Jens asked at the end of 2018 not to touch the fast path to 
> fix this use-after-free (maybe that request has been repeated more 
> recently). If Jens or anyone else feels strongly about not clearing 
> hctx->tags->rqs[rq->tag] from the fast path then I will make that 
> change. 

Is that possible for this same approach? I need to check the code more...

And don't we still have the problem that some iter callbacks may 
sleep/block, which is not allowed in an RCU read-side critical section?

> My motivation for clearing these pointers from the fast path is 
> as follows:
> - This results in code that is easier to read and easier to maintain.
> - Every modern CPU pipelines store instructions so the performance 
> impact of adding an additional store should be small.
> - Since the block layer has a tendency to reuse tags that have been 
> freed recently, it is likely that hctx->tags->rqs[rq->tag] will be used 
> for a next request and hence that it will have to be loaded into the CPU 
> cache anyway.
> 

Those points make sense to me, but obviously it's the maintainer's call.

Thanks,
john
