lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 24 Aug 2023 22:44:02 +0800
From:   chengming.zhou@...ux.dev
To:     axboe@...nel.dk, hch@....de, ming.lei@...hat.com,
        bvanassche@....org, kbusch@...nel.org
Cc:     mst@...hat.com, sagi@...mberg.me, damien.lemoal@...nsource.wdc.com,
        kch@...dia.com, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org, zhouchengming@...edance.com
Subject: [PATCH 5/6] blk-mq: fix potential reorder of request state and deadline

From: Chengming Zhou <zhouchengming@...edance.com>

CPU0				CPU1
blk_mq_start_request()		blk_mq_req_expired()
  WRITE_ONCE(rq->deadline)
  WRITE_ONCE(rq->state)
				  if (READ_ONCE(rq->state) != IN_FLIGHT)
				    return
				  deadline = READ_ONCE(rq->deadline)

If CPU1 speculately reorder rq->deadline LOAD before rq->state, the
deadline will be the initial value 0.

CPU0				CPU1
blk_mq_start_request()		blk_mq_req_expired()
				  deadline = READ_ONCE(rq->deadline)
  WRITE_ONCE(rq->deadline)
  WRITE_ONCE(rq->state)
				  if (READ_ONCE(rq->state) != IN_FLIGHT)
				    return

Signed-off-by: Chengming Zhou <zhouchengming@...edance.com>
---
 block/blk-mq.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index ff1b0f3ab3a8..49cbf826b100 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1258,6 +1258,8 @@ void blk_mq_start_request(struct request *rq)
 	WARN_ON_ONCE(blk_mq_rq_state(rq) != MQ_RQ_IDLE);
 
 	blk_add_timer(rq);
+	/* Pair with smp_rmb in blk_mq_req_expired(). */
+	smp_wmb();
 	WRITE_ONCE(rq->state, MQ_RQ_IN_FLIGHT);
 	rq->mq_hctx->tags->rqs[rq->tag] = rq;
 
@@ -1568,6 +1570,12 @@ static bool blk_mq_req_expired(struct request *rq, struct blk_expired_data *expi
 	if (rq->rq_flags & RQF_TIMED_OUT)
 		return false;
 
+	/*
+	 * Order LOADs of rq->state and rq->deadline, pair with
+	 * smp_wmb in blk_mq_start_request().
+	 */
+	smp_rmb();
+
 	deadline = READ_ONCE(rq->deadline);
 	if (time_after_eq(expired->timeout_start, deadline))
 		return true;
-- 
2.41.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ