Re: [RFC PATCH v3 3/3] blk-mq: Lockout tagset iterator when exiting elevator

[John Garry]

On 10/03/2021 16:00, Bart Van Assche wrote:
> > So I can incorporate any changes and suggestions so far and send a 
> > non-RFC version - that may get more attention if none extra comes.
> >
> > As mentioned on the cover letter, if patch 2+3/3 are accepted, then 
> > patch 1/3 could be simplified. But I plan to leave as is.
> >
> > BTW, any issue with putting your suggested-by on patch 2/3?

Hi Bart,

> I have added my Reviewed-by to patch 2/3.

OK, thanks.

Please note that I still want to check further whether some of Ming's 
series "blk-mq: implement queue quiesce via percpu_ref for 
BLK_MQ_F_BLOCKING" can be used.

> Regarding the other two patches in this series: I do not agree with 
> patch 3/3. As I have explained, I am concerned that that patch breaks 
> existing block drivers.

Understood. I need to check your concern further to allay any fears.

So I could probably change that patch to drop the early return.

Instead we just need to ensure that we complete any existing calls to 
blk_mq_tagset_busy_iter() prior to freeing the IO scheduler requests. 
Then we don't need to return early and can iter as before - but, as I 
said previously, there should be no active tags to iter.

> Are patches 1/3 and 3/3 necessary? Or in other words, is patch 2/3 
> sufficient to fix the use-after-free?

No, we need them all in some form.

So far, reports are that 1/3 solves the most common seen UAF. It is 
pretty easy to trigger.

But the scenarios associated with 2/3 and 3/3 are much harder to 
trigger, and I needed to add delays in the code just to trigger them.

Thanks,
John