Re: [RFC PATCH v2 2/2] blk-mq: Lockout tagset iter when freeing rqs

[John Garry]

On 21/12/2020 18:09, Bart Van Assche wrote:
> On 12/21/20 4:06 AM, John Garry wrote:
> > On 18/12/2020 22:43, Bart Van Assche wrote:
> > > Does this mean that we do not yet have
> > > a full explanation about why the above call stack can be triggered?
> >
> > We understand it, and I'll describe my experiment in detail:
> > a. fio runs on 2x disks, sda (root partition disk) and sdb.
> > b. for sda, userpace triggers blk_mq_queue_tag_busy_iter(), as in
> > stackframe above. Since its request queue is not frozen, it will iter
> > the busy tags.
> > c. on sdb, I continuously change the IO scheduler.
> >
> > So sdb request queue gets frozen as we switch IO sched, but we could
> > have this sequence of events:
> > - blk_mq_queue_tag_busy_iter() on sda takes reference to a sdb request
> >     - Getting a tag and updating ->rqs[] in tagset is not atomic
> > - requests for sdb cleared in tagset and request memory is freed
> > - blk_mq_queue_tag_busy_iter() on sda still holds reference to sdb
> > request and dereferences it -> UAF
> >
> > Hope it's clear. It is a bit unlikely, I will admit, but it still can
> > happen and UAF is never good. So please let me know if other idea to solve.
>
> Hi John,
>
> Do you agree that all partitions (struct block_device) of a disk share a
> request queue (block_device.bd_disk->queue)? I'm asking this because it
> seems like in the above explanation it has been assumed that different
> partitions use different request queues.
>
> Thanks,
>
> Bart.

Hi Bart,

Yes, I agree, and I'm not sure what I wrote to give that impression.

About "root partition", above, I'm just saying that / is mounted on a 
sda partition:

root@ubuntu:/home/john# mount | grep sda
/dev/sda2 on / type ext4 (rw,relatime,errors=remount-ro,stripe=32)
/dev/sda1 on /boot/efi type vfat 
(rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

Thanks,
John