linux/block
Ming Lei 2e315dc07d blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
Grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter(), and
this way will prevent the request from being re-used when ->fn is
running. The approach is same as what we do during handling timeout.

Fix request use-after-free(UAF) related with completion race or queue
releasing:

- If one rq is referred before rq->q is frozen, then queue won't be
frozen before the request is released during iteration.

- If one rq is referred after rq->q is frozen, refcount_inc_not_zero()
will return false, and we won't iterate over this request.

However, still one request UAF not covered: refcount_inc_not_zero() may
read one freed request, and it will be handled in next patch.

Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210511152236.763464-3-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-05-24 06:47:22 -06:00
..
partitions block/partitions/efi.c: Fix the efi_partition() kernel-doc header 2021-05-14 09:00:06 -06:00
badblocks.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bfq-cgroup.c block, bfq: merge bursts of newly-created queues 2021-03-25 10:50:07 -06:00
bfq-iosched.c block, bfq: avoid circular stable merges 2021-05-12 07:39:23 -06:00
bfq-iosched.h block, bfq: merge bursts of newly-created queues 2021-03-25 10:50:07 -06:00
bfq-wf2q.c block, bfq: always inject I/O of queues blocked by wakers 2021-03-25 10:50:07 -06:00
bio-integrity.c block: remove BLK_BOUNCE_ISA support 2021-04-06 09:28:17 -06:00
bio.c Revert "bio: limit bio max size" 2021-05-08 21:49:48 -06:00
blk-cgroup-rwstat.c blk-cgroup: Fix the recursive blkg rwstat 2021-03-05 11:32:15 -07:00
blk-cgroup-rwstat.h blk-cgroup: separate out blkg_rwstat under CONFIG_BLK_CGROUP_RWSTAT 2019-11-07 12:28:13 -07:00
blk-cgroup.c blkcg: drop CLONE_IO check in blkcg_can_attach() 2021-05-24 06:47:21 -06:00
blk-core.c block_dump: remove block_dump feature 2021-05-24 06:47:21 -06:00
blk-crypto-fallback.c block: rename BIO_MAX_PAGES to BIO_MAX_VECS 2021-03-11 07:47:48 -07:00
blk-crypto-internal.h block: make blk_crypto_rq_bio_prep() able to fail 2020-10-05 10:47:43 -06:00
blk-crypto.c dm: support key eviction from keyslot managers of underlying devices 2021-02-11 09:45:25 -05:00
blk-exec.c block: drop removed argument from kernel-doc of blk_execute_rq() 2021-01-29 07:43:29 -07:00
blk-flush.c block: avoid double io accounting for flush request 2021-05-24 06:47:21 -06:00
blk-integrity.c block: remove the unused blk_integrity_merge_bio export 2020-10-06 07:29:53 -06:00
blk-ioc.c block: remove retry loop in ioc_release_fn() 2020-07-16 10:22:15 -06:00
blk-iocost.c blk-iocost: fix weight updates of inner active iocgs 2021-05-11 20:50:35 -06:00
blk-iolatency.c block: Remove redundant 'return' statement 2020-10-08 07:59:48 -06:00
blk-lib.c block: rename BIO_MAX_PAGES to BIO_MAX_VECS 2021-03-11 07:47:48 -07:00
blk-map.c block: remove an incorrect check from blk_rq_append_bio 2021-04-12 06:45:12 -06:00
blk-merge.c block: recalculate segment count for multi-segment discards correctly 2021-03-23 10:39:57 -06:00
blk-mq-cpumap.c blk-mq: remove the calling of local_memory_node() 2020-10-20 07:08:17 -06:00
blk-mq-debugfs-zoned.c
blk-mq-debugfs.c for-5.13/block-2021-04-27 2021-04-28 14:27:12 -07:00
blk-mq-debugfs.h
blk-mq-pci.c
blk-mq-rdma.c
blk-mq-sched.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
blk-mq-sched.h block: get rid of the trace rq insert wrapper 2021-02-22 06:37:41 -07:00
blk-mq-sysfs.c blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue 2020-10-09 12:46:28 -06:00
blk-mq-tag.c blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter 2021-05-24 06:47:22 -06:00
blk-mq-tag.h blk-mq: Relocate hctx_may_queue() 2020-09-03 15:20:47 -06:00
blk-mq-virtio.c blk-mq: Fix typo in comment 2020-03-17 20:55:21 +01:00
blk-mq.c blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter 2021-05-24 06:47:22 -06:00
blk-mq.h blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter 2021-05-24 06:47:22 -06:00
blk-pm.c scsi: block: Fix a race in the runtime power management code 2020-12-09 11:41:41 -05:00
blk-pm.h block: Remove unused blk_pm_*() function definitions 2021-02-22 06:33:48 -07:00
blk-rq-qos.c Revert "blk-rq-qos: remove redundant finish_wait to rq_qos_wait." 2020-07-15 09:33:37 -06:00
blk-rq-qos.h blk-rq-qos: fix first node deletion of rq_qos_del() 2019-10-15 10:13:13 -06:00
blk-settings.c block-5.13-2021-05-09 2021-05-09 13:25:14 -07:00
blk-stat.c blk-stat: make q->stats->lock irqsafe 2020-09-01 16:48:46 -06:00
blk-stat.h
blk-sysfs.c block: remove unneeded parenthesis from blk-sysfs 2021-05-24 06:47:21 -06:00
blk-throttle.c block: store a block_device pointer in struct bio 2021-01-24 18:17:20 -07:00
blk-timeout.c block: blk-timeout: delete duplicated word 2020-07-31 16:29:47 -06:00
blk-wbt.c blk: wbt: remove unused parameter from wbt_should_throttle 2021-01-26 13:13:00 -07:00
blk-wbt.h blk-wbt: remove wbt_update_limits 2020-05-29 16:30:39 -06:00
blk-zoned.c blk-zoned: Remove the definition of blk_zone_start() 2021-04-07 14:31:45 -06:00
blk.h block: refactor blk_drop_partitions 2021-04-08 10:24:36 -06:00
bounce.c block: stop calling blk_queue_bounce for passthrough requests 2021-04-06 09:28:18 -06:00
bsg-lib.c block: drop double zeroing 2020-09-23 09:18:13 -06:00
bsg.c block: remove unnecessary argument from blk_execute_rq 2021-01-24 21:52:39 -07:00
cmdline-parser.c
elevator.c blk-mq: set default elevator as deadline in case of hctx shared tagset 2021-04-07 10:15:23 -06:00
genhd.c block: prevent block device lookups at the beginning of del_gendisk 2021-05-20 07:59:35 -06:00
ioctl.c block: return -EBUSY when there are open partitions in blkdev_reread_part 2021-04-21 10:49:37 -06:00
ioprio.c block: Fix sys_ioprio_set(.which=IOPRIO_WHO_PGRP) task iteration 2021-04-08 13:43:53 -06:00
Kconfig blk-wbt: Remove obsolete multiqueue I/O scheduling comment 2020-09-01 16:49:26 -06:00
Kconfig.iosched treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
keyslot-manager.c - Fix DM integrity's HMAC support to provide enhanced security of 2021-02-22 10:22:54 -08:00
kyber-iosched.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
Makefile blk-mq: merge blk-softirq.c into blk-mq.c 2020-06-24 09:15:56 -06:00
mq-deadline.c kyber: fix out of bounds access when preempted 2021-05-11 08:12:14 -06:00
opal_proto.h block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
scsi_ioctl.c block: Remove an obsolete comment from sg_io() 2021-04-13 11:23:52 -06:00
sed-opal.c block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
t10-pi.c block: Allow t10-pi to be modular 2020-01-06 20:59:04 -07:00