blk-mq: clearing flush request reference in tags->rqs[]

stable inclusion from stable-5.10.64 commit 798679af7978bf4d9df1a907fd4100d4c1f90c03 bugzilla: 182256 https://gitee.com/openeuler/kernel/issues/I4EG0U Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=798679af7978bf4d9df1a907fd4100d4c1f90c03 -------------------------------- commit 364b6181 upstream. Before we free request queue, clearing flush request reference in tags->rqs[], so that potential UAF can be avoided. Based on one patch written by David Jeffery. Tested-by: N John Garry <john.garry@huawei.com> Reviewed-by: N Bart Van Assche <bvanassche@acm.org> Reviewed-by: N David Jeffery <djeffery@redhat.com> Signed-off-by: N Ming Lei <ming.lei@redhat.com> Link: https://lore.kernel.org/r/20210511152236.763464-5-ming.lei@redhat.comSigned-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

blk-mq: clearing flush request reference in tags->rqs[]
stable inclusion from stable-5.10.64 commit 798679af7978bf4d9df1a907fd4100d4c1f90c03 bugzilla: 182256 https://gitee.com/openeuler/kernel/issues/I4EG0U Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=798679af7978bf4d9df1a907fd4100d4c1f90c03 -------------------------------- commit 364b6181 upstream. Before we free request queue, clearing flush request reference in tags->rqs[], so that potential UAF can be avoided. Based on one patch written by David Jeffery. Tested-by: N John Garry <john.garry@huawei.com> Reviewed-by: N Bart Van Assche <bvanassche@acm.org> Reviewed-by: N David Jeffery <djeffery@redhat.com> Signed-off-by: N Ming Lei <ming.lei@redhat.com> Link: https://lore.kernel.org/r/20210511152236.763464-5-ming.lei@redhat.comSigned-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
dcf12397 · Ming Lei · Zheng Zengkai · 86aaad4c · dcf12397
隐藏空白更改
内联并排

Showing with 34 addition and 1 deletion

block/blk-mq.c block/blk-mq.c +34 -1

未找到文件。
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2588,16 +2588,49 @@ static void blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx)
 					    &hctx->cpuhp_dead);
 }

+/*
+ * Before freeing hw queue, clearing the flush request reference in
+ * tags->rqs[] for avoiding potential UAF.
+ */
+static void blk_mq_clear_flush_rq_mapping(struct blk_mq_tags *tags,
+		unsigned int queue_depth, struct request *flush_rq)
+{
+	int i;
+	unsigned long flags;
+
+	/* The hw queue may not be mapped yet */
+	if (!tags)
+		return;
+
+	WARN_ON_ONCE(refcount_read(&flush_rq->ref) != 0);
+
+	for (i = 0; i < queue_depth; i++)
+		cmpxchg(&tags->rqs[i], flush_rq, NULL);
+
+	/*
+	 * Wait until all pending iteration is done.
+	 *
+	 * Request reference is cleared and it is guaranteed to be observed
+	 * after the ->lock is released.
+	 */
+	spin_lock_irqsave(&tags->lock, flags);
+	spin_unlock_irqrestore(&tags->lock, flags);
+}
+
 /* hctx->ctxs will be freed in queue's release handler */
 static void blk_mq_exit_hctx(struct request_queue *q,
 		struct blk_mq_tag_set *set,
 		struct blk_mq_hw_ctx *hctx, unsigned int hctx_idx)
 {
+	struct request *flush_rq = hctx->fq->flush_rq;
+
 	if (blk_mq_hw_queue_mapped(hctx))
 		blk_mq_tag_idle(hctx);

+	blk_mq_clear_flush_rq_mapping(set->tags[hctx_idx],
+			set->queue_depth, flush_rq);
 	if (set->ops->exit_request)
-		set->ops->exit_request(set, hctx->fq->flush_rq, hctx_idx);
+		set->ops->exit_request(set, flush_rq, hctx_idx);

 	if (set->ops->exit_hctx)
 		set->ops->exit_hctx(hctx, hctx_idx);