[v5,05/10] blk-mq: Unregister debugfs attributes earlier

Message ID	20170425203745.19946-6-bart.vanassche@sandisk.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-block-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates 63.163.107.21 as permitted sender) receiver=protection.outlook.com; client-ip=63.163.107.21; helo=milsmgep15.sandisk.com; From: Bart Van Assche <bart.vanassche@sandisk.com> To: Jens Axboe <axboe@kernel.dk> CC: <linux-block@vger.kernel.org>, Bart Van Assche <bart.vanassche@sandisk.com> Subject: [PATCH v5 05/10] blk-mq: Unregister debugfs attributes earlier Date: Tue, 25 Apr 2017 13:37:40 -0700 Message-ID: <20170425203745.19946-6-bart.vanassche@sandisk.com> In-Reply-To: <20170425203745.19946-1-bart.vanassche@sandisk.com> References: <20170425203745.19946-1-bart.vanassche@sandisk.com> MIME-Version: 1.0 Content-Type: text/plain WDCIPOUTBOUND: EOP-TRUE X-Microsoft-Exchange-Diagnostics: 1; BLUPR04MB884; 20:yIDFL22hbIWFh0HZqimYqbhhSUsoaG1ipsDgZ/dMh7zBOGjtDLciRQRD+QIge88TkTivY0SjW1zH5lQNyn++1KYgFYpj44VxKxssIxzDWu8g9cB5yJ6XZrEPWwKeqM2XdOiMkwnTVYurT7KQlWQBc12NhRbTjWsBzWKa9tmjukWSKXoVquW2RB3Hr6Lfb8HQxYIZP7Y39gKc40Chc7QqJKl8cqQpBMK4J6aK1C3OryIssJRcycydK5ta64J2vdl0S5k5E0CPMH9kvilg5adTkgyeraX79vS19mvbPIb2ZP/lrQYSaFAEjFM1E4iPhZ6Une7V44FU4Gga8/ar5Psd7pBr2qOTRhmVYN95bd3rBT7E4ts3nvbVqG9UGZ1ev2KopulKPIWoN/VcB1wnFvymblfjjWb6l3Db7ku8oQzmc6cUYev9kEqlB3vtdUJgITSA2PPnXihoCGxzz+sj/BVkCjhQ+yAc4w//NQ6WxOOsowCZDmImhFwUPGmYEVY0y6YP SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; BLUPR04MB884; 7:JIyPsMxupL3dnYZGSjfuhTHmokn8k87Ukoz8l3RXJu5An15pg1gny7OQPS0FzNOLBTdwOGmFpx4AbgtmHG2AIpq6lO+G11qBuH1fxU+J42YiYW6dx9zhvOn6Egfrla2R4hXFOCFNQRURTkoBzi4GLOpc1VquF9ZFN2x2Hv5rTviGnfU4i3wzjNT1FPuallJ0S9+kHbZbx36Om1OVIG7OJpvYroivr8t6QzY0zlvaKa4mn2TBWETUlnm0n6L+TC0KTTnLWIJfHC6t8xDfIzscotuDqjmRVMgNds8wvqQiYGj/dr1I8CCFnwy5JHgQ8xzNqzPT9uWqeOFFBQ/k/XBxNA==; 20:+lcPgezjt+F/XDmH/1DsmhxF7VtJpapCXCUviJZKy3PCD0CJieSWb1OebB5xXsUTTx3Ia72HX0kXI2lu1RlVLT+AJE/ucevfd9tYGDjOFyo8WH7HEO97tJ0wsxXgqh0+l6QW2UQV6qDJlZaObtLCwHNEnEtfVT5ea9NtbxRTgq0= Sender: linux-block-owner@vger.kernel.org Precedence: bulk

Bart Van Assche April 25, 2017, 8:37 p.m. UTC

One of the debugfs attributes allows to run a queue. Since running
a queue after a queue has entered the "dead" state is not allowed
and triggers a use-after-free, unregister the debugfs attributes
before a queue reaches the "dead" state.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Omar Sandoval <osandov@fb.com>
---
 block/blk-core.c | 5 +++++
 1 file changed, 5 insertions(+)

Omar Sandoval April 25, 2017, 9:30 p.m. UTC | #1

On Tue, Apr 25, 2017 at 01:37:40PM -0700, Bart Van Assche wrote:
> One of the debugfs attributes allows to run a queue. Since running
> a queue after a queue has entered the "dead" state is not allowed
> and triggers a use-after-free, unregister the debugfs attributes
> before a queue reaches the "dead" state.

Still not happy with this commit message. I'd prefer:

We currently call blk_mq_free_queue() from blk_cleanup_queue() before we
unregister the debugfs attributes for that queue in blk_release_queue().
This leaves a window open during which accessing most of the mq debugfs
attributes would cause a use-after-free. Additionally, the "state"
attribute allows running the queue, which we should not do after the
queue has entered the "dead" state. Fix both of these cases by
unregistering the debugfs attributes before this.

Jens, could you ack that dropping the lock is okay?

> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
> Reviewed-by: Hannes Reinecke <hare@suse.com>
> Reviewed-by: Omar Sandoval <osandov@fb.com>
> ---
>  block/blk-core.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/block/blk-core.c b/block/blk-core.c
> index a49b0830aaaf..33c91a4bee97 100644
> --- a/block/blk-core.c
> +++ b/block/blk-core.c
> @@ -566,6 +566,11 @@ void blk_cleanup_queue(struct request_queue *q)
>  	spin_lock_irq(lock);
>  	if (!q->mq_ops)
>  		__blk_drain_queue(q, true);
> +	spin_unlock_irq(lock);
> +
> +	blk_mq_debugfs_unregister_mq(q);
> +
> +	spin_lock_irq(lock);
>  	queue_flag_set(QUEUE_FLAG_DEAD, q);
>  	spin_unlock_irq(lock);
>  
> -- 
> 2.12.2
>

Jens Axboe April 25, 2017, 9:41 p.m. UTC | #2

On 04/25/2017 02:30 PM, Omar Sandoval wrote:
> On Tue, Apr 25, 2017 at 01:37:40PM -0700, Bart Van Assche wrote:
>> One of the debugfs attributes allows to run a queue. Since running
>> a queue after a queue has entered the "dead" state is not allowed
>> and triggers a use-after-free, unregister the debugfs attributes
>> before a queue reaches the "dead" state.
> 
> Still not happy with this commit message. I'd prefer:
> 
> We currently call blk_mq_free_queue() from blk_cleanup_queue() before we
> unregister the debugfs attributes for that queue in blk_release_queue().
> This leaves a window open during which accessing most of the mq debugfs
> attributes would cause a use-after-free. Additionally, the "state"
> attribute allows running the queue, which we should not do after the
> queue has entered the "dead" state. Fix both of these cases by
> unregistering the debugfs attributes before this.
> 
> Jens, could you ack that dropping the lock is okay?

Looks fine to me. However, I think there's room for improvement here.
Why don't we just make it:

	if (!q->mq_ops) {
		spin_lock_irq(lock);
		__blk_drain_queue(q, true);
	} else {
		blk_mq_debugfs_unregister_mq(q);
		spin_lock_irq(lock);
	}

	queue_flag_set(QUEUE_FLAG_DEAD, q);
	[...]

Would seem much more readable to me, and less dropping/acquiring for
cases where we don't need it.

Bart Van Assche April 25, 2017, 10:24 p.m. UTC | #3

On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
> On Tue, Apr 25, 2017 at 01:37:40PM -0700, Bart Van Assche wrote:
> > One of the debugfs attributes allows to run a queue. Since running
> > a queue after a queue has entered the "dead" state is not allowed
> > and triggers a use-after-free, unregister the debugfs attributes
> > before a queue reaches the "dead" state.
> 
> Still not happy with this commit message. I'd prefer:
> 
> We currently call blk_mq_free_queue() from blk_cleanup_queue() before we
> unregister the debugfs attributes for that queue in blk_release_queue().
> This leaves a window open during which accessing most of the mq debugfs
> attributes would cause a use-after-free. Additionally, the "state"
> attribute allows running the queue, which we should not do after the
> queue has entered the "dead" state. Fix both of these cases by
> unregistering the debugfs attributes before this.

Hello Omar,

That's a very verbose description. How about this?

    Unregister the debugfs attributes before freeing of request queue
    resources starts to avoid that a use-after-free can be triggered
    through one of the debugfs attributes.

Bart.

Jens Axboe April 25, 2017, 10:29 p.m. UTC | #4

On 04/25/2017 03:24 PM, Bart Van Assche wrote:
> On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
>> On Tue, Apr 25, 2017 at 01:37:40PM -0700, Bart Van Assche wrote:
>>> One of the debugfs attributes allows to run a queue. Since running
>>> a queue after a queue has entered the "dead" state is not allowed
>>> and triggers a use-after-free, unregister the debugfs attributes
>>> before a queue reaches the "dead" state.
>>
>> Still not happy with this commit message. I'd prefer:
>>
>> We currently call blk_mq_free_queue() from blk_cleanup_queue() before we
>> unregister the debugfs attributes for that queue in blk_release_queue().
>> This leaves a window open during which accessing most of the mq debugfs
>> attributes would cause a use-after-free. Additionally, the "state"
>> attribute allows running the queue, which we should not do after the
>> queue has entered the "dead" state. Fix both of these cases by
>> unregistering the debugfs attributes before this.
> 
> Hello Omar,
> 
> That's a very verbose description. How about this?
> 
>     Unregister the debugfs attributes before freeing of request queue
>     resources starts to avoid that a use-after-free can be triggered
>     through one of the debugfs attributes.

Personally I find Omar's commit message much cleaner to read, and
more easily understandable. We really don't need to be laconic in
commit messages.

Omar Sandoval April 25, 2017, 10:30 p.m. UTC | #5

On Tue, Apr 25, 2017 at 10:24:48PM +0000, Bart Van Assche wrote:
> On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
> > On Tue, Apr 25, 2017 at 01:37:40PM -0700, Bart Van Assche wrote:
> > > One of the debugfs attributes allows to run a queue. Since running
> > > a queue after a queue has entered the "dead" state is not allowed
> > > and triggers a use-after-free, unregister the debugfs attributes
> > > before a queue reaches the "dead" state.
> > 
> > Still not happy with this commit message. I'd prefer:
> > 
> > We currently call blk_mq_free_queue() from blk_cleanup_queue() before we
> > unregister the debugfs attributes for that queue in blk_release_queue().
> > This leaves a window open during which accessing most of the mq debugfs
> > attributes would cause a use-after-free. Additionally, the "state"
> > attribute allows running the queue, which we should not do after the
> > queue has entered the "dead" state. Fix both of these cases by
> > unregistering the debugfs attributes before this.
> 
> Hello Omar,
> 
> That's a very verbose description. How about this?
> 
>     Unregister the debugfs attributes before freeing of request queue
>     resources starts to avoid that a use-after-free can be triggered
>     through one of the debugfs attributes.
> 
> Bart.

Are you aware that there is nothing wrong with a descriptive commit
message?

Bart Van Assche April 26, 2017, 8:32 p.m. UTC | #6

On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
> Jens, could you ack that dropping the lock is okay?

Hello Omar,

If you have a look at the block layer history then you will see that the
current approach for shutting down block layer queues is an approach that
I had introduced myself. See also commits 3f3299d5c026, 807592a4fafb and
c246e80d8673.

Bart.

Jens Axboe April 26, 2017, 8:37 p.m. UTC | #7

On 04/26/2017 01:32 PM, Bart Van Assche wrote:
> On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
>> Jens, could you ack that dropping the lock is okay?
> 
> Hello Omar,
> 
> If you have a look at the block layer history then you will see that the
> current approach for shutting down block layer queues is an approach that
> I had introduced myself. See also commits 3f3299d5c026, 807592a4fafb and
> c246e80d8673.

Bart, did you see my reply on the topic?

Omar Sandoval April 26, 2017, 8:37 p.m. UTC | #8

On Wed, Apr 26, 2017 at 08:32:31PM +0000, Bart Van Assche wrote:
> On Tue, 2017-04-25 at 14:30 -0700, Omar Sandoval wrote:
> > Jens, could you ack that dropping the lock is okay?
> 
> Hello Omar,
> 
> If you have a look at the block layer history then you will see that the
> current approach for shutting down block layer queues is an approach that
> I had introduced myself. See also commits 3f3299d5c026, 807592a4fafb and
> c246e80d8673.
> 
> Bart.

Thanks for the reference. Jens' suggestion looks the cleanest to me.

Bart Van Assche April 26, 2017, 8:38 p.m. UTC | #9

On Tue, 2017-04-25 at 14:41 -0700, Jens Axboe wrote:
> Looks fine to me. However, I think there's room for improvement here.
> Why don't we just make it:
> 
> 	if (!q->mq_ops) {
> 		spin_lock_irq(lock);
> 		__blk_drain_queue(q, true);
> 	} else {
> 		blk_mq_debugfs_unregister_mq(q);
> 		spin_lock_irq(lock);
> 	}
> 
> 	queue_flag_set(QUEUE_FLAG_DEAD, q);
> 	[...]
> 
> Would seem much more readable to me, and less dropping/acquiring for
> cases where we don't need it.

Hello Jens,

This looks fine to me. I will update the patch.

Bart.

[v5,05/10] blk-mq: Unregister debugfs attributes earlier

Commit Message

Comments

Patch