Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp30114pxf;
        Wed, 31 Mar 2021 15:39:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzucm/oXML7k4bRdfivqZcx/DEp5HaUc4dEjQs8JVTbvb+m2TbXwyaYAIyAULIMT5SwDgOD
X-Received: by 2002:aa7:c98f:: with SMTP id c15mr6605240edt.231.1617230351981;
        Wed, 31 Mar 2021 15:39:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617230351; cv=none;
        d=google.com; s=arc-20160816;
        b=I2x59HxtApP9vieZfyR0vcWH9GB1R6BsJWjKrKLI9dxoEG+n5eL4BwpX4aFFeMIjUJ
         oFH7LiTgDJzIG10TZ9hgOn5lqGGP3BVHncrC/Qi10z4NalIMzoGMjNooqYWMC/079/cS
         uflsDtBStP8spZMhaR7kk69C25MWjgTFY7tawcGIg6SKqmZdCMgNF1x2/Dm/TJu0dvz4
         oH/FJXCEEwZMirSyuVdrlRs4FiUv4B8BSvmudj/5ygDmCseqIcuLmHgTbK6/XlRXKI3L
         My6cEtKCvQZd4tCI4iypUP+N5UXrzVnMk3930cPnknSS6jTFgscUWbxJRLCD3zPvy1Vi
         Ztew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=+C5LPs0kaCkAOGtyUr9wjTwxTgqJsfzOVQYj3EvBqCI=;
        b=eFaIPRidlvolwQQLRhf6ikb9GkMFLz5EEBfxLR3WfNvWYpobhC2kE7DLNTrCKi6bmI
         v6NH/WuwRVMgx9x6YQ/six8RQ09Z2gZwb7bxbxu8JcbvhqBtnX2G0u1OWzsAw5n1mYNZ
         kBQ8miPJRaipB/yk0XebhpM25r+6WH4jJaWu5LSPNp4JUEJNz4158Tgl3tEDzNzmr5+z
         UxCBcZCN8XG6IT21tQBM4Tm5JIojEERyrebaDk1XX4RnSVt/V0OaiJCX05WFXSc45ys9
         oYFRc78uKggGmV1FFY3YyZqvKH46cin3xVkBzqRVnD3PjcvFBwG99atQmKueVo11K6a3
         reqw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a21si2733208ejr.620.2021.03.31.15.38.48;
        Wed, 31 Mar 2021 15:39:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231676AbhCaWhe (ORCPT <rfc822;mahongyuan1997@gmail.com>
        + 99 others); Wed, 31 Mar 2021 18:37:34 -0400
Received: from mail-qk1-f171.google.com ([209.85.222.171]:42579 "EHLO
        mail-qk1-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230380AbhCaWhZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Mar 2021 18:37:25 -0400
Received: by mail-qk1-f171.google.com with SMTP id y5so399107qkl.9
        for <linux-kernel@vger.kernel.org>; Wed, 31 Mar 2021 15:37:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=+C5LPs0kaCkAOGtyUr9wjTwxTgqJsfzOVQYj3EvBqCI=;
        b=Ih70V0q5qnh233mEVhOTZnqYNsDR5H1ncJgMAkZGEgDMl4ploRp+74tgO4jmEpLyGS
         f5XoDaeW/agc5q6/M0kuhoVcd4GuEK+c8iks5KwR+PiVFJK54M7KgQcR5v0xdeGyg6iV
         Ui0tn0sWhcRHJ+FuYQTbXYPV6I9d4SkHFfdT9PpYwU8bDcAF0II6pO6wyKZAREtnjH13
         tn4j3roDrNwRfcy3NpWAUWa2g348mC1kc+14CWBLIaFtcyfRwELs4EQvUI5V4DqEXLcH
         HLY6uPd5krkB0AshVRXYONjJz5WnpBj1VuS42KlK1c4y9mMyaYuWDw33GjOb0dbVbXMP
         9Nng==
X-Gm-Message-State: AOAM531gB3Kf8PS8TrDyaOd4GoXN2oh1c1U7NL3Mibl1KzoAz1cSAT9g
        3d8CIJFI6JSwB6y8sv5cKFE=
X-Received: by 2002:a37:bc45:: with SMTP id m66mr5692073qkf.82.1617230244711;
        Wed, 31 Mar 2021 15:37:24 -0700 (PDT)
Received: from ?IPv6:2600:1700:65a0:78e0:6302:5415:8f3:c3fc? ([2600:1700:65a0:78e0:6302:5415:8f3:c3fc])
        by smtp.gmail.com with ESMTPSA id j18sm2387930qtl.83.2021.03.31.15.37.23
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 31 Mar 2021 15:37:24 -0700 (PDT)
Subject: Re: [PATCH v2] nvme-tcp: Check if request has started before
 processing it
To:     Keith Busch <kbusch@kernel.org>
Cc:     "Ewan D. Milne" <emilne@redhat.com>,
        Daniel Wagner <dwagner@suse.de>,
        linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
        Jens Axboe <axboe@fb.com>, Hannes Reinecke <hare@suse.de>,
        Christoph Hellwig <hch@lst.de>
References: <20210301175601.116405-1-dwagner@suse.de>
 <6b51a989-5551-e243-abda-5872411ec3ff@grimberg.me>
 <20210311094345.ogm2lxqfuszktuhp@beryllium.lan>
 <70af5b02-10c1-ab0b-1dfc-5906216871b4@grimberg.me>
 <2fc7a320c86f75507584453dd2fbd744de5c170d.camel@redhat.com>
 <ed3ccac0-79ed-fe10-89eb-d403820b4c6a@grimberg.me>
 <20210330232813.GA1935968@dhcp-10-100-145-180.wdc.com>
From:   Sagi Grimberg <sagi@grimberg.me>
Message-ID: <756aef10-e693-276f-82ac-514a2832b07f@grimberg.me>
Date:   Wed, 31 Mar 2021 15:37:22 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <20210330232813.GA1935968@dhcp-10-100-145-180.wdc.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


>>>> It is, but in this situation, the controller is sending a second
>>>> completion that results in a use-after-free, which makes the
>>>> transport irrelevant. Unless there is some other flow (which is
>>>> unclear
>>>> to me) that causes this which is a bug that needs to be fixed rather
>>>> than hidden with a safeguard.
>>>>
>>>
>>> The kernel should not crash regardless of any network traffic that is
>>> sent to the system.  It should not be possible to either intentionally
>>> of mistakenly contruct packets that will deny service in this way.
>>
>> This is not specific to nvme-tcp. I can build an rdma or pci controller
>> that can trigger the same crash... I saw a similar patch from Hannes
>> implemented in the scsi level, and not the individual scsi transports..
> 
> If scsi wants this too, this could be made generic at the blk-mq level.
> We just need to make something like blk_mq_tag_to_rq(), but return NULL
> if the request isn't started.

Makes sense...

>> I would also mention, that a crash is not even the scariest issue that
>> we can see here, because if the request happened to be reused we are
>> in the silent data corruption realm...
> 
> If this does happen, I think we have to come up with some way to
> mitigate it. We're not utilizing the full 16 bits of the command_id, so
> maybe we can append something like a generation sequence number that can
> be checked for validity.

That's actually a great idea. scsi needs unique tags so it encodes the
hwq in the upper 16 bits giving the actual tag the lower 16 bits which
is more than enough for a single queue. We can do the same with
a gencnt that will increment in both submission and completion and we
can validate against it.

This will be useful for all transports, so maintaining it in
nvme_req(rq)->genctr and introducing a helper like:
rq = nvme_find_tag(tagset, cqe->command_id)
That will filter genctr, locate the request.

Also:
nvme_validate_request_gen(rq, cqe->command_id) that would
compare against it.


And then a helper to set the command_id like:
cmd->common.command_id = nvme_request_command_id(rq)
that will both increment the genctr and build a command_id
from it.

Thoughts?