From: Jens Axboe
To: ming.lei@redhat.com, chengming.zhou@linux.dev
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Chengming Zhou, Yi Zhang
In-Reply-To: <20230908005702.2183908-1-chengming.zhou@linux.dev>
References: <20230908005702.2183908-1-chengming.zhou@linux.dev>
Subject: Re: [PATCH] blk-mq: fix tags UAF when shrink nr_hw_queues
Message-Id: <169470755284.1974464.819655197479037967.b4-ty@kernel.dk>
Date: Thu, 14 Sep 2023 10:05:52 -0600

On Fri, 08 Sep 2023 08:57:02 +0800, chengming.zhou@linux.dev wrote:
> When nr_hw_queues shrink, we free the excess tags before realloc
> hw_ctxs for each queue, during that we may need to access those
> tags, like blk_mq_tag_idle(hctx) will access queue shared tags.
>
> So slab-use-after-free caused and reported by KASAN. Fix it by
> moving the releasing of excess tags to the end.
>
> [...]

Applied, thanks!

[1/1] blk-mq: fix tags UAF when shrink nr_hw_queues
      (no commit info)

Best regards,
-- 
Jens Axboe