On Wed, Jan 08, 2025 at 06:31:15PM +0800, Ming Lei wrote:
> > - if (!(q->limits.features & BLK_FEAT_POLL) &&
> > - (bio->bi_opf & REQ_POLLED)) {
> > + if ((bio->bi_opf & REQ_POLLED) && !bdev_can_poll(bdev)) {
>
> submit_bio_noacct() is called without grabbing .q_usage_counter,
> so tagset may be freed now, then use-after-free on q->tag_set?

Indeed. That also means the previous check wasn't reliable either.
I think we can simply move the check into
blk_mq_submit_bio/__submit_bio which means we'll do a bunch more
checks before we eventually fail, but otherwise it'll work the same.
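
Review bot: the added `bdev_can_poll(bdev)` call on the `+` line runs in submit_bio_noacct(), which the thread notes is entered without holding .q_usage_counter, so whatever the helper reads through the queue (q->tag_set is the field named above) has no lifetime guarantee at this point. The removed `q->limits.features & BLK_FEAT_POLL` test had the same problem, so restoring it is not a fix. The REQ_POLLED check should run only after the queue reference has been taken, as proposed for blk_mq_submit_bio/__submit_bio, and the helper should carry a comment stating that callers must hold q_usage_counter so the check is not hoisted back into an unreferenced path later.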