On Mon, Feb 03, 2020 at 01:07:48PM -0800, Bijan Mottahedeh wrote:
> My concern is with the code below for the single bio async case:
>
> 	qc = submit_bio(bio);
>
> 	if (polled)
> 		WRITE_ONCE(iocb->ki_cookie, qc);
>
> The bio/dio can be freed before the cookie is written which is what I'm
> seeing, and I thought this may lead to a scenario where that iocb request
> could be completed, freed, reallocated, and resubmitted in io_uring layer;
> i.e., I thought the cookie could be written into the wrong iocb.

I think we do have a potential use after free of the iocb here.  But
taking a bio reference isn't going to help with that, as the iocb and
bio/dio life times are unrelated.

I vaguely remember having that discussion with Jens a while ago, and
tried to pass a pointer to the qc to submit_bio so that we can set it
at submission time, but he came up with a reason why that might not
be required.  I'd have to dig out all notes unless Jens remembers
better.