On 3/11/20 4:37 AM, Sahitya Tummala wrote:
> There is a potential race between ioc_release_fn() and
> ioc_clear_queue() as shown below, due to which the kernel
> crash below is observed. It can also result in a use-after-free
> issue.
>
> context#1:                              context#2:
> ioc_release_fn()                        __ioc_clear_queue() gets the same icq
> ->spin_lock(&ioc->lock);                ->spin_lock(&ioc->lock);
> ->ioc_destroy_icq(icq);
>   ->list_del_init(&icq->q_node);
>   ->call_rcu(&icq->__rcu_head,
>              icq_free_icq_rcu);
> ->spin_unlock(&ioc->lock);
>                                         ->ioc_destroy_icq(icq);
>                                           ->hlist_del_init(&icq->ioc_node);
>                                           This results in the crash below, as this memory
>                                           is now used by icq->__rcu_head in context#1.
>                                           There is a chance that icq could be freed
>                                           as well.
>
> 22150.386550: <6> Unable to handle kernel write to read-only memory
> at virtual address ffffffaa8d31ca50

Fix looks good to me, applied.

-- 
Jens Axboe
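A userspace C model of the interleaving in the quoted report, added here and not part of the thread or of the kernel's own code. It assumes, as the "memory is now used by icq->__rcu_head" line implies, that ioc_node and __rcu_head share storage, and the `destroyed` guard flag is a hypothetical mitigation used to contrast the two outcomes, not the patch that was applied.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-ins for the kernel list and RCU types. */
struct node { struct node *next, *prev; };
struct rcu_head { void (*func)(struct rcu_head *); struct rcu_head *next; };

/* Simplified io_cq; the overlap of ioc_node and __rcu_head is an
 * assumption drawn from the crash description in the report. */
struct icq {
    struct node q_node;              /* linked on the request_queue */
    union {
        struct node ioc_node;        /* linked on the io_context */
        struct rcu_head __rcu_head;  /* reused once the free is queued */
    };
    bool destroyed;                  /* hypothetical guard, not the patch */
};

static struct rcu_head *rcu_queue;   /* pending callbacks, newest first */

static void del_init(struct node *n) { n->next = n->prev = n; }
static void icq_free_icq_rcu(struct rcu_head *h) { (void)h; }
static void call_rcu(struct rcu_head *h, void (*fn)(struct rcu_head *))
{ h->func = fn; h->next = rcu_queue; rcu_queue = h; }

/* Teardown as the report lists it: unlink, then queue the RCU free.
 * With guarded set, a second caller on the same icq returns at once. */
static void ioc_destroy_icq(struct icq *icq, bool guarded)
{
    if (guarded && icq->destroyed)
        return;
    icq->destroyed = true;
    del_init(&icq->ioc_node);        /* scribbles over a queued rcu_head */
    del_init(&icq->q_node);
    call_rcu(&icq->__rcu_head, icq_free_icq_rcu);
}

/* Replay context#1 then context#2 serially (each held ioc->lock in turn),
 * then walk the RCU queue the way a callback batch would. Returns the
 * number of callbacks found, or -1 if an entry is corrupted or loops. */
int pending_rcu_callbacks_after_race(bool guarded)
{
    struct icq icq = { .destroyed = false };
    int n = 0;

    rcu_queue = NULL;
    ioc_destroy_icq(&icq, guarded);  /* context#1: ioc_release_fn() */
    ioc_destroy_icq(&icq, guarded);  /* context#2: __ioc_clear_queue() */
    for (struct rcu_head *h = rcu_queue; h; h = h->next)
        if (h->func != icq_free_icq_rcu || ++n > 8)
            return -1;
    return n;
}
```

Without the guard the second hlist_del_init rewrites the queued rcu_head and the second call_rcu links it to itself, so the walk never terminates; with the guard exactly one callback is queued.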