On 3/19/20 5:18 AM, Zhiqiang Liu wrote: > > In bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is > not in bfqd-lock critical section. The bfqq, which is not > equal to NULL in bfq_idle_slice_timer, may be freed after passing > to bfq_idle_slice_timer_body. So we will access the freed memory. > > In addition, considering the bfqq may be in race, we should > firstly check whether bfqq is in service before doing something > on it in bfq_idle_slice_timer_body func. If the bfqq in race is > not in service, it means the bfqq has been expired through > __bfq_bfqq_expire func, and wait_request flags has been cleared in > __bfq_bfqd_reset_in_service func. So we do not need to re-clear the > wait_request of bfqq which is not in service. Applied, thanks. -- Jens Axboe
