On 3/16/21 10:43 AM, John Garry wrote:
> On 16/03/2021 17:00, Bart Van Assche wrote:
>> I agree that Jens asked at the end of 2018 not to touch the fast path
>> to fix this use-after-free (maybe that request has been repeated more
>> recently). If Jens or anyone else feels strongly about not clearing
>> hctx->tags->rqs[rq->tag] from the fast path then I will make that change.
>
> Is that possible for this same approach? I need to check the code more..

If the fast path should not be modified, I'm considering borrowing patch 1/3
from your patch series and adding an rcu_barrier() between the code that
clears the request pointers and the code that frees the scheduler requests.

> And don't we still have the problem that some iter callbacks may
> sleep/block, which is not allowed in an RCU read-side critical section?

Thanks for having brought this up. Since none of the functions that iterate
over requests should be called from the hot path of a block driver, I think
that we can use srcu_read_(un|)lock() inside bt_iter() and bt_tags_iter()
instead of rcu_read_(un|)lock().

Bart.
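The ordering Bart proposes (clear the request pointers, wait out a grace period, only then free the scheduler requests) and the reason he reaches for SRCU (the iteration callbacks may sleep) can be modelled outside the kernel. The following is an added userspace example, not code from this thread, from either patch series, or from the kernel: `toy_srcu` is a constructed stand-in that only mimics the reader-counting semantics of SRCU, `struct tagset` stands in for `hctx->tags->rqs[]`, and `iterate_tags()` is shaped like `bt_iter()`. A `freed` flag on the request records a use-after-free instead of touching freed memory, so the model stays safe to run.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_TAGS 4

/* Constructed stand-in for struct request; `freed` lets the model detect a
 * use-after-free instead of actually touching freed memory. */
struct request {
	int tag;
	bool freed;
};

/* Toy SRCU (assumption: mimics the kernel's semantics, not its code). One
 * reader counter per epoch: readers bump the active epoch on lock and drop
 * it on unlock; the writer flips the epoch and may only free once the old
 * epoch has drained to zero. Nothing here disables preemption, so a reader
 * is free to sleep, which is what the iter callbacks need. */
struct toy_srcu {
	int active;
	int readers[2];
};

static int toy_srcu_read_lock(struct toy_srcu *s)
{
	int idx = s->active;

	s->readers[idx]++;
	return idx;
}

static void toy_srcu_read_unlock(struct toy_srcu *s, int idx)
{
	s->readers[idx]--;
}

/* Begin a grace period: readers arriving from now on use the other epoch. */
static void toy_srcu_start_gp(struct toy_srcu *s)
{
	s->active = !s->active;
}

/* True once no reader remains in the epoch the writer is waiting out. */
static bool toy_srcu_gp_done(const struct toy_srcu *s)
{
	return s->readers[!s->active] == 0;
}

/* Constructed stand-in for hctx->tags->rqs[] plus its SRCU state. */
struct tagset {
	struct request *rqs[NR_TAGS];
	struct toy_srcu srcu;
};

/* Reader side, shaped like bt_iter(): walk the table under the SRCU read
 * lock and count live requests. Kernel code would rcu_dereference() here. */
static int iterate_tags(struct tagset *ts)
{
	int idx = toy_srcu_read_lock(&ts->srcu);
	int seen = 0;

	for (int i = 0; i < NR_TAGS; i++) {
		struct request *rq = ts->rqs[i];

		if (rq) {
			assert(!rq->freed);
			seen++;
		}
	}
	toy_srcu_read_unlock(&ts->srcu, idx);
	return seen;
}

/* One interleaving: a reader has dereferenced a request and is blocked in
 * its callback while teardown runs. Returns true if the reader ends up
 * touching a freed request. */
static bool run_scenario(bool wait_for_grace_period)
{
	struct request rq[NR_TAGS];
	struct tagset ts;
	bool use_after_free = false;

	memset(&ts, 0, sizeof ts);
	for (int i = 0; i < NR_TAGS; i++) {
		rq[i].tag = i;
		rq[i].freed = false;
		ts.rqs[i] = &rq[i];
	}
	assert(iterate_tags(&ts) == NR_TAGS);

	/* Reader enters the iteration, picks up rqs[2], then sleeps. */
	int idx = toy_srcu_read_lock(&ts.srcu);
	struct request *held = ts.rqs[2];

	/* Teardown step 1: clear the request pointers. */
	memset(ts.rqs, 0, sizeof ts.rqs);

	/* Teardown step 2: the rcu_barrier()/synchronize_srcu() stand-in. */
	toy_srcu_start_gp(&ts.srcu);
	if (wait_for_grace_period && !toy_srcu_gp_done(&ts.srcu)) {
		/* The writer blocks here, so in this single-threaded model the
		 * reader finishes its callback and drops the lock first. */
		toy_srcu_read_unlock(&ts.srcu, idx);
		idx = -1;
		assert(toy_srcu_gp_done(&ts.srcu));
	}

	/* Teardown step 3: free the scheduler requests (modelled by a flag). */
	for (int i = 0; i < NR_TAGS; i++)
		rq[i].freed = true;

	/* A reader nobody waited for resumes and touches its request. */
	if (idx >= 0) {
		use_after_free = held->freed;
		toy_srcu_read_unlock(&ts.srcu, idx);
	}
	return use_after_free;
}

int main(void)
{
	printf("free without grace period: %s\n",
	       run_scenario(false) ? "use-after-free" : "ok");
	printf("clear, grace period, free: %s\n",
	       run_scenario(true) ? "use-after-free" : "ok");
	return 0;
}
```

Clearing the pointers before the grace period is what makes the wait sufficient: any reader that starts after the clear sees NULL entries, and any reader that started before it is drained by the grace period, so by the time the free runs no reader can still hold a pointer into the table.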