On Wed, Apr 28, 2021 at 10:28:10AM +0800, Ming Lei wrote:
> ...

Can you please avoid the full quote?

> > + * 1) the bio is beeing initialized and bi_bdev is NULL. We can just
> > + * simply nothing in this case
> > + * 2) the bio points to a not poll enabled device. bio_poll will catch
> > + * this and return 0
> > + * 3) the bio points to a poll capable device, including but not
> > + * limited to the one that the original bio pointed to. In this
> > + * case we will call into the actual poll method and poll for I/O,
> > + * even if we don't need to, but it won't cause harm either.
> > + */
> > + rcu_read_lock();
> > + bio = READ_ONCE(kiocb->private);
> > + if (bio && bio->bi_bdev)
>
> ->bi_bdev and associated disk/request_queue/hctx/... referred in bio_poll()
> may have been freed now, so there is UAF risk.

the block device is RCU freed, so we are fine there. The rest OTOH is more
interesting. Let me think of a good defense using some kind of liveness check.
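Review bot: the rcu_read_lock() around the `if (bio && bio->bi_bdev)` test only keeps the block_device itself alive; bio_poll() then reaches the disk, request_queue and hctx behind it, which the reply above agrees are not covered by the RCU free, so whatever liveness check is added should sit between that bi_bdev test and the call into bio_poll(), not after it. Minor: the case-1 comment reads "beeing" for "being", and "We can just simply nothing in this case" is missing its verb (presumably "do nothing").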