Re: [PATCH 12/15] block: switch polling to be bio based

On Thu, Apr 29, 2021 at 09:20:28AM +0200, Christoph Hellwig wrote:
> On Wed, Apr 28, 2021 at 10:28:10AM +0800, Ming Lei wrote:
> 
> > ...
> 
> Can you please avoid the full quote?
> 
> > > +	 *  1) the bio is beeing initialized and bi_bdev is NULL.  We can just
> > > +	 *     simply nothing in this case
> > > +	 *  2) the bio points to a not poll enabled device.  bio_poll will catch
> > > +	 *     this and return 0
> > > +	 *  3) the bio points to a poll capable device, including but not
> > > +	 *     limited to the one that the original bio pointed to.  In this
> > > +	 *     case we will call into the actual poll method and poll for I/O,
> > > +	 *     even if we don't need to, but it won't cause harm either.
> > > +	 */
> > > +	rcu_read_lock();
> > > +	bio = READ_ONCE(kiocb->private);
> > > +	if (bio && bio->bi_bdev)
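Review bot: in the "if (bio && bio->bi_bdev)" test, bi_bdev is a plain load even though the comment above allows the bio to be mid-initialization or pointing at a different device than the original one. kiocb->private is already read with READ_ONCE; consider reading bi_bdev once into a local the same way and using that local for both the NULL test and the call into bio_poll. The comment should also state which objects the rcu_read_lock() section is expected to keep alive, and case 1 is missing a verb ("We can just simply nothing").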
> > 
> > ->bi_bdev and associated disk/request_queue/hctx/... referred in bio_poll()
> > may have been freed now, so there is UAF risk.
> 
> The block device is RCU freed, so we are fine there.  The rest OTOH
> is more interesting.  Let me think of a good defense using some kind
> of liveness check.

Or hold gendisk reference in bdev lifetime, then everything referred
won't be released until bdev is freed.


Thanks,
Ming




