On 4/28/21 7:34 PM, Ming Lei wrote:
> Grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter(), and
> this way will prevent the request from being re-used when ->fn is
> running. The approach is the same as what we do during handling timeout.
>
> Fix request UAF related to completion race or queue releasing:
>
> - If one rq is referred before rq->q is frozen, then queue won't be
> frozen before the request is released during iteration.
>
> - If one rq is referred after rq->q is frozen, refcount_inc_not_zero()
> will return false, and we won't iterate over this request.
>
> However, one request UAF is still not covered: refcount_inc_not_zero() may
> read one freed request, and it will be handled in the next patch.

Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>
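The reference-pinning rule the commit message describes (take a reference with an inc-not-zero before calling ->fn, drop it afterwards, skip requests whose count is already zero), as an added, constructed user-space model: this is not kernel code and not from the patch; the struct and function names only mirror the kernel's, and the "freed" flag stands in for the real free.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed model of the block-mq pattern; names mirror the kernel's, nothing here is kernel code. */
struct request { atomic_int refcount; bool freed; };
struct tagset { struct request *rqs[2]; int nr; };
typedef bool (*busy_iter_fn)(struct request *rq, void *data);
/* Like refcount_inc_not_zero(): take a reference only if one still exists. */
static bool rq_ref_inc_not_zero(struct request *rq) {
	int old = atomic_load(&rq->refcount);
	while (old != 0)
		if (atomic_compare_exchange_weak(&rq->refcount, &old, old + 1))
			return true;
	return false;
}
/* Dropping the last reference models freeing the request. */
static void rq_put_ref(struct request *rq) {
	if (atomic_fetch_sub(&rq->refcount, 1) == 1)
		rq->freed = true;
}
/* The iterator: pin each request across ->fn, skip ones already released. */
static int tagset_busy_iter(struct tagset *ts, busy_iter_fn fn, void *data) {
	int visited = 0;
	for (int i = 0; i < ts->nr; i++) {
		struct request *rq = ts->rqs[i];
		if (!rq_ref_inc_not_zero(rq))
			continue;	/* refcount already 0: fn never sees this rq */
		visited++;
		bool go_on = fn(rq, data);
		rq_put_ref(rq);		/* a free, if due, happens here, not under fn */
		if (!go_on)
			break;
	}
	return visited;
}
/* ->fn that races a completion: the owner drops its reference while we run. */
static bool complete_under_fn(struct request *rq, void *data) {
	rq_put_ref(rq);			/* owner's reference gone during ->fn */
	*(bool *)data = rq->freed;	/* stays false: the iterator's reference pins it */
	return true;
}
/* Outcome of demo(): was rq a freed while ->fn ran, and after the walk? */
bool demo_freed_during_fn, demo_freed_after;
/* Returns requests visited: b was released before the walk, a completes under ->fn. */
int demo(void) {
	struct request a = { .refcount = 1 }, b = { .refcount = 1 };
	struct tagset ts = { .rqs = { &a, &b }, .nr = 2 };
	rq_put_ref(&b);		/* b released before iteration: must be skipped */
	int visited = tagset_busy_iter(&ts, complete_under_fn, &demo_freed_during_fn);
	demo_freed_after = a.freed;	/* true only after the iterator let go */
	return visited;		/* 1 */
}
```

The model covers the two cases the message lists: a request released before the walk is never handed to ->fn, and one that completes while ->fn runs is not freed until the iterator drops its own reference.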