On Thu, Apr 29, 2021 at 11:50:36AM +0200, Christoph Hellwig wrote:
> On Thu, Apr 29, 2021 at 03:36:14PM +0800, Ming Lei wrote:
> > > > ->bi_bdev and associated disk/request_queue/hctx/... referred in bio_poll()
> > > > may have been freed now, so there is UAF risk.
> > >
> > > the block device is RCU freed, so we are fine there. The rest OTOH
> > > is more interesting. Let me think of a good defense using some kind
> > > of liveness check.
> >
> > Or hold gendisk reference in bdev lifetime, then everything referred
> > won't be released until bdev is freed.
>
> The whole device bdev controls the gendisk lifetime, so that one is
> easy. But for partitions it is probably a good idea to ensure that
> the gendisk is kept allocated as long as the block devices are around
> as well.

Looks like we needn't care if the bdev is disk or partition: bdev is always
associated with gendisk via ->bd_disk, so the gendisk instance has to be kept
alive since bio->bi_bdev->bd_disk is used almost everywhere.

Thanks,
Ming
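The lifetime argument in the thread, as an added model that is not kernel code and not from anyone in the discussion: a partition bdev whose ->bd_disk is not pinned dangles as soon as the driver drops its last disk reference, while a bdev that holds a gendisk reference (the proposal above) keeps the disk alive until the bdev itself goes away. All names ending in _model, the pins_disk flag and the disks_freed counter are assumed for the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical, simplified model of gendisk/block_device lifetimes (not kernel code). */
struct gendisk { int refcnt; };
struct block_device {
    int refcnt;
    bool pins_disk;           /* does this bdev hold a gendisk reference? */
    struct gendisk *bd_disk;  /* what bio->bi_bdev->bd_disk resolves to */
};
static int disks_freed;       /* gendisk objects actually released so far */
static struct gendisk *disk_alloc_model(void)
{
    struct gendisk *disk = calloc(1, sizeof(*disk));
    if (!disk) abort();
    disk->refcnt = 1;         /* the driver's own reference */
    return disk;
}
static void put_disk_model(struct gendisk *disk)
{
    if (--disk->refcnt == 0) { free(disk); disks_freed++; }
}
static struct block_device *bdev_alloc_model(struct gendisk *disk, bool pin)
{
    struct block_device *bdev = calloc(1, sizeof(*bdev));
    if (!bdev) abort();
    bdev->refcnt = 1;
    bdev->pins_disk = pin;
    bdev->bd_disk = disk;
    if (pin) disk->refcnt++;  /* the thread's proposal: bdev keeps its disk alive */
    return bdev;
}
static void bdev_put_model(struct block_device *bdev)
{
    if (--bdev->refcnt) return;
    if (bdev->pins_disk) put_disk_model(bdev->bd_disk); /* drop the pin last */
    free(bdev);
}
/* The driver drops its disk reference while a partition bdev is still open.
 * Returns 1 if the disk was freed under the open bdev (its ->bd_disk now
 * dangles, the UAF risk from the thread), 0 if the disk outlived the bdev. */
static int disks_freed_under_open_bdev(bool bdev_pins_disk)
{
    struct block_device *part = bdev_alloc_model(disk_alloc_model(), bdev_pins_disk);
    int freed_while_open;
    disks_freed = 0;
    put_disk_model(part->bd_disk);    /* e.g. del_gendisk() + driver's final put */
    freed_while_open = disks_freed;
    bdev_put_model(part);             /* the last opener releases the bdev */
    return freed_while_open;
}
```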