On Fri, Jun 18, 2021 at 10:27:20PM +0800, Ming Lei wrote:
> > How? On a block device the caller needs to hold the block device open
> > to read/write from it. On a file systems the file systems needs to
> > be mounted, which also holds a bdev reference.
> 
> > +	rcu_read_lock();
> > +	bio = READ_ONCE(kiocb->private);
> > +	if (bio && bio->bi_bdev)
> 
> The bio may be ended now from another polling job, then the disk is
> closed & deleted, and released. Then request queue & hctxs are released.
> 
> > +		ret = bio_poll(bio, flags);
> 
> But disk & request queue & hctx can still be referred in above bio_poll().

I don't see how this can happen. A bio stashed into kiocb->private
needs to belong to the correct device initially. For it to point to
the "wrong" device it needs to have been completed on the correct one,
and then be reused for a different device. At the point it is reused
that device must obviously have been alive, and for it to be freed a
RCU grace period must have been passed. And that grace period can't
have started earlier than when iocb_bio_iopoll was called.
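Review bot: the rcu_read_lock() / READ_ONCE(kiocb->private) / bio_poll(bio, flags) region carries no comment saying why an RCU read-side critical section, rather than a reference on the bio or on bio->bi_bdev, is sufficient here, and the reply above shows the argument is subtle: by the time kiocb->private is read, the bio may already have completed and been reused for a different device, and the only thing keeping that device's request queue from being freed underneath bio_poll() is that a grace period cannot have started before this read side began. That reasoning belongs in the code, not only in the thread; add a comment above "rcu_read_lock();" along the lines of "kiocb->private is only a hint: the bio may have completed and been reused for another device; the RCU read side guarantees whatever bi_bdev it now points to is not freed while we poll it", so a later reader does not reopen this question or "fix" it by taking a reference that the completion path does not expect.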