On 4/24/21 5:09 PM, Ming Lei wrote:
> However, blk_mq_wait_for_tag_iter() still may return before
> blk_mq_wait_for_tag_iter() is done because blk_mq_wait_for_tag_iter()
> supposes all request references are just done inside bt_tags_iter(),
> especially .iter_rwsem and read rcu lock is added in bt_tags_iter().

The comment above blk_mq_wait_for_tag_iter() needs to be updated, but I believe that the code is fine. Waiting for bt_tags_iter() to finish should be sufficient to fix the UAF. What matters is that the pointer read by rcu_dereference(tags->rqs[bitnr]) remains valid until the callback function has finished. I think that is guaranteed by the current implementation.

Bart.