On Sun, Apr 25, 2021 at 02:01:11PM -0700, Bart Van Assche wrote:
> On 4/24/21 5:09 PM, Ming Lei wrote:
> > However, blk_mq_wait_for_tag_iter() still may return before
> > blk_mq_wait_for_tag_iter() is done because blk_mq_wait_for_tag_iter()
> > supposes all request references are just done inside bt_tags_iter(),
> > especially since .iter_rwsem and the RCU read lock are added in bt_tags_iter().
>
> The comment above blk_mq_wait_for_tag_iter() needs to be updated, but I
> believe that the code is fine. Waiting for bt_tags_iter() to finish
> should be sufficient to fix the UAF. What matters is that the pointer
> read by rcu_dereference(tags->rqs[bitnr]) remains valid until the
> callback function has finished. I think that is guaranteed by the
> current implementation.

It depends on whether 'rq' will be passed to another new context from ->fn(),
since 'rq' still can be USEd in the new context after ->fn() returns.

thanks,
Ming