On Mon, Dec 13, 2021 at 05:24:00PM +0800, QiuLaibin wrote:

quoted

* This function is called synchronously on the issue path. The bio isn't
   seen by the queue and device driver yet and nothing can race to issue it
   before this function returns.

The bio is under throttle here, this submit_bio return directly. And
current process will queue a dispatch work by
throtl_schedule_pending_timer() to submit this bio before BIO_THROTTLED flag
set. If the bio is completed quickly after the dispatch work is queued, UAF
of bio will happen.

You are right, the timer can get to it. Can't it be solved by just
reordering spin_unlock and setting BIO_THROTTLED?

quoted

* Now we're not setting BIO_THROTTLED when we're taking a different return
   path through the out_unlock label and risks calling back into blk_throtl
   again on the same bio.

In my opinion, This flag can prevent the request from being throttled
multiple times. If the request itself does not need to be throttled, the
result of repeated entry will be the same.
If necessary, I think we can use other methods to achieve this effect for
request does not need to be throttled.

So that we don't change anything regarding this?

Thanks.

-- 
tejun