On 2021/12/14 4:12, Tejun Heo wrote:

On Mon, Dec 13, 2021 at 05:24:00PM +0800, QiuLaibin wrote:

quoted

quoted

* This function is called synchronously on the issue path. The bio isn't
    seen by the queue and device driver yet and nothing can race to issue it
    before this function returns.

The bio is under throttle here, this submit_bio return directly. And
current process will queue a dispatch work by
throtl_schedule_pending_timer() to submit this bio before BIO_THROTTLED flag
set. If the bio is completed quickly after the dispatch work is queued, UAF
of bio will happen.

You are right, the timer can get to it. Can't it be solved by just
reordering spin_unlock and setting BIO_THROTTLED?

I think it can be solved by setting BIO_THROTTLED before queue dispatch 
work.

quoted

quoted

* Now we're not setting BIO_THROTTLED when we're taking a different return
    path through the out_unlock label and risks calling back into blk_throtl
    again on the same bio.

In my opinion, This flag can prevent the request from being throttled
multiple times. If the request itself does not need to be throttled, the
result of repeated entry will be the same.
If necessary, I think we can use other methods to achieve this effect for
request does not need to be throttled.

So that we don't change anything regarding this?

I am thinking of adding a new bio tag (like BIO_THROTTLE_BYPASS) to 
avoid those requests which do not need to be throttled to enter the 
throttle multiple times.

Thanks.