Re: v4.20-rc6: Sporadic use-after-free in bt_iter()
From: Bart Van Assche <bvanassche@acm.org>
Date: 2018-12-20 21:40:47
On Thu, 2018-12-20 at 14:34 -0700, Jens Axboe wrote:
> Yeah, I don't think it's bullet proof either, it just closes the gap. I'm fine with fiddling with the tag iteration. On top of what I sent, we could have tag iteration hold the RCU read lock, and then we just need to ensure that the tags are freed with RCU.
Do you mean using call_rcu() to free tags? Would that require adding a struct rcu_head to every request? Would it be acceptable to increase the size of struct request with an rcu_head? Additionally, could that reduce the queue depth if the time between grace periods is larger than the time between I/O submissions?

Thanks,

Bart.