Re: [PATCH 1/1] block: Manage bio references so the bio persists until necessary
From: Christoph Hellwig <hch@infradead.org>
Date: 2020-02-04 07:51:27
Also in:
io-uring
On Mon, Feb 03, 2020 at 01:07:48PM -0800, Bijan Mottahedeh wrote:
> My concern is with the code below for the single bio async case:
>
>     qc = submit_bio(bio);
>     if (polled)
>         WRITE_ONCE(iocb->ki_cookie, qc);
>
> The bio/dio can be freed before the cookie is written, which is what I'm seeing, and I thought this may lead to a scenario where that iocb request could be completed, freed, reallocated, and resubmitted in the io_uring layer; i.e., I thought the cookie could be written into the wrong iocb.
I think we do have a potential use after free of the iocb here. But taking a bio reference isn't going to help with that, as the iocb and bio/dio life times are unrelated. I vaguely remember having that discussion with Jens a while ago, and tried to pass a pointer to the qc to submit_bio so that we can set it at submission time, but he came up with a reason why that might not be required. I'd have to dig out all notes unless Jens remembers better.
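The ordering hazard discussed in the exchange above, as an added model that is not part of the thread or of the kernel: a toy submit_bio() whose "device" can complete the I/O (and release the iocb) before submit returns, with the cookie stored either afterwards, as in the quoted code, or at submission time, as in the approach Christoph mentions having tried. The `publish_cookie` flag on the bio and the `freed` bookkeeping on the iocb are assumptions of the model, used so the late write is observable instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* A plain integer stands in for blk_qc_t, the cookie submit_bio() returns. */
typedef unsigned int qc_t;

/* Minimal stand-in for struct kiocb.  Completion sets `freed` instead of
 * free()ing, so a write to a released iocb can be detected by the caller. */
struct kiocb {
    qc_t ki_cookie;
    bool freed;                 /* true once ki_complete() has run */
    bool written_after_free;    /* records the use-after-free the thread describes */
};

/* Stand-in for the bio/dio that drives the iocb to completion. */
struct bio {
    struct kiocb *iocb;
    bool publish_cookie;        /* assumed extension: store cookie at submit time */
};

/* Store the cookie, flagging the write if the iocb was already released.
 * In the real kernel this write is the use after free. */
static void store_cookie(struct kiocb *iocb, qc_t qc)
{
    if (iocb->freed)
        iocb->written_after_free = true;
    iocb->ki_cookie = qc;                    /* WRITE_ONCE() in the original */
}

/* Completion side.  In the kernel this runs from the driver's completion
 * path, possibly on another CPU; here it is called synchronously from
 * submit to model the fastest possible completion. */
static void ki_complete(struct kiocb *iocb)
{
    iocb->freed = true;                      /* io_uring may now recycle this iocb */
}

/* Model of submit_bio().  `fast_completion` selects whether the device
 * finishes the I/O before submit returns. */
static qc_t submit_bio_model(struct bio *bio, bool fast_completion)
{
    qc_t qc = 0x42;                          /* constructed cookie value */
    if (bio->publish_cookie)
        store_cookie(bio->iocb, qc);         /* iocb is still live here */
    if (fast_completion)
        ki_complete(bio->iocb);              /* iocb may be gone after this */
    return qc;
}

/* Pattern quoted in the thread: cookie written after submit_bio() returns.
 * Returns true if the write (if any) landed on a live iocb. */
bool racy_submit(struct kiocb *iocb, bool polled, bool fast_completion)
{
    struct bio bio = { .iocb = iocb, .publish_cookie = false };
    qc_t qc = submit_bio_model(&bio, fast_completion);
    if (polled)
        store_cookie(iocb, qc);
    return !iocb->written_after_free;
}

/* Alternative: submit_bio() is told to set the cookie at submission time,
 * before anything can complete the request. */
bool eager_submit(struct kiocb *iocb, bool polled, bool fast_completion)
{
    struct bio bio = { .iocb = iocb, .publish_cookie = polled };
    submit_bio_model(&bio, fast_completion);
    return !iocb->written_after_free;
}

/* Drive one scenario on a fresh iocb; returns whether the cookie write was safe. */
bool scenario(bool eager, bool polled, bool fast_completion)
{
    struct kiocb iocb = { 0 };
    return eager ? eager_submit(&iocb, polled, fast_completion)
                 : racy_submit(&iocb, polled, fast_completion);
}

int main(void)
{
    printf("racy, polled, fast completion : %s\n", scenario(false, true, true) ? "ok" : "UAF");
    printf("racy, polled, slow completion : %s\n", scenario(false, true, false) ? "ok" : "UAF");
    printf("eager, polled, fast completion: %s\n", scenario(true, true, true) ? "ok" : "UAF");
    return 0;
}
```

Only the combination of polled I/O and a completion that beats the return from submit trips the racy path; the eager path is safe regardless of completion timing because the cookie is published while the submitter still owns the iocb. Note that the model says nothing about taking a bio reference: holding the bio alive does not stop ki_complete() from releasing the iocb, which is the point made in the reply.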