Re: [PATCH] blk-mq: Fix races between iterating over requests and freeing requests
From: Bart Van Assche <bvanassche@acm.org>
Date: 2021-03-22 23:39:13
On 3/22/21 3:39 PM, Khazhy Kumykov wrote:
> On Thu, Mar 18, 2021 at 6:00 PM Bart Van Assche [off-list ref] wrote:
> > Multiple users have reported use-after-free complaints similar to the following (see also https://lore.kernel.org/linux-block/1545261885.185366.488.camel@acm.org/):
>
> This fixes the crashes I was seeing. I also looked over the patch and the dereferencing rules seem correct, although that q_usage_counter check in the bad case seems racy itself? Thanks!
>
> Reviewed-By: Khazhismel Kumykov <redacted>
Thanks Khazhy for the review and for the testing. The purpose of the q_usage_counter check in blk_mq_tag_to_rq() is to catch calls of blk_mq_tag_to_rq() from outside .queue_rq() that happen during or after queue deletion. Maybe I should change that check into a test of QUEUE_FLAG_DYING.

Bart.
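A userspace model of the guard Bart describes, added here as an illustration and not the patch's or the kernel's code: the queue, usage counter, dying flag, tag map and function names are constructed stand-ins for q_usage_counter, QUEUE_FLAG_DYING and blk_mq_tag_to_rq(), and a plain atomic counter replaces the percpu_ref.

```c
/* Userspace model of the blk_mq_tag_to_rq() guard discussed in this thread:
 * constructed for illustration, not kernel code; an atomic int stands in
 * for the percpu_ref q_usage_counter. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define NR_TAGS 4
static struct request { int tag; } rq_pool[NR_TAGS];
struct queue {
    atomic_int usage_counter;       /* stands in for q_usage_counter */
    atomic_bool dying;              /* stands in for QUEUE_FLAG_DYING */
    struct request *tags[NR_TAGS];  /* tag -> request, NULL once freed */
};

/* Like percpu_ref_init(): the queue holds the initial reference itself. */
static void init_queue(struct queue *q)
{
    atomic_store(&q->usage_counter, 1);
    atomic_store(&q->dying, false);
    for (int i = 0; i < NR_TAGS; i++)
        rq_pool[i].tag = i, q->tags[i] = &rq_pool[i];
}

/* Like blk_queue_enter()/blk_queue_exit(): .queue_rq() runs with a ref held. */
static bool queue_enter(struct queue *q)
{
    if (atomic_load(&q->dying)) return false;
    atomic_fetch_add(&q->usage_counter, 1);
    return true;
}
static void queue_exit(struct queue *q) { atomic_fetch_sub(&q->usage_counter, 1); }

/* Guarded lookup: once the last reference is gone the requests may already be
 * freed, so refuse to translate the tag. A caller that holds no reference can
 * still pass this check just before teardown (the window Khazhy calls racy);
 * only holding a reference across the lookup closes it. */
static struct request *tag_to_rq(struct queue *q, int tag)
{
    if (atomic_load(&q->usage_counter) == 0 || tag < 0 || tag >= NR_TAGS)
        return NULL;
    return q->tags[tag];
}

/* Like blk_cleanup_queue(): mark dying, drop the initial ref, wait, free. */
static void cleanup_queue(struct queue *q)
{
    atomic_store(&q->dying, true);
    atomic_fetch_sub(&q->usage_counter, 1);
    while (atomic_load(&q->usage_counter) > 0) ;   /* in-flight users exit */
    for (int i = 0; i < NR_TAGS; i++)
        q->tags[i] = NULL;
}
```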