Re: [PATCH 0/8]: blk-mq: use static_rqs to iterate busy tags

Date: Mon Mar 18 2019 - 21:22:53 EST

Hi Bart

Thanks for your kind and detailed comment on this.

On 3/19/19 1:28 AM, Bart Van Assche wrote:
> On Fri, 2019-03-15 at 16:57 +0800, Jianchao Wang wrote:
>> [2]
> Hi Jianchao,
> That is a reference to the "BUG: KASAN: use-after-free in bt_iter" issue.
> I think that issue can be fixed in another way than modifying all code that
> iterates over tags, namely by adding an rcu_read_lock() / rcu_read_unlock()
> pair in bt_for_each() and bt_tags_for_each() and by changing the calls in
> blk_mq_free_rqs() and blk_free_flush_queue() that free the data structures
> used by the tag iteration functions into kfree_rcu() or call_rcu() calls.

Do you mean this patch from Jens?

+ rcu_read_lock();
sbitmap_for_each_set(&bt->sb, bt_iter, &iter_data);
+ rcu_read_unlock();
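Review bot: wrapping sbitmap_for_each_set() in an rcu_read_lock()/rcu_read_unlock() pair turns the entire iteration into a non-sleeping context, yet the busy_iter_fn callback it invokes is allowed to block: for nvme the path blk_mq_rq_timed_out -> q->mq_ops->timeout -> nvme_dev_disable ends in mutex_lock(dev->shutdown_lock). With this hunk that mutex_lock() would run inside an RCU read-side critical section, which is not permitted. Either the callback path must be made non-blocking, or the iteration needs a protection scheme under which sleeping is legal (e.g. holding a reference on the data structures being walked) rather than a bare RCU read lock.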

The busy_iter_fn could sleep for nvme
-> blk_mq_rq_timed_out
-> q->mq_ops->timeout
-> nvme_dev_disable
-> mutex_lock dev->shutdown_lock