Re: [RFC PATCH v3 2/3] blk-mq: Freeze and quiesce all queues for tagset in elevator_exit()

From: Bart Van Assche
Date: Tue Mar 16 2021 - 16:00:09 EST


On 3/16/21 10:43 AM, John Garry wrote:
> On 16/03/2021 17:00, Bart Van Assche wrote:
>> I agree that Jens asked at the end of 2018 not to touch the fast path
>> to fix this use-after-free (maybe that request has been repeated more
>> recently). If Jens or anyone else feels strongly about not clearing
>> hctx->tags->rqs[rq->tag] from the fast path then I will make that change.
>
> Is that possible for this same approach? I need to check the code more..

If the fast path should not be modified, I'm considering borrowing patch
1/3 from your patch series and adding an rcu_barrier() between the code
that clears the request pointers and the code that frees the scheduler requests.

> And don't we still have the problem that some iter callbacks may
> sleep/block, which is not allowed in an RCU read-side critical section?

Thanks for having brought this up. Since none of the functions that
iterate over requests should be called from the hot path of a block
driver, I think that we can use srcu_read_(un|)lock() inside bt_iter()
and bt_tags_iter() instead of rcu_read_(un|)lock().

Bart.
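The ordering discussed above (clear the tags->rqs[] pointers first, wait for a grace period, only then free the scheduler requests) and the reason an SRCU read side is needed (the iterator callback may block), as an added userspace C model. This is not code from the kernel, from either patch series, or from the thread's participants. The two-counter SRCU below is a toy stand-in for the kernel's srcu_read_lock()/srcu_read_unlock()/synchronize_srcu() and assumes a single writer; the tag table, request struct, reader thread and sleeping callback are constructed for the illustration, and the real bt_iter()/bt_tags_iter() are not reproduced.

```c
/* Added example: a tag table shared between an iterator whose callback may
 * sleep and a teardown path that clears, waits a grace period, then frees.
 * Everything here is a constructed model, not kernel code. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define NR_TAGS 8

struct request { int tag; };

static void sleep_us(long us)
{
    struct timespec ts = { 0, us * 1000L };
    nanosleep(&ts, NULL);
}

/* Toy sleepable RCU: two reader counters; the writer flips the active index
 * and waits for the old counter to drain. Readers may block while inside the
 * critical section, which plain rcu_read_lock() does not allow. Single writer. */
struct srcu { atomic_int count[2]; atomic_int idx; };

static int srcu_read_lock(struct srcu *s)
{
    for (;;) {
        int i = atomic_load(&s->idx);
        atomic_fetch_add(&s->count[i], 1);
        if (atomic_load(&s->idx) == i)
            return i;
        /* Writer flipped between our two loads: back out and restart on the
         * new side so we are not mistaken for a pre-flip reader. */
        atomic_fetch_sub(&s->count[i], 1);
    }
}

static void srcu_read_unlock(struct srcu *s, int i)
{
    atomic_fetch_sub(&s->count[i], 1);
}

static void synchronize_srcu(struct srcu *s)
{
    int old = atomic_load(&s->idx);
    atomic_store(&s->idx, old ^ 1);            /* new readers use the other counter */
    while (atomic_load(&s->count[old]) != 0)    /* wait for pre-existing readers */
        sleep_us(50);
}

static struct srcu tag_srcu;
static _Atomic(struct request *) rqs[NR_TAGS];  /* models hctx->tags->rqs[] */
static atomic_bool freed[NR_TAGS];               /* bookkeeping for the check only */
static atomic_int violations;
static atomic_bool stop;

/* Models bt_iter()/bt_tags_iter(): every slot dereference happens inside the
 * read-side section, and the callback is allowed to sleep. Returns the number
 * of live requests visited. */
static int iterate_tags(void (*fn)(struct request *))
{
    int n = 0, idx = srcu_read_lock(&tag_srcu);
    for (int t = 0; t < NR_TAGS; t++) {
        struct request *rq = atomic_load(&rqs[t]);
        if (rq) { fn(rq); n++; }
    }
    srcu_read_unlock(&tag_srcu, idx);
    return n;
}

static void noop_cb(struct request *rq) { (void)rq; }

/* Blocking callback that records whether it ever ran against a freed request. */
static void sleepy_cb(struct request *rq)
{
    if (atomic_load(&freed[rq->tag])) atomic_fetch_add(&violations, 1);
    sleep_us(200);                               /* blocking work under SRCU */
    if (atomic_load(&freed[rq->tag])) atomic_fetch_add(&violations, 1);
}

static void *reader_thread(void *arg)
{
    (void)arg;
    while (!atomic_load(&stop))
        iterate_tags(sleepy_cb);
    return NULL;
}

static void setup_requests(struct request **owned)
{
    for (int t = 0; t < NR_TAGS; t++) {
        owned[t] = calloc(1, sizeof *owned[t]);
        owned[t]->tag = t;
        atomic_store(&freed[t], false);
        atomic_store(&rqs[t], owned[t]);
    }
}

/* Models the proposed teardown ordering: clear the table, wait out readers
 * that may already hold a pointer, then free. */
static void free_requests(struct request **owned)
{
    for (int t = 0; t < NR_TAGS; t++)
        atomic_store(&rqs[t], NULL);
    synchronize_srcu(&tag_srcu);                /* stands in for the barrier */
    for (int t = 0; t < NR_TAGS; t++) {
        atomic_store(&freed[t], true);
        free(owned[t]);
        owned[t] = NULL;
    }
}

/* Race a sleeping iterator against teardown; returns callbacks that saw a
 * freed request (expected 0), or -1 if the thread could not be started. */
static int run_scenario(void)
{
    struct request *owned[NR_TAGS];
    pthread_t tid;
    atomic_store(&violations, 0);
    atomic_store(&stop, false);
    setup_requests(owned);
    if (pthread_create(&tid, NULL, reader_thread, NULL) != 0)
        return -1;
    sleep_us(500);                              /* let the iterator get into its callback */
    free_requests(owned);
    atomic_store(&stop, true);
    pthread_join(tid, NULL);
    return atomic_load(&violations);
}

int main(void)
{
    printf("callbacks that observed a freed request: %d\n", run_scenario());
    return 0;
}
```

Deleting the synchronize_srcu() call in free_requests() reproduces the shape of the bug under discussion: a callback that loaded a request pointer before the table was cleared keeps using it after free(). Note also that the clear must precede the grace period wait; clearing afterwards leaves a window for a reader that started after the wait to load a pointer to memory that is about to be freed.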