fix request UAF wrt. stale sched rqs - Coggle Diagram
fix request UAF wrt. stale sched rqs
ideas
  iterate side
    hold one per-tags spinlock while reading ->rqs[tag] and grabbing the request's refcount
  before freeing sched rqs
    clear every request that is about to be freed out of ->rqs[]
    do it while still holding the same per-tags spinlock
  complete the rq synchronously while iterating
analysis
  reading a sched request before the queue is frozen
    its refcount is grabbed, so the queue can't be frozen (and the rq can't be freed) underneath the iterator
  reading a sched request after the queue is frozen
    rq->refcnt is zero, so the iterator detects the case
    ->fn() won't be called on it
  freeing sched rqs only after clearing ->rqs[]
    the iterator reads NULL instead of a stale pointer, so grabbing rq->refcnt can't cause a UAF
    that is the value of clearing the rq mapping
  just one spinlock is needed
    hold it when reading ->rqs[tag] and grabbing its ref
    hold it when clearing the rq map
  Bart's patch needs a semaphore or an RCU read lock around each ->fn() call
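The scheme in the notes above, as an added example that is not the kernel's code and not part of this diagram: a single-threaded user-space C model in which the iterator takes one per-tags lock to read ->rqs[tag] and grab the request's refcount, and the free path clears every mapping into a request pool under that same lock before freeing the pool. The spinlock is modelled with an atomic_flag, and the names tags, sched_pool, find_and_get, sched_pool_free and scenario are assumptions chosen for the model, not kernel identifiers. scenario() walks the three cases of the analysis: an in-flight request is visited, a completed one (refcount zero, mapping still stale) is skipped without calling fn(), and once the pool is freed the cleared mapping means the iterator never dereferences freed memory.

```c
/* Added example, not kernel code: single-threaded user-space model of the scheme above.
 * Names (tags, sched_pool, find_and_get, sched_pool_free, scenario) are assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

#define NR_TAGS 8

struct request {
	unsigned int tag;
	atomic_int ref;		/* 0 once completed (or never dispatched) */
};
struct tags {			/* driver tags: tag -> request map plus its lock */
	atomic_flag lock;	/* stands in for the per-tags spinlock */
	struct request *rqs[NR_TAGS];
};
struct sched_pool {		/* a separately freed block of scheduler requests */
	struct request *rqs;
	unsigned int nr;
};

static void tags_lock(struct tags *t)   { while (atomic_flag_test_and_set(&t->lock)) { } }
static void tags_unlock(struct tags *t) { atomic_flag_clear(&t->lock); }

/* Dispatch publishes rq under its tag without the lock; the tag check in
 * find_and_get() is what covers a reader racing with this store. */
static void dispatch(struct tags *t, struct request *rq, unsigned int tag)
{
	rq->tag = tag;
	atomic_store(&rq->ref, 1);
	t->rqs[tag] = rq;
}

/* Take a reference only while the count is still non-zero. */
static int ref_inc_not_zero(struct request *rq)
{
	int old = atomic_load(&rq->ref);
	while (old != 0)
		if (atomic_compare_exchange_weak(&rq->ref, &old, old + 1))
			return 1;
	return 0;
}

/* Iterator side: read ->rqs[tag] and grab the refcount inside the lock. */
static struct request *find_and_get(struct tags *t, unsigned int tag)
{
	struct request *rq;
	tags_lock(t);
	rq = t->rqs[tag];
	if (rq && (rq->tag != tag || !ref_inc_not_zero(rq)))
		rq = NULL;	/* stale mapping or ref already 0: skip it */
	tags_unlock(t);
	return rq;
}

/* Returns how many requests fn() was called on. */
static int tags_iter(struct tags *t, void (*fn)(struct request *))
{
	int called = 0;
	for (unsigned int tag = 0; tag < NR_TAGS; tag++) {
		struct request *rq = find_and_get(t, tag);
		if (!rq)
			continue;
		fn(rq);		/* our reference keeps rq alive here */
		atomic_fetch_sub(&rq->ref, 1);
		called++;
	}
	return called;
}

/* Free side: clear every mapping into the pool under the same lock, then free.
 * Without the clearing loop, a later find_and_get() would read freed memory. */
static void sched_pool_free(struct tags *t, struct sched_pool *p)
{
	uintptr_t lo = (uintptr_t)p->rqs, hi = (uintptr_t)(p->rqs + p->nr);
	tags_lock(t);
	for (unsigned int tag = 0; tag < NR_TAGS; tag++) {
		uintptr_t a = (uintptr_t)t->rqs[tag];
		if (a >= lo && a < hi)
			t->rqs[tag] = NULL;
	}
	tags_unlock(t);		/* from here on readers see NULL, not a stale rq */
	free(p->rqs);
	p->rqs = NULL;
}

static void touch(struct request *rq) { (void)rq->tag; }

/* Walks the three cases from the analysis; returns 7 when all of them hold. */
int scenario(void)
{
	struct tags t = { .lock = ATOMIC_FLAG_INIT };
	struct sched_pool pool = { calloc(4, sizeof(struct request)), 4 };
	int ok = 0;

	dispatch(&t, &pool.rqs[2], 5);
	ok |= tags_iter(&t, touch) == 1 ? 1 : 0;	/* in flight: fn() runs once */
	atomic_fetch_sub(&pool.rqs[2].ref, 1);		/* completed: ref drops to 0 */
	ok |= tags_iter(&t, touch) == 0 ? 2 : 0;	/* stale mapping, ref 0: skipped */
	sched_pool_free(&t, &pool);			/* mapping cleared before free */
	ok |= (t.rqs[5] == NULL && tags_iter(&t, touch) == 0) ? 4 : 0;
	return ok;
}
```

Remove the clearing loop from sched_pool_free() and the last tags_iter() call reads a freed struct request through the stale ->rqs[5] entry, which is the UAF the title refers to; with the loop in place, the only memory touched after the free is the tags array itself, and both lock sites are exactly the two the notes call for.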