Re: [PATCH v13 6/8] blk-mq: prevent offlining hk CPUs with associated online isolated CPUs

Next message: Rosen Penev: "[PATCH] smc: Use flexible array for SMCD connections"
Previous message: Rosen Penev: "[PATCH] target: iblock: Use flexible array for per-CPU plugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Aaron Tomlin

Date: Mon May 18 2026 - 20:51:57 EST

On Tue, May 12, 2026 at 08:55:07PM -0400, Aaron Tomlin wrote:
> + if (fallback_isolated_cpu != -1) {
> + /*
> + * Use READ_ONCE() to prevent compiler double-fetch TOCTOU
> + * issues if the disk is removed concurrently.
> + */
> + disk = READ_ONCE(hctx->queue->disk);
> + pr_warn("%s: trying to offline hctx%d but online isolated CPU %d is still mapped to it\n",
> + disk ? disk->disk_name : "?", hctx->queue_num,
> + fallback_isolated_cpu);
> + return false;
> + }

This looks like a use-after-free BUG.

Consider the following scenario:

1. The per-CPU hotplug thread reads the pointer, and is immediately
preempted.

2. A concurrent SCSI device teardown can invoke disk_release(), which
frees the gendisk structure.

3. When the hotplug thread resumes, it blindly dereferences
disk->disk_name using a pointer to memory that no longer belongs to
it.

I think we should modify the warning message and drop disk->disk_name.

--
Aaron Tomlin

Attachment: signature.asc
Description: PGP signature