On 1/6/26 9:59 AM, Mikulas Patocka wrote:
> @@ -4553,8 +4566,14 @@ static void __blk_mq_realloc_hw_ctxs(str
> * Make sure reading the old queue_hw_ctx from other
> * context concurrently won't trigger uaf.
> */
> - synchronize_rcu_expedited();
> - kfree(hctxs);
> + r = kmalloc(sizeof(struct rcu_free_hctxs), GFP_KERNEL);
> + if (!r) {
> + synchronize_rcu_expedited();
> + kfree(hctxs);
> + } else {
> + r->hctxs = hctxs;
> + call_rcu(&r->head, rcu_free_hctxs);
> + }
> hctxs = new_hctxs;
> }
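Review bot: the `if (!r)` fallback keeps the synchronous `synchronize_rcu_expedited(); kfree(hctxs);` path alongside the new `call_rcu()` path, so this hunk open-codes exactly the behaviour kfree_rcu_mightsleep() already provides (deferred free when memory is available, synchronous grace period otherwise) at the cost of an extra kmalloc() per realloc and a second freeing path to keep correct. Either embed the `rcu_head` in the allocation that backs `hctxs` so no separate `struct rcu_free_hctxs` is needed, or replace the whole block with `kfree_rcu_mightsleep(hctxs);` and drop `rcu_free_hctxs()` and `r`, which are defined outside this hunk.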
This is worse in every conceivable way, imho. The proper way to do this
would be to embed the rcu_head in whatever is allocated for the hctxs at
alloc time, if you're doing an alloc here you may as well just use
kfree_rcu_mightsleep() in the first place. There's nothing gained from
open coding that.
Since kfree_rcu_mightsleep() will only run into trouble under strained
conditions anyway, I think the original patch is fine for this.
--
Jens Axboe