Skip to content

Commit b600de2

Browse files
YuKuai-huaweiaxboe
YuKuai-huawei
authored and
axboe
committed
block, bfq: fix uaf for bfqq in bic_set_bfqq()
After commit 64dc8c7 ("block, bfq: fix possible uaf for 'bfqq->bic'"), bic->bfqq will be accessed in bic_set_bfqq(), however, in some context bic->bfqq will be freed, and bic_set_bfqq() is called with the freed bic->bfqq. Fix the problem by always freeing bfqq after bic_set_bfqq(). Fixes: 64dc8c7 ("block, bfq: fix possible uaf for 'bfqq->bic'") Reported-and-tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent db3ba97 commit b600de2

File tree

2 files changed

+4
-2
lines changed

2 files changed

+4
-2
lines changed

block/bfq-cgroup.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -769,8 +769,8 @@ static void __bfq_bic_change_cgroup(struct bfq_data *bfqd,
769769
* request from the old cgroup.
770770
*/
771771
bfq_put_cooperator(sync_bfqq);
772-
bfq_release_process_ref(bfqd, sync_bfqq);
773772
bic_set_bfqq(bic, NULL, true);
773+
bfq_release_process_ref(bfqd, sync_bfqq);
774774
}
775775
}
776776
}

block/bfq-iosched.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5425,9 +5425,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
54255425

54265426
bfqq = bic_to_bfqq(bic, false);
54275427
if (bfqq) {
5428-
bfq_release_process_ref(bfqd, bfqq);
5428+
struct bfq_queue *old_bfqq = bfqq;
5429+
54295430
bfqq = bfq_get_queue(bfqd, bio, false, bic, true);
54305431
bic_set_bfqq(bic, bfqq, false);
5432+
bfq_release_process_ref(bfqd, old_bfqq);
54315433
}
54325434

54335435
bfqq = bic_to_bfqq(bic, true);

0 commit comments

Comments
 (0)