Commit e2f2a39
block, bfq: fix uaf for 'stable_merge_bfqq'

Before commit fd571df ("block, bfq: turn bfqq_data into an array
in bfq_io_cq"), process reference is read before bfq_put_stable_ref(),
and it's safe if bfq_put_stable_ref() put the last reference, because
process reference will be 0 and 'stable_merge_bfqq' won't be accessed
in this case. However, the commit changed the order and will cause
uaf for 'stable_merge_bfqq'.

In order to emphasize that bfq_put_stable_ref() can drop the last
reference, fix the problem by moving bfq_put_stable_ref() to the end of
bfq_setup_stable_merge().

Fixes: fd571df ("block, bfq: turn bfqq_data into an array in bfq_io_cq")
Reported-and-tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Link: https://lore.kernel.org/linux-block/20230307071448.rzihxbm4jhbf5krj@shindev/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

1 parent e330622 commit e2f2a39
1 file changed, +9 -9 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2854 | 2854 | | |
2855 | 2855 | | |
2856 | 2856 | | |
2857 | | - | |
| 2857 | + | |
2858 | 2858 | | |
2859 | | - | |
2860 | | - | |
2861 | | - | |
| 2859 | + | |
| 2860 | + | |
| 2861 | + | |
2862 | 2862 | | |
2863 | 2863 | | |
2864 | 2864 | | |
| |||
2873 | 2873 | | |
2874 | 2874 | | |
2875 | 2875 | | |
| 2876 | + | |
| 2877 | + | |
| 2878 | + | |
| 2879 | + | |
| 2880 | + | |
2876 | 2881 | | |
2877 | 2882 | | |
2878 | 2883 | | |
| |||
2933 | 2938 | | |
2934 | 2939 | | |
2935 | 2940 | | |
2936 | | - | |
2937 | | - | |
2938 | | - | |
2939 | | - | |
2940 | | - | |
2941 | 2941 | | |
2942 | 2942 | | |
2943 | 2943 | | |
| |||
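
The ordering rule from the commit message, as an added toy model in user-space C; it is not code from this commit or from the kernel. All names (`toy_queue`, `toy_put_stable_ref`, `setup_put_first`, `setup_put_last`) are hypothetical, process references are simplified to "all references minus stable references", and a `freed` flag stands in for the real free so the stale access is counted instead of executed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy user-space model; every name here is hypothetical, not kernel code. */
struct toy_queue {
    int ref;        /* all references to the queue */
    int stable_ref; /* references held for a scheduled stable merge */
    bool freed;     /* stands in for the real free of the queue */
};
static int stale_reads; /* accesses made after the queue was "freed" */

/* Simplified: process references = all references - stable references. */
static int toy_process_refs(const struct toy_queue *q) {
    if (q->freed)
        stale_reads++; /* in a kernel this is the use-after-free read */
    return q->freed ? 0 : q->ref - q->stable_ref;
}

/* Drops the stable reference; may drop the last reference to the queue. */
static void toy_put_stable_ref(struct toy_queue *q) {
    q->stable_ref--;
    if (--q->ref == 0)
        q->freed = true;
}

/* Regressed order: put first, then read the process references. */
static bool setup_put_first(struct toy_queue *q) {
    toy_put_stable_ref(q);
    return toy_process_refs(q) > 0;
}

/* Fixed order: read while the stable reference pins the queue, put last. */
static bool setup_put_last(struct toy_queue *q) {
    bool merge = toy_process_refs(q) > 0; /* 0 means: do not use q again */
    toy_put_stable_ref(q);
    return merge;
}

/* Runs one ordering on a queue whose only reference is the stable one. */
static int count_stale_reads(bool (*setup)(struct toy_queue *)) {
    struct toy_queue q = { .ref = 1, .stable_ref = 1, .freed = false };
    stale_reads = 0;
    setup(&q);
    return stale_reads;
}

int main(void) {
    printf("put first: %d stale read(s), put last: %d\n",
           count_stale_reads(setup_put_first), count_stale_reads(setup_put_last));
    return 0;
}
```

In a real kernel the stale read would show up under KASAN as a use-after-free report rather than as a counter.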