On Fri, 29 Nov 2024 17:15:09 +0800, Yu Kuai wrote:

> Setting a newly allocated bfqq to bic or removing a freed bfqq from bic are both
> protected by bfqd->lock, however bfq_limit_depth() is dereferencing bfqq
> from bic without the lock, this can lead to UAF if the io_context is
> shared by multiple tasks.
>
> For example, test bfq with io_uring can trigger following UAF in v6.6:
>
> [...]

Applied, thanks!

[1/1] block, bfq: fix bfqq uaf in bfq_limit_depth()
      commit: e8b8344de3980709080d86c157d24e7de07d70ad

Best regards,
--
Jens Axboe