Re: [PATCH] block, bfq: fix uaf for bfqq in bic_set_bfqq()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

在 2023/01/13 21:38, Holger Hoffstätte 写道:
On 2023-01-13 10:44, Yu Kuai wrote:
After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed first, and bic_set_bfqq() is called with the freed
bic->bfqq.

Fix the problem by always freeing bfqq after bic_set_bfqq().

Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
Reported-and-tested-by: Shinichiro Kawasaki <shinichiro.kawasaki-Sjgp3cTcYWE@xxxxxxxxxxxxxxxx>
Signed-off-by: Yu Kuai <yukuai3-hv44wF8Li93QT0dZR+AlfA@xxxxxxxxxxxxxxxx>
---
  block/bfq-cgroup.c  | 2 +-
  block/bfq-iosched.c | 4 +++-
  2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index a6e8da5f5cfd..feb13ac25557 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -749,8 +749,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd,
           * old cgroup.
           */
          bfq_put_cooperator(sync_bfqq);
-        bfq_release_process_ref(bfqd, sync_bfqq);
          bic_set_bfqq(bic, NULL, true, act_idx);
+        bfq_release_process_ref(bfqd, sync_bfqq);
      }
  }
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 815b884d6c5a..2ddf831221c4 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -5581,9 +5581,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
      bfqq = bic_to_bfqq(bic, false, bfq_actuator_index(bfqd, bio));
      if (bfqq) {
-        bfq_release_process_ref(bfqd, bfqq);
+        struct bfq_queue *old_bfqq = bfqq;
+
          bfqq = bfq_get_queue(bfqd, bio, false, bic, true);
          bic_set_bfqq(bic, bfqq, false, bfq_actuator_index(bfqd, bio));
+        bfq_release_process_ref(bfqd, old_bfqq);
      }
      bfqq = bic_to_bfqq(bic, true, bfq_actuator_index(bfqd, bio));


Hello,

does this condition also affect the current code? I ask since the patch does not apply as bfq_sync_bfqq_move() is only part of the multi-actuator work, which is only in Jens' for-next. Comparing the code sections it seems it should also be necessary for
current 6.1/6.2, but I wanted to check.

bfq_sync_bfqq_move() already make sure bfq_release_process_ref() is
called after bic_set_bfqq(), so the problem this patch tries to fix
should not exist here.

Thanks,
Kuai

thanks
Holger

.





[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux