On 2/21/23 1:29 AM, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@xxxxxxxxxx>
>
> As explained in commit b600de2d7d3a ("block, bfq: fix uaf for bfqq in
> bic_set_bfqq()"), bfqq should not be freed before bic_set_bfqq().
> However, this is broken while merging commit 9778369a2d6c ("block, bfq:
> split sync bfq_queues on a per-actuator basis") from branch
> for-6.3/block.
>
> Fixes: 9778369a2d6c ("block, bfq: split sync bfq_queues on a per-actuator basis")
> Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx>
> ---
> block/bfq-cgroup.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
> index ea3638e06e04..89ffb3aa992c 100644
> --- a/block/bfq-cgroup.c
> +++ b/block/bfq-cgroup.c
> @@ -746,8 +746,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd,
> * old cgroup.
> */
> bfq_put_cooperator(sync_bfqq);
> - bfq_release_process_ref(bfqd, sync_bfqq);
> bic_set_bfqq(bic, NULL, true, act_idx);
> + bfq_release_process_ref(bfqd, sync_bfqq);
> }
> }
This is already in -git, see my reply to Linus. Eg this will apply
to for-6.3/block, but it will not apply to current master that
has it merged because we got that from the 6.2 side.
--
Jens Axboe
