Commit 96276f6d authored by Yu Kuai's avatar Yu Kuai Committed by sanglipeng
Browse files

block, bfq: fix uaf for bfqq in bic_set_bfqq() 

stable inclusion
from stable-v5.10.175
commit 7f77f3dab5066a7c9da73d72d1eee895ff84a8d5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8711T

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7f77f3dab5066a7c9da73d72d1eee895ff84a8d5



--------------------------------

[ Upstream commit b600de2d ]

After commit 64dc8c73 ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.

Fix the problem by always freeing bfqq after bic_set_bfqq().

Fixes: 64dc8c73 ("block, bfq: fix possible uaf for 'bfqq->bic'")
Reported-and-tested-by: default avatarShinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: default avatarYu Kuai <yukuai3@huawei.com>
Reviewed-by: default avatarJan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarKhazhismel Kumykov <khazhy@google.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarsanglipeng <sanglipeng1@jd.com>
parent b8137480

block/bfq-cgroup.c

+1 −1
Original line number Diff line number Diff line
@@ -744,8 +744,8 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, 
				 * request from the old cgroup.

				 */

				bfq_put_cooperator(sync_bfqq);

				bfq_release_process_ref(bfqd, sync_bfqq);

				bic_set_bfqq(bic, NULL, true);

				bfq_release_process_ref(bfqd, sync_bfqq);

			}

		}

	}

block/bfq-iosched.c

+3 −1
Original line number Diff line number Diff line
@@ -5092,9 +5092,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio) 


	bfqq = bic_to_bfqq(bic, false);

	if (bfqq) {

		bfq_release_process_ref(bfqd, bfqq);

		struct bfq_queue *old_bfqq = bfqq;



		bfqq = bfq_get_queue(bfqd, bio, false, bic);

		bic_set_bfqq(bic, bfqq, false);

		bfq_release_process_ref(bfqd, old_bfqq);

	}



	bfqq = bic_to_bfqq(bic, true);