Commit 96276f6d authored by Yu Kuai's avatar Yu Kuai Committed by sanglipeng
Browse files

block, bfq: fix uaf for bfqq in bic_set_bfqq() 

stable inclusion
from stable-v5.10.175
commit 7f77f3dab5066a7c9da73d72d1eee895ff84a8d5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8711T

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7f77f3dab5066a7c9da73d72d1eee895ff84a8d5



--------------------------------

[ Upstream commit b600de2d ]

After commit 64dc8c73 ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.

Fix the problem by always freeing bfqq after bic_set_bfqq().

Fixes: 64dc8c73 ("block, bfq: fix possible uaf for 'bfqq->bic'")
Reported-and-tested-by: default avatarShinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: default avatarYu Kuai <yukuai3@huawei.com>
Reviewed-by: default avatarJan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarKhazhismel Kumykov <khazhy@google.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarsanglipeng <sanglipeng1@jd.com>
parent b8137480
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment