Unverified Commit ff870734 authored Feb 22, 2025 by openeuler-ci-bot Committed by Gitee Feb 22, 2025

!15175 block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

Merge Pull Request from: @ci-robot 
 
PR sync from: Zheng Qixing <zhengqixing@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BJD235CFJ5S4FTB7KHR7FPBMFFLC57HR/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBIQPR 
 
Link:https://gitee.com/openeuler/kernel/pulls/15175

 

Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Zhang Peng <zhangpeng362@huawei.com>
Signed-off-by: Zhang Peng <zhangpeng362@huawei.com>

parents 74286da1 56f22e44

block/bfq-iosched.c

+10 −2

Original line number	Diff line number	Diff line
		@@ -6850,16 +6850,24 @@ static struct bfq_queue bfq_waker_bfqq(struct bfq_queue bfqq)
		if (new_bfqq == waker_bfqq) {
		/*
		* If waker_bfqq is in the merge chain, and current
		* is the only procress.
		* is the only process, waker_bfqq can be freed.
		*/
		if (bfqq_process_refs(waker_bfqq) == 1)
		return NULL;
		break;

		return waker_bfqq;
		}

		new_bfqq = new_bfqq->new_bfqq;
		}

		/*
		* If waker_bfqq is not in the merge chain, and it's procress reference
		* is 0, waker_bfqq can be freed.
		*/
		if (bfqq_process_refs(waker_bfqq) == 0)
		return NULL;

		return waker_bfqq;
		}