Revision d29bd41428cfff9b582c248db14a47e2be8457a8 authored by Paolo Valente on 15 October 2021, 14:43:36 UTC, committed by Jens Axboe on 17 October 2021, 13:03:02 UTC
Since commit 430a67f9d616 ("block, bfq: merge bursts of newly-created
queues"), BFQ maintains a per-group pointer to the last bfq_queue
created. If such a queue, say bfqq, happens to move to a different
group, then bfqq is no longer a valid last bfq_queue created for its
previous group. That pointer must then be cleared. Not resetting such
a pointer may also cause a UAF, if bfqq happens to also be freed after
being moved to a different group. This commit performs this missing
reset. As such it fixes commit 430a67f9d616 ("block, bfq: merge bursts
of newly-created queues").

Such a missing reset is most likely the cause of the crash reported in [1].
With some analysis, we found that this crash was due to the
above UAF. And such UAF did go away with this commit applied [1].

Anyway, before this commit, that crash happened to be triggered in
conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup
queue merges"). The latter was then reverted by commit ebc69e897e17
("Revert "block, bfq: honor already-setup queue merges""). Yet commit
2d52c58b9c9b ("block, bfq: honor already-setup queue merges") contains
no error related to the above UAF, and can then be restored.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503

Fixes: 430a67f9d616 ("block, bfq: merge bursts of newly-created queues")
Tested-by: Grzegorz Kowal <custos.mentis@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Link: https://lore.kernel.org/r/20211015144336.45894-2-paolo.valente@linaro.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
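Added illustration, not the kernel's code and not part of this commit: a minimal C model of the per-group last-created-queue pointer, showing the group-change path both without and with the reset the commit message describes. The struct layout and the function names (queue_create, move_buggy, move_fixed, old_group_dangles) are simplified assumptions, not the real bfq-cgroup.c implementation.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal model of the structures involved (assumed, not the kernel's). */
struct bfq_queue;
struct bfq_group {
	struct bfq_queue *last_bfqq_created; /* per-group "last queue created" */
};
struct bfq_queue {
	struct bfq_group *parent;
	int ref;
};

/* Creating a queue records it as the group's last-created queue. */
static struct bfq_queue *queue_create(struct bfq_group *grp)
{
	struct bfq_queue *bfqq = calloc(1, sizeof(*bfqq));
	bfqq->parent = grp;
	bfqq->ref = 1;
	grp->last_bfqq_created = bfqq;
	return bfqq;
}

/* Before the fix: the parent changes, the old group's pointer is untouched. */
static void move_buggy(struct bfq_queue *bfqq, struct bfq_group *dst)
{
	bfqq->parent = dst;
}

/* After the fix: clear the old group's pointer if it names the moved queue. */
static void move_fixed(struct bfq_queue *bfqq, struct bfq_group *dst)
{
	struct bfq_group *old_grp = bfqq->parent;
	if (old_grp->last_bfqq_created == bfqq)
		old_grp->last_bfqq_created = NULL;
	bfqq->parent = dst;
}

/* Returns 1 if the old group would still reference bfqq once the queue is
 * dropped (ref hits 0 and the memory is freed): that is the dangling
 * pointer a later burst merge in the old group would dereference (UAF). */
int old_group_dangles(int use_fix)
{
	struct bfq_group old = {0}, dst = {0};
	struct bfq_queue *bfqq = queue_create(&old);
	int dangling;
	if (use_fix) move_fixed(bfqq, &dst); else move_buggy(bfqq, &dst);
	dangling = (old.last_bfqq_created == bfqq);
	if (--bfqq->ref == 0) free(bfqq); /* last reference: queue is gone */
	return dangling;
}
```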
1 parent a204176