Revision d29bd41428cfff9b582c248db14a47e2be8457a8 authored by Paolo Valente on 15 October 2021, 14:43:36 UTC, committed by Jens Axboe on 17 October 2021, 13:03:02 UTC
Since commit 430a67f9d616 ("block, bfq: merge bursts of newly-created queues"), BFQ maintains a per-group pointer to the last bfq_queue created. If such a queue, say bfqq, happens to move to a different group, then bfqq is no longer a valid last bfq_queue created for its previous group. That pointer must then be cleared. Not resetting such a pointer may also cause UAF, if bfqq happens to also be freed after being moved to a different group.

This commit performs this missing reset. As such it fixes commit 430a67f9d616 ("block, bfq: merge bursts of newly-created queues").

Such a missing reset is most likely the cause of the crash reported in [1]. With some analysis, we found that this crash was due to the above UAF. And such UAF did go away with this commit applied [1].

Anyway, before this commit, that crash happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") contains no error related to the above UAF, and can then be restored.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503

Fixes: 430a67f9d616 ("block, bfq: merge bursts of newly-created queues")
Tested-by: Grzegorz Kowal <custos.mentis@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Link: https://lore.kernel.org/r/20211015144336.45894-2-paolo.valente@linaro.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent a204176
File | Mode | Size |
---|---|---|
acrn | ||
auxdisplay | ||
binderfs | ||
bpf | ||
configfs | ||
connector | ||
ftrace | ||
hidraw | ||
hw_breakpoint | ||
kdb | ||
kfifo | ||
kmemleak | ||
kobject | ||
kprobes | ||
landlock | ||
livepatch | ||
mei | ||
nitro_enclaves | ||
pidfd | ||
pktgen | ||
qmi | ||
rpmsg | ||
seccomp | ||
timers | ||
trace_events | ||
trace_printk | ||
uhid | ||
v4l | ||
vfio-mdev | ||
vfs | ||
watch_queue | ||
watchdog | ||
Kconfig | -rw-r--r-- | 6.9 KB |
Makefile | -rw-r--r-- | 1.3 KB |