From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Li Jinlin, Jens Axboe, Sasha Levin
Subject: [PATCH 5.10 59/63] blk-throttle: fix UAF by deleting timer in blk_throtl_exit()
Date: Fri, 24 Sep 2021 14:44:59 +0200
Message-Id: <20210924124336.293789026@linuxfoundation.org>
In-Reply-To: <20210924124334.228235870@linuxfoundation.org>
References: <20210924124334.228235870@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org

From: Li Jinlin

[ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ]

The pending timer has been set up in blk_throtl_init(). However, the
timer is not deleted in blk_throtl_exit(). This means that the timer
handler may still be running after freeing the timer, which would
result in a use-after-free.

Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit().

Signed-off-by: Li Jinlin
Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
---
 block/blk-throttle.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index 63e9d00a0832..c53a254171a2 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -2452,6 +2452,7 @@ int blk_throtl_init(struct request_queue *q)
 void blk_throtl_exit(struct request_queue *q)
 {
 	BUG_ON(!q->td);
+	del_timer_sync(&q->td->service_queue.pending_timer);
 	throtl_shutdown_wq(q);
 	blkcg_deactivate_policy(q, &blkcg_policy_throtl);
 	free_percpu(q->td->latency_buckets[READ]);
-- 
2.33.0
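Review bot: the added del_timer_sync() call in blk_throtl_exit() lacks a comment explaining why it must come before throtl_shutdown_wq(q) and before the teardown that follows; a one-line note such as "/* stop the pending timer before the work and td are torn down */" would keep a later cleanup from reordering it. The choice of del_timer_sync() over del_timer() is the important part here, since the description says the handler may still be running at exit time and only the _sync variant waits for an in-flight handler to finish; the call is placed after BUG_ON(!q->td), so the q->td dereference it adds is covered by the existing check.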