Date: Mon, 26 Dec 2022 12:18:48 +0100
From: Jan Kara
To: Yu Kuai
Cc: paolo.valente@linaro.org, axboe@kernel.dk, jack@suse.cz, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com, yi.zhang@huawei.com
Subject: Re: [PATCH] block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
Message-ID: <20221226111848.oorzy2mecnrignzc@quack3>
References: <20221226030605.1437081-1-yukuai1@huaweicloud.com>
In-Reply-To: <20221226030605.1437081-1-yukuai1@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon 26-12-22 11:06:05, Yu Kuai wrote:
> From: Yu Kuai
>
> Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
> will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
> can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
>
> Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
>
> Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
> Reported-by: Yi Zhang
> Signed-off-by: Yu Kuai

Thanks for the patch! Feel free to add:

Reviewed-by: Jan Kara

								Honza

> ---
>  block/bfq-iosched.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> index 16f43bbc575a..ccf2204477a5 100644
> --- a/block/bfq-iosched.c
> +++ b/block/bfq-iosched.c
> @@ -5317,8 +5317,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) > unsigned long flags; > > spin_lock_irqsave(&bfqd->lock, flags); > - bfq_exit_bfqq(bfqd, bfqq); > bic_set_bfqq(bic, NULL, is_sync); > + bfq_exit_bfqq(bfqd, bfqq); > spin_unlock_irqrestore(&bfqd->lock, flags); > } > } > -- > 2.31.1 > -- Jan Kara SUSE Labs, CR
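Review bot: the swapped calls in the bfq_exit_icq_bfqq() hunk fix the ordering but leave no comment recording why bic_set_bfqq(bic, NULL, is_sync) must now run before bfq_exit_bfqq(bfqd, bfqq); since the constraint exists only because bic_set_bfqq() dereferences the old bic->bfqq (as the commit message explains), a one-line comment above the pair, e.g. `/* bic_set_bfqq() reads bic->bfqq, so it must run before bfqq is freed */`, would stop a later cleanup from silently reintroducing the use-after-free. Any other site that pairs bfq_exit_bfqq() with bic_set_bfqq() deserves the same ordering check, and since both calls sit under bfqd->lock here, the comment should also note that the lock alone does not protect against this ordering mistake.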