Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp605005rwb; Fri, 13 Jan 2023 01:44:28 -0800 (PST) X-Google-Smtp-Source: AMrXdXuZnXmTCIoEmmXA708E6qmL9mN6eGQsfXpGbR9PiG2ovjNFOEDL0BxpHRuA3wDZIE1/Kj+W X-Received: by 2002:a17:907:8dcc:b0:84d:21b2:735a with SMTP id tg12-20020a1709078dcc00b0084d21b2735amr23502835ejc.54.1673603068712; Fri, 13 Jan 2023 01:44:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673603068; cv=none; d=google.com; s=arc-20160816; b=uGmMl3MV5l8CXhmkzhDl3WKf9Z3WEt5GVgRKgxBQGGQSK/90LKLNciLc+HoyvLn8j8 yFjmR3WLQjiY6xGmsobkBY2IjFLXZt51Gr0+6JjPBdsdni6KBkXxWGgEamZU02dh3sDg s3afy+c+Ag3MzrhQgXYuxFFqyi5j9K/AcaRMPOG2uJKIcmnF9Qr8U5TqAvYJTlaanrkn A1Q7p3X7shShkqW4Q04tpegniqbOtcYrFZZ2n4gLn3nAl5jeSQLmHA76EbIBhSe9YA6e i9hyzEjkb2G2l9BnBXxw3R2qEDZrdzcqOrKd5mOf1uFTxYLVAyLjJAGr9FUKFmkKhKa8 Nw0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=YlkAPfUn7fD5DChGiRjEAntnbgOmeZJg2pX0dEknSn4=; b=xb05KCzGDtfbZF4m3+T/TkhBg9XPaU9FjD66kLYRRoWkreBJcFMA+pjYKoHlvItk+Z 0yBLEjxM1FQXocT2hW6c5emQJY5heMwBBUpx3boq86LZGqWAy69ck4f7Lgt8gXYEzPTc irsQuT+iTnYKoDxJHXJgbF44ACldma5NpxkYqJF1JRXm8tGhnxko+msGluCQ4KEs/oP6 2M2YOF32X920gNicpQBaUwsCrfAbo6zZmpK0mkecz9Rcx6nycTzJsNPi6FnHzsqC/lTk pWzR3iBhU8AsWSSsf84arQrVLILLRg5P8aghn3M4ed7CGNp7Zy/psL50OQptmMshd1tK JWtA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s19-20020a170906455300b007c10ac8f9afsi16057227ejq.807.2023.01.13.01.44.16; Fri, 13 Jan 2023 01:44:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241126AbjAMJ1A (ORCPT + 51 others); Fri, 13 Jan 2023 04:27:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240903AbjAMJZ6 (ORCPT ); Fri, 13 Jan 2023 04:25:58 -0500 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39A3213DD0; Fri, 13 Jan 2023 01:19:50 -0800 (PST) Received: from kwepemm600009.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NtbNL2NLGzqVHW; Fri, 13 Jan 2023 17:14:58 +0800 (CST) Received: from huawei.com (10.175.127.227) by kwepemm600009.china.huawei.com (7.193.23.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Fri, 13 Jan 2023 17:19:46 +0800 From: Yu Kuai To: , , , , , , CC: , , , , , Subject: [PATCH] block, bfq: fix uaf for bfqq in bic_set_bfqq() Date: Fri, 13 Jan 2023 17:44:10 +0800 Message-ID: <20230113094410.2907223-1-yukuai3@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600009.china.huawei.com (7.193.23.164) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), bic->bfqq will be accessed in bic_set_bfqq(), however, in some context bic->bfqq will be freed first, and bic_set_bfqq() is called with the freed bic->bfqq. Fix the problem by always freeing bfqq after bic_set_bfqq(). Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") Reported-and-tested-by: Shinichiro Kawasaki Signed-off-by: Yu Kuai --- block/bfq-cgroup.c | 2 +- block/bfq-iosched.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c index a6e8da5f5cfd..feb13ac25557 100644 --- a/block/bfq-cgroup.c +++ b/block/bfq-cgroup.c @@ -749,8 +749,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd, * old cgroup. */ bfq_put_cooperator(sync_bfqq); - bfq_release_process_ref(bfqd, sync_bfqq); bic_set_bfqq(bic, NULL, true, act_idx); + bfq_release_process_ref(bfqd, sync_bfqq); } } diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 815b884d6c5a..2ddf831221c4 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -5581,9 +5581,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio) bfqq = bic_to_bfqq(bic, false, bfq_actuator_index(bfqd, bio)); if (bfqq) { - bfq_release_process_ref(bfqd, bfqq); + struct bfq_queue *old_bfqq = bfqq; + bfqq = bfq_get_queue(bfqd, bio, false, bic, true); bic_set_bfqq(bic, bfqq, false, bfq_actuator_index(bfqd, bio)); + bfq_release_process_ref(bfqd, old_bfqq); } bfqq = bic_to_bfqq(bic, true, bfq_actuator_index(bfqd, bio)); -- 2.31.1