Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FE61C61D97 for ; Sun, 29 Jan 2023 01:38:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231388AbjA2BiW (ORCPT ); Sat, 28 Jan 2023 20:38:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49026 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230008AbjA2BiS (ORCPT ); Sat, 28 Jan 2023 20:38:18 -0500 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 43D49CA08; Sat, 28 Jan 2023 17:38:16 -0800 (PST) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4P4DTt6vSmz4f3t0s; Sun, 29 Jan 2023 09:38:10 +0800 (CST) Received: from [10.174.176.73] (unknown [10.174.176.73]) by APP3 (Coremail) with SMTP id _Ch0CgCnUyEDztVjX9x2CQ--.33658S3; Sun, 29 Jan 2023 09:38:13 +0800 (CST) Subject: Re: [PATCH] block, bfq: fix uaf for bfqq in bic_set_bfqq() To: jack@suse.cz, tj@kernel.org, josef@toxicpanda.com, axboe@kernel.dk, paolo.valente@linaro.org, shinichiro.kawasaki@wdc.com Cc: cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai1@huaweicloud.com, yi.zhang@huawei.com, yangerkun@huawei.com, "yukuai (C)" References: <20230113094410.2907223-1-yukuai3@huawei.com> From: Yu Kuai Message-ID: <4d3f6183-f9d4-b657-0205-fc240bc24c76@huaweicloud.com> Date: Sun, 29 Jan 2023 09:38:11 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <20230113094410.2907223-1-yukuai3@huawei.com> Content-Type: text/plain; charset=gbk; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID: _Ch0CgCnUyEDztVjX9x2CQ--.33658S3 X-Coremail-Antispam: 1UD129KBjvdXoWrKrW7CFyxAFyxXr1rtFyxZrb_yoW3Zrc_WF sayFZ3Ww1UWF18t3W7t3W3CFWxG3yfXr18XryFyr1fXryUZrWxGa1kW34fXrW5WrZ29as3 Jr1kXw4UKr1rZjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUba8FF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr1j 6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0 I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r 4UM4x0Y48IcVAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02628vn2kI c2xKxwCYjI0SjxkI62AI1cAE67vIY487MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4 AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE 17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMI IF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Wr1j6rW3 Jr1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcS sGvfC2KfnxnUUI43ZEXa7VUbXdbUUUUUU== X-CM-SenderInfo: 51xn3trlr6x35dzhxuhorxvhhfrp/ X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Jens ?? 2023/01/13 17:44, Yu Kuai ะด??: > After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), > bic->bfqq will be accessed in bic_set_bfqq(), however, in some context > bic->bfqq will be freed first, and bic_set_bfqq() is called with the freed > bic->bfqq. > > Fix the problem by always freeing bfqq after bic_set_bfqq(). > Sorry that I send this patch will wrong email, and you might missed this patch. Can you apply this patch? This patch can't be applied directly to lower version due to Paolo's patchset, I'll send lts patch seperately. Thanks, Kuai > Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") > Reported-and-tested-by: Shinichiro Kawasaki > Signed-off-by: Yu Kuai