diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-01-11 11:17:08 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-01-11 11:17:08 -0800 |
| commit | 05c2d1f2728240f7cd750ea389d4ad87fba0ad03 (patch) | |
| tree | c2164503de812bed7b0e04442515c4d56bbc5695 | |
| parent | 52a5a22d8afe3bd195f7b470c7535c63717f5ff7 (diff) | |
| parent | fcede1f0a043ccefe9bc6ad57f12718e42f63f1d (diff) | |
| download | lwn-05c2d1f2728240f7cd750ea389d4ad87fba0ad03.tar.gz lwn-05c2d1f2728240f7cd750ea389d4ad87fba0ad03.zip | |
Merge tag 'block-6.13-20250111' of git://git.kernel.dk/linux
Pull block fix from Jens Axboe:
"A single fix for a use-after-free in the BFQ IO scheduler"
* tag 'block-6.13-20250111' of git://git.kernel.dk/linux:
block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
| -rw-r--r-- | block/bfq-iosched.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 95dd7b795935..cad16c163611 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -6844,16 +6844,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq) if (new_bfqq == waker_bfqq) { /* * If waker_bfqq is in the merge chain, and current - * is the only procress. + * is the only process, waker_bfqq can be freed. */ if (bfqq_process_refs(waker_bfqq) == 1) return NULL; - break; + + return waker_bfqq; } new_bfqq = new_bfqq->new_bfqq; } + /* + * If waker_bfqq is not in the merge chain, and it's procress reference + * is 0, waker_bfqq can be freed. + */ + if (bfqq_process_refs(waker_bfqq) == 0) + return NULL; + return waker_bfqq; } |