block, bfq: fix re-introduced UAF in bic_set_bfqq()
Commiteca0025faa("block, bfq: split sync bfq_queues on a per-actuator basis"), which is a backport of 9778369a2d6c5e ("block, bfq: split sync bfq_queues on a per-actuator basis") re-introduces UAF bug originally fixed by b600de2d7d3a16 ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") and backported to 6.1 incb1876fc33("block, bfq: fix uaf for bfqq in bic_set_bfqq()"). bfq_release_process_ref() may release the sync_bfqq variable, which points to the same bfqq as bic->bfqq member for call context from __bfq_bic_change_cgroup(). bic_set_bfqq() then accesses bic->bfqq member which leads to the UAF condition. Fix this by bringing the incriminated function calls back in correct order. Fixes:eca0025faa("block, bfq: split sync bfq_queues on a per-actuator basis") Signed-off-by: Jakub Acs <acsjakub@amazon.de> Cc: Hagar Hemdan <hagarhem@amazon.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Acs, Jakub
Greg Kroah-Hartman
parent
49100c0b07
commit
7400fa1729
@ -739,8 +739,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd,
|
|||||||
* old cgroup.
|
* old cgroup.
|
||||||
*/
|
*/
|
||||||
bfq_put_cooperator(sync_bfqq);
|
bfq_put_cooperator(sync_bfqq);
|
||||||
bfq_release_process_ref(bfqd, sync_bfqq);
|
|
||||||
bic_set_bfqq(bic, NULL, true, act_idx);
|
bic_set_bfqq(bic, NULL, true, act_idx);
|
||||||
|
bfq_release_process_ref(bfqd, sync_bfqq);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user