git.baikalelectronics.ru Git - kernel.git/commit

author	Paolo Valente <paolo.valente@linaro.org>
	Fri, 15 Oct 2021 14:43:36 +0000 (16:43 +0200)
committer	Jens Axboe <axboe@kernel.dk>
	Sun, 17 Oct 2021 13:03:02 +0000 (07:03 -0600)
commit	4d534d8403185deaac4560ff8c32653d714b8536
tree	e2521992d6dc6c00eec13749946d4ccdf5d00abc	tree \| snapshot
parent	20b74d2add87469aa1b9427ba5499349faa54898	commit \| diff

block, bfq: reset last_bfqq_created on group change

Since commit 02d44fdaf5f6 ("block, bfq: merge bursts of newly-created
queues"), BFQ maintains a per-group pointer to the last bfq_queue
created. If such a queue, say bfqq, happens to move to a different
group, then bfqq is no more a valid last bfq_queue created for its
previous group. That pointer must then be cleared. Not resetting such
a pointer may also cause UAF, if bfqq happens to also be freed after
being moved to a different group. This commit performs this missing
reset. As such it fixes commit 02d44fdaf5f6 ("block, bfq: merge bursts
of newly-created queues").

Such a missing reset is most likely the cause of the crash reported in [1].
With some analysis, we found that this crash was due to the
above UAF. And such UAF did go away with this commit applied [1].

Anyway, before this commit, that crash happened to be triggered in
conjunction with commit 25e159ba6dbe ("block, bfq: honor already-setup
queue merges"). The latter was then reverted by commit b4e099ae1b63
("Revert "block, bfq: honor already-setup queue merges""). Yet commit
25e159ba6dbe ("block, bfq: honor already-setup queue merges") contains
no error related with the above UAF, and can then be restored.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503

Fixes: 02d44fdaf5f6 ("block, bfq: merge bursts of newly-created queues")
Tested-by: Grzegorz Kowal <custos.mentis@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Link: https://lore.kernel.org/r/20211015144336.45894-2-paolo.valente@linaro.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>