| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Y4fAJpKcVL7Q9hgY@slm.duckdns.org>
Date: Wed, 30 Nov 2022 10:42:14 -1000
From: Tejun Heo <tj@...nel.org>
To: Li Nan <linan122@...wei.com>
Cc: josef@...icpanda.com, axboe@...nel.dk, cgroups@...r.kernel.org,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
yukuai3@...wei.com, yi.zhang@...wei.com
Subject: Re: [PATCH -next v2 7/9] blk-iocost: fix UAF in ioc_pd_free
On Wed, Nov 30, 2022 at 09:21:54PM +0800, Li Nan wrote:
> T1 T2 T3
> //delete device
> del_gendisk
> bdi_unregister
> bdi_remove_from_list
> synchronize_rcu_expedited
>
> //rmdir cgroup
> blkcg_destroy_blkgs
> blkg_destroy
> percpu_ref_kill
> blkg_release
> call_rcu
> rq_qos_exit
> ioc_rqos_exit
> kfree(ioc)
> __blkg_release
> blkg_free
> blkg_free_workfn
> pd_free_fn
> ioc_pd_free
> spin_lock_irqsave
> ->ioc is freed
>
> Fix the problem by moving the operation on ioc in ioc_pd_free() to
> ioc_pd_offline(), and just free resource in ioc_pd_free() like iolatency
> and throttle.
>
> Signed-off-by: Li Nan <linan122@...wei.com>
I wonder what we really wanna do is pinning ioc while blkgs are still around
but I think this should work too.
Acked-by: Tejun Heo <tj@...nel.org>
Thanks.
--
tejun
Powered by blists - more mailing lists