lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230221082905.3389012-1-yukuai1@huaweicloud.com>
Date:   Tue, 21 Feb 2023 16:29:05 +0800
From:   Yu Kuai <yukuai1@...weicloud.com>
To:     jack@...e.cz, axboe@...nel.dk, paolo.valente@...aro.org,
        damien.lemoal@...nsource.wdc.com
Cc:     linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        yukuai3@...wei.com, yukuai1@...weicloud.com, yi.zhang@...wei.com,
        yangerkun@...wei.com
Subject: [PATCH] block, bfq: free 'sync_bfqq' after bic_set_bfqq() in bfq_sync_bfqq_move()

From: Yu Kuai <yukuai3@...wei.com>

As explained in commit b600de2d7d3a ("block, bfq: fix uaf for bfqq in
bic_set_bfqq()"), bfqq should not be freed before bic_set_bfqq().
However, this is broken while merging commit 9778369a2d6c ("block, bfq:
split sync bfq_queues on a per-actuator basis") from branch
for-6.3/block.

Fixes: 9778369a2d6c ("block, bfq: split sync bfq_queues on a per-actuator basis")
Signed-off-by: Yu Kuai <yukuai3@...wei.com>
---
 block/bfq-cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index ea3638e06e04..89ffb3aa992c 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -746,8 +746,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd,
 		 * old cgroup.
 		 */
 		bfq_put_cooperator(sync_bfqq);
-		bfq_release_process_ref(bfqd, sync_bfqq);
 		bic_set_bfqq(bic, NULL, true, act_idx);
+		bfq_release_process_ref(bfqd, sync_bfqq);
 	}
 }
 
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ