lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <89f3fc0e-ea04-4b29-a79e-5d2f2ef7af6a@kernel.dk>
Date: Thu, 9 Jan 2025 06:52:19 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Jan Kara <jack@...e.cz>, Yu Kuai <yukuai1@...weicloud.com>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
 yi.zhang@...wei.com, yangerkun@...wei.com, "yukuai (C)" <yukuai3@...wei.com>
Subject: Re: [PATCH] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

On 1/9/25 1:50 AM, Jan Kara wrote:
> On Thu 09-01-25 09:32:08, Yu Kuai wrote:
>> Hi,
>>
>> On 2025/01/08 22:42, Jan Kara wrote:
>>>
>>>
>>>>   			 */
>>>>   			if (bfqq_process_refs(waker_bfqq) == 1)
>>>>   				return NULL;
>>>> -			break;
>>>> +
>>>> +			return waker_bfqq;
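Review bot: the `return waker_bfqq;` that replaces `break;` hands the caller a queue whose process reference count has only been checked against 1, so the reason it cannot be 0 at this point should be stated at the site rather than left implicit; the comment that closes with `*/` just above the `if (bfqq_process_refs(waker_bfqq) == 1)` check is the natural place to record that waker_bfqq sits in bfqq's merge chain and the current process already holds a reference to it, which is the explanation given later in this thread. With that written down, the `== 1` test reads as "ours is the only remaining reference", and a reader does not have to reconstruct the invariant from the merge logic.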
>>>
>>> So how do you know bfqq_process_refs(waker_bfqq) is not 0 in this case?
>>
>> Because in this case, waker_bfqq is in the merge chain of bfqq, and bfqq
>> is obtained from the current process, which means waker_bfqq should have
>> at least one process reference that is from current thread.
> 
> Ah, right. Thanks for the explanation. Then, except for the typo, the patch looks
> good to me. Feel free to add:
> 
> Reviewed-by: Jan Kara <jack@...e.cz>
> 
> (although I can see Jens has already picked up the patch so probably this
> is immaterial).

Still useful! The patch has a link to this thread, so it's still
connected even if the commit itself isn't updated. Though with the typo
in process, I'm kind of pondering just amending the commit, and then I'll
add your reviewed-by as well. Usually I don't, but I still appreciate
reviews after it's been queued.

-- 
Jens Axboe