| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <syxzk4eauh3zzs37y6eirzlblp5lin6wyrpanw2mleliyj6cnr@2y3a7hrnet2o> Date: Thu, 9 Jan 2025 09:50:51 +0100 From: Jan Kara <jack@...e.cz> To: Yu Kuai <yukuai1@...weicloud.com> Cc: Jan Kara <jack@...e.cz>, axboe@...nel.dk, linux-block@...r.kernel.org, linux-kernel@...r.kernel.org, yi.zhang@...wei.com, yangerkun@...wei.com, "yukuai (C)" <yukuai3@...wei.com> Subject: Re: [PATCH] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() On Thu 09-01-25 09:32:08, Yu Kuai wrote: > Hi, > > 在 2025/01/08 22:42, Jan Kara 写道: > > > > > > > */ > > > if (bfqq_process_refs(waker_bfqq) == 1) > > > return NULL; > > > - break; > > > + > > > + return waker_bfqq; > > > > So how do you know bfqq_process_refs(waker_bfqq) is not 0 in this case? > > Because in this case, waker_bfqq is in the merge chain of bfqq, and bfqq > is obtained frm the current process, which means waker_bfqq should have > at least one process reference that is from current thread. Ah, right. Thanks for explanation. The except for the typo the patch looks good to me. Feel free to add: Reviewed-by: Jan Kara <jack@...e.cz> (although I can see Jens has already picked up the patch so probably this is immaterial). Honza -- Jan Kara <jack@...e.com> SUSE Labs, CR
Powered by blists - more mailing lists