Commit d29bd41

Algodev-github authored and axboe committed
block, bfq: reset last_bfqq_created on group change
Since commit 430a67f ("block, bfq: merge bursts of newly-created queues"), BFQ maintains a per-group pointer to the last bfq_queue created. If such a queue, say bfqq, happens to move to a different group, then bfqq is no longer a valid last bfq_queue created for its previous group. That pointer must then be cleared. Not resetting such a pointer may also cause UAF, if bfqq happens to also be freed after being moved to a different group.

This commit performs this missing reset. As such it fixes commit 430a67f ("block, bfq: merge bursts of newly-created queues").

Such a missing reset is most likely the cause of the crash reported in [1]. With some analysis, we found that this crash was due to the above UAF. And such UAF did go away with this commit applied [1].

Anyway, before this commit, that crash happened to be triggered in conjunction with commit 2d52c58 ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e8 ("Revert "block, bfq: honor already-setup queue merges""). Yet commit 2d52c58 ("block, bfq: honor already-setup queue merges") contains no error related to the above UAF, and can then be restored.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503

Fixes: 430a67f ("block, bfq: merge bursts of newly-created queues")
Tested-by: Grzegorz Kowal <[email protected]>
Signed-off-by: Paolo Valente <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
1 parent a204176 commit d29bd41

File tree

1 file changed

+6
-0
lines changed

block/bfq-cgroup.c

Lines changed: 6 additions & 0 deletions
@@ -666,6 +666,12 @@ void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
666666
bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
667667
bfqg_and_blkg_put(bfqq_group(bfqq));
668668

669+
if (entity->parent &&
670+
entity->parent->last_bfqq_created == bfqq)
671+
entity->parent->last_bfqq_created = NULL;
672+
else if (bfqd->last_bfqq_created == bfqq)
673+
bfqd->last_bfqq_created = NULL;
674+
669675
entity->parent = bfqg->my_entity;
670676
entity->sched_data = &bfqg->sched_data;
671677
/* pin down bfqg and its associated blkg */
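Review bot: the new block at lines 669-674 relies on `entity->parent` still pointing at the group bfqq is leaving, which holds only because the reassignment `entity->parent = bfqg->my_entity;` comes later at line 675; nothing in the hunk records that ordering constraint, so a short comment above the `if` (e.g. `/* bfqq is leaving its old group: clear its last_bfqq_created reference there before entity->parent is switched below */`) would stop a future reorder from silently reintroducing the dangling pointer the commit message describes. It would also help to state why the `else if` is sufficient, that is, why at most one of `entity->parent->last_bfqq_created` and `bfqd->last_bfqq_created` can refer to bfqq at this point, since the visible lines do not show that invariant and a reader could otherwise wonder whether both pointers need checking.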
