block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq

YuKuai-huawei · gregkh · commit 7949b0df3dd9 · 2023-01-12T11:58:43.000+01:00
[ Upstream commit 246cf66 ] Commit 64dc8c7 ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq(). Fixes: 64dc8c7 ("block, bfq: fix possible uaf for 'bfqq->bic'") Reported-by: Yi Zhang <yi.zhang@redhat.com> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
@@ -5251,8 +5251,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
 		unsigned long flags;
 
 		spin_lock_irqsave(&bfqd->lock, flags);
-		bfq_exit_bfqq(bfqd, bfqq);
 		bic_set_bfqq(bic, NULL, is_sync);
+		bfq_exit_bfqq(bfqd, bfqq);
 		spin_unlock_irqrestore(&bfqd->lock, flags);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -5251,8 +5251,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)`
`5251`	`5251`	`unsigned long flags;`
`5252`	`5252`
`5253`	`5253`	`spin_lock_irqsave(&bfqd->lock, flags);`
`5254`		`- bfq_exit_bfqq(bfqd, bfqq);`
`5255`	`5254`	`bic_set_bfqq(bic, NULL, is_sync);`
	`5255`	`+ bfq_exit_bfqq(bfqd, bfqq);`
`5256`	`5256`	`spin_unlock_irqrestore(&bfqd->lock, flags);`
`5257`	`5257`	`}`
`5258`	`5258`	`}`