    block, bfq: fix use after free in bfq_bfqq_expire · eed47d19
    Paolo Valente authored
    The function bfq_bfqq_expire() invokes the function
    __bfq_bfqq_expire(), and the latter may free the in-service bfq-queue.
    If this happens, then no other instruction of bfq_bfqq_expire() must
    be executed, or a use-after-free will occur.
    
    Based on the assumption that __bfq_bfqq_expire() invokes
    bfq_put_queue() on the in-service bfq-queue exactly once, the queue is
    assumed to be freed if its refcounter is equal to one right before
    invoking __bfq_bfqq_expire().
    
    But, since commit 9dee8b3b ("block, bfq: fix queue removal from
    weights tree") this assumption is false. __bfq_bfqq_expire() may also
    invoke bfq_weights_tree_remove() and, since commit 9dee8b3b
    ("block, bfq: fix queue removal from weights tree"), also
    the latter function may invoke bfq_put_queue(). So __bfq_bfqq_expire()
    may invoke bfq_put_queue() twice, and this is the actual case where
    the in-service queue may happen to be freed.
    
    To address this issue, this commit moves the check on the refcounter
    of the queue right around the last bfq_put_queue() that may be invoked
    on the queue.
    
    Fixes: 9dee8b3b ("block, bfq: fix queue removal from weights tree")
    Reported-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
    Reported-by: Douglas Anderson <dianders@chromium.org>
    Tested-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
    Tested-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
bfq-wf2q.c 52.8 KB
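The refcount assumption the commit message describes, modelled as an added C example (not the kernel's bfq code; the struct, field and function names are hypothetical): the old caller infers "freed" from the count it saw before the call and so misses the two-put case, while the fixed caller acts on the check made around the last put.

```c
#include <stdbool.h>
#include <stdlib.h>

enum { FREED = -1, WOULD_UAF = -2 };   /* results reported to the caller */
/* Toy refcounted queue; hypothetical names, not the kernel's bfq structs. */
struct queue {
    int ref;               /* references held; freed when it reaches zero */
    bool in_weights_tree;  /* the tree holds one of those references */
    int expirations;       /* field the caller updates after expiry */
};

static struct queue *new_queue(int ref, bool in_tree) {
    struct queue *q = calloc(1, sizeof(*q));
    q->ref = ref;
    q->in_weights_tree = in_tree;
    return q;
}

/* Drop one reference; returns true when the queue has just been freed. */
static bool put_queue(struct queue *q) {
    if (--q->ref > 0) return false;
    free(q);
    return true;
}

/* Models __bfq_bfqq_expire(): tree removal may put the queue once, then the
 * expiry puts it again; the check made around that last put is reported. */
static bool expire_inner(struct queue *q) {
    if (q->in_weights_tree) {
        q->in_weights_tree = false;
        if (put_queue(q)) return true;  /* first put: frees only if ref was 1 */
    }
    return put_queue(q);                /* last put */
}

/* Old caller: treats "ref == 1 before the call" as the freed condition. */
static int expire_old(struct queue *q) {
    bool assumed_freed = (q->ref == 1);
    bool freed = expire_inner(q);
    if (freed)                          /* ref 2 + two puts: gone, not expected */
        return assumed_freed ? FREED : WOULD_UAF;
    return ++q->expirations;            /* really alive, safe to touch */
}

/* Fixed caller: acts on the check made around the last put instead. */
static int expire_fixed(struct queue *q) {
    if (expire_inner(q)) return FREED;  /* touch nothing else */
    return ++q->expirations;
}
```

A queue held by the tree with two references is the case the old check gets wrong: it reports WOULD_UAF where the fixed caller reports FREED.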