[PATCH OLK-6.6] bfq: Lock when clearing the q->elevator entry
hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8717 -------------------------------- In the error path out_free of bfq_init_queue(), the last reference count of eq->kobj is released, causing eq to be freed. Before the caller blk_mq_init_sched() executes "q->elevator = NULL", another process modifies the blkcgroup interface, such as disabling iocost, which triggers wbt_enable_default() to access the already freed elevator, leading to a UAF issue. Lock when clearing the q->elevator entry to solve this issue. And do cleanup on some repeated nulling processes. Fixes: 671fae5e5129 ("blk-wbt: don't enable throttling if default elevator is bfq") Signed-off-by: Zizhi Wo <wozizhi@huawei.com> --- block/bfq-iosched.c | 3 +++ block/blk-mq-sched.c | 4 ++-- block/blk-wbt.c | 2 ++ block/elevator.c | 1 - 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index a8ebf3962f11..a12f0196dc51 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -7417,6 +7417,9 @@ static int bfq_init_queue(struct request_queue *q, struct elevator_type *e) return 0; out_free: + spin_lock_irq(&q->queue_lock); + q->elevator = NULL; + spin_unlock_irq(&q->queue_lock); kfree(bfqd); kobject_put(&eq->kobj); return -ENOMEM; diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c index 7b48630b63a7..bb166403d311 100644 --- a/block/blk-mq-sched.c +++ b/block/blk-mq-sched.c @@ -499,8 +499,6 @@ int blk_mq_init_sched(struct request_queue *q, struct elevator_type *e) err_free_map_and_rqs: blk_mq_sched_free_rqs(q); blk_mq_sched_tags_teardown(q, flags); - - q->elevator = NULL; return ret; } @@ -550,5 +548,7 @@ void blk_mq_exit_sched(struct request_queue *q, struct elevator_queue *e) if (e->type->ops.exit_sched) e->type->ops.exit_sched(e); blk_mq_sched_tags_teardown(q, flags); + spin_lock_irq(&q->queue_lock); q->elevator = NULL; + spin_unlock_irq(&q->queue_lock); } 
diff --git a/block/blk-wbt.c b/block/blk-wbt.c index 6b81f2c47279..71ca08deb485 100644 --- a/block/blk-wbt.c +++ b/block/blk-wbt.c @@ -732,9 +732,11 @@ void wbt_enable_default(struct gendisk *disk) struct rq_qos *rqos; bool enable = IS_ENABLED(CONFIG_BLK_WBT_MQ); + spin_lock_irq(&q->queue_lock); if (q->elevator && test_bit(ELEVATOR_FLAG_DISABLE_WBT, &q->elevator->flags)) enable = false; + spin_unlock_irq(&q->queue_lock); /* Throttling already enabled? */ rqos = wbt_rq_qos(q); diff --git a/block/elevator.c b/block/elevator.c index ba072d8f660e..e80381765b3c 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -704,7 +704,6 @@ void elevator_disable(struct request_queue *q) elv_unregister_queue(q); elevator_exit(q); blk_queue_flag_clear(QUEUE_FLAG_SQ_SCHED, q); - q->elevator = NULL; q->nr_requests = q->tag_set->queue_depth; blk_add_trace_msg(q, "elv switch: none"); -- 2.39.2
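Review bot: In the out_free path of bfq_init_queue() in block/bfq-iosched.c, the new locked `q->elevator = NULL` has no comment saying which reader it pairs with or why it must come before kobject_put(&eq->kobj). That ordering is the whole fix, so add a short comment stating that the pointer is cleared under q->queue_lock before the last reference is dropped, because wbt_enable_default() dereferences q->elevator under the same lock. The store is also unconditional, so it is worth confirming that q->elevator can only point at eq when this label is reached.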
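Review bot: Dropping `q->elevator = NULL` at err_free_map_and_rqs in blk_mq_init_sched() (block/blk-mq-sched.c, first hunk) leaves the clear to whichever callee failed, and the only error path this patch teaches to do that is bfq's out_free. Any other route to this label needs to be checked to make sure it cannot return with q->elevator still set. If that cannot be guaranteed for every scheduler, keep a clear here and take q->queue_lock around it instead of removing it.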
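Review bot: In blk_mq_exit_sched() (block/blk-mq-sched.c, second hunk) the locked clear still sits after e->type->ops.exit_sched(e) and blk_mq_sched_tags_teardown(), so a concurrent wbt_enable_default() can take the lock and read q->elevator->flags while the scheduler is being torn down. That is safe only if e itself stays allocated until after this function returns. Either move the locked clear ahead of the exit_sched() call or add a comment stating that the caller still holds a reference on e at this point.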
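Review bot: In wbt_enable_default() in block/blk-wbt.c, the new spin_lock_irq()/spin_unlock_irq() pair re-enables interrupts unconditionally on unlock, which is correct only if every caller runs with interrupts enabled and does not already hold q->queue_lock. The callers are not visible in this patch, so please either state that in the commit message, add a lockdep_assert_irqs_enabled() at the top of the function, or use spin_lock_irqsave()/spin_unlock_irqrestore(). Note also that the lock protects the reader only against writers that clear q->elevator under the same lock before freeing it, which this patch does in just two places.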
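Review bot: Removing `q->elevator = NULL` from elevator_disable() in block/elevator.c is correct only if the elevator_exit(q) call just above always reaches the locked clear added to blk_mq_exit_sched(), and that call chain is not shown in the patch or explained in the commit message. Please spell out the dependency in the changelog. Since this removal is cleanup rather than part of the UAF fix, consider splitting it into its own patch so the change carrying the Fixes: tag stays minimal for backporting.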
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21260
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/R4I...