block-6.13-20250111

-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmeCmKoQHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgphBlD/wJWP8Br7NAxl+UxmIZChHFiHjV+/EBEjlH vl6EGB0jLFjrf6XC3WCbKVdloUzkzqUfl4TnuXH/6rQ6tJx5BHR9GV9orrM+hSfP h9KTLtqr8m7Cwhxqd/DoGOm7ciBL8+OPLpSL8vtfDNa9dtRPglodsxJm7IxXCZpB FEuz1XZG3PmAwCjjFkeNeXRX23LqeOJbCbWreyPKWOxUJpm3x2IgrF2LIhA7mvkB G62CStbI4oXG9r2jkifmr3R2vj9E9ikRhWIlRt2AzGNvjJJeN6T9jxTnITft4+Kr xiCCksmWWYFRoF6J/6HVLQhYeizsu1FGj652eRu9LcfuS6D2lxBpGtX8CzNCoz2B CphPCpggjwhyxI3OWHe731aMZZlm5TpWOZNmNia7ZKBm+Gdg7lqPkCpQHesisdbr y5JdtNmvhFcRvrYxeO+r54AdfmCmP0/KKpr734/E+lc3RU6CXmHmDZyA0msbx+vy KOGiiVqGI6a37xCtES8/lIksq7LD+xX7ozM5qQV7o6Jbg4Sq9QBU2kz0zw/2C2rH UW3eDKSnlQjQUumLafj8AsmJWN4U9iClMT42tC+5ogr9/EjKDPSEmZNCuPjXDAy3 8zfXxQ5ToD+Zmk5EXAt2UCG5KTLgBPAI+1/OLDAZ08mnZ8t9/5eGHfeEKX9DGJ4E 5XrXE1lA3Q== =kvlM -----END PGP SIGNATURE----- Merge tag 'block-6.13-20250111' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "A single fix for a use-after-free in the BFQ IO scheduler" * tag 'block-6.13-20250111' of git://git.kernel.dk/linux: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
2026-05-24 15:12:13 +02:00 · 2025-01-11 11:17:08 -08:00 · 2025-01-11 11:17:08 -08:00 · 05c2d1f272
commit 05c2d1f272
parent 52a5a22d8a fcede1f0a0
1 changed files with 10 additions and 2 deletions
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@ -6844,16 +6844,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
 		if (new_bfqq == waker_bfqq) {
 			/*
 			 * If waker_bfqq is in the merge chain, and current
-			 * is the only procress.
+			 * is the only process, waker_bfqq can be freed.
 			 */
 			if (bfqq_process_refs(waker_bfqq) == 1)
 				return NULL;
-			break;
+
+			return waker_bfqq;
 		}

 		new_bfqq = new_bfqq->new_bfqq;
 	}

+	/*
+	 * If waker_bfqq is not in the merge chain, and it's procress reference
+	 * is 0, waker_bfqq can be freed.
+	 */
+	if (bfqq_process_refs(waker_bfqq) == 0)
+		return NULL;
+
 	return waker_bfqq;
 }