Merge tag 'block-6.13-20250111' of git://git.kernel.dk/linux

Pull block fix from Jens Axboe: "A single fix for a use-after-free in the BFQ IO scheduler" * tag 'block-6.13-20250111' of git://git.kernel.dk/linux: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
mariux64 · Jan 11, 2025 · 05c2d1f · 05c2d1f
2 parents 52a5a22 + fcede1f
commit 05c2d1f
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
@@ -6844,16 +6844,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
 		if (new_bfqq == waker_bfqq) {
 			/*
 			 * If waker_bfqq is in the merge chain, and current
-			 * is the only procress.
+			 * is the only process, waker_bfqq can be freed.
 			 */
 			if (bfqq_process_refs(waker_bfqq) == 1)
 				return NULL;
-			break;
+
+			return waker_bfqq;
 		}
 
 		new_bfqq = new_bfqq->new_bfqq;
 	}
 
+	/*
+	 * If waker_bfqq is not in the merge chain, and it's procress reference
+	 * is 0, waker_bfqq can be freed.
+	 */
+	if (bfqq_process_refs(waker_bfqq) == 0)
+		return NULL;
+
 	return waker_bfqq;
 }