diff options
author | Paolo Valente <[email protected]> | 2021-10-15 16:43:36 +0200 |
---|---|---|
committer | Jens Axboe <[email protected]> | 2021-10-17 07:03:02 -0600 |
commit | d29bd41428cfff9b582c248db14a47e2be8457a8 (patch) | |
tree | e2521992d6dc6c00eec13749946d4ccdf5d00abc /drivers/fpga/ts73xx-fpga.c | |
parent | a20417611b98e12a724e5c828c472ea16990b71f (diff) |
block, bfq: reset last_bfqq_created on group change
Since commit 430a67f9d616 ("block, bfq: merge bursts of newly-created
queues"), BFQ maintains a per-group pointer to the last bfq_queue
created. If such a queue, say bfqq, happens to move to a different
group, then bfqq is no more a valid last bfq_queue created for its
previous group. That pointer must then be cleared. Not resetting such
a pointer may also cause UAF, if bfqq happens to also be freed after
being moved to a different group. This commit performs this missing
reset. As such it fixes commit 430a67f9d616 ("block, bfq: merge bursts
of newly-created queues").
Such a missing reset is most likely the cause of the crash reported in [1].
With some analysis, we found that this crash was due to the
above UAF. And such UAF did go away with this commit applied [1].
Anyway, before this commit, that crash happened to be triggered in
conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup
queue merges"). The latter was then reverted by commit ebc69e897e17
("Revert "block, bfq: honor already-setup queue merges""). Yet commit
2d52c58b9c9b ("block, bfq: honor already-setup queue merges") contains
no error related with the above UAF, and can then be restored.
[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503
Fixes: 430a67f9d616 ("block, bfq: merge bursts of newly-created queues")
Tested-by: Grzegorz Kowal <[email protected]>
Signed-off-by: Paolo Valente <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
Diffstat (limited to 'drivers/fpga/ts73xx-fpga.c')
0 files changed, 0 insertions, 0 deletions