From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Li Jinlin <lijinlin3@huawei.com>, Jens Axboe <axboe@kernel.dk>,
Sasha Levin <sashal@kernel.org>,
tj@kernel.org, cgroups@vger.kernel.org,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 4/5] blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
Date: Thu, 16 Sep 2021 22:34:48 -0400 [thread overview]
Message-ID: <20210917023449.816713-4-sashal@kernel.org> (raw)
In-Reply-To: <20210917023449.816713-1-sashal@kernel.org>
From: Li Jinlin <lijinlin3@huawei.com>
[ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ]
The pending timer has been set up in blk_throtl_init(). However, the
timer is not deleted in blk_throtl_exit(). This means that the timer
handler may still be running after freeing the timer, which would
result in a use-after-free.
Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit().
Signed-off-by: Li Jinlin <lijinlin3@huawei.com>
Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-throttle.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index 18f773e52dfb..bd870f9ae458 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -2414,6 +2414,7 @@ int blk_throtl_init(struct request_queue *q)
void blk_throtl_exit(struct request_queue *q)
{
BUG_ON(!q->td);
+ del_timer_sync(&q->td->service_queue.pending_timer);
throtl_shutdown_wq(q);
blkcg_deactivate_policy(q, &blkcg_policy_throtl);
free_percpu(q->td->latency_buckets[READ]);
--
2.30.2
next prev parent reply other threads:[~2021-09-17 2:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-17 2:34 [PATCH AUTOSEL 5.4 1/5] pwm: img: Don't modify HW state in .remove() callback Sasha Levin
2021-09-17 2:34 ` [PATCH AUTOSEL 5.4 2/5] pwm: rockchip: " Sasha Levin
2021-09-17 2:34 ` Sasha Levin
2021-09-17 2:34 ` Sasha Levin
2021-09-17 2:34 ` [PATCH AUTOSEL 5.4 3/5] pwm: stm32-lp: " Sasha Levin
2021-09-17 2:34 ` Sasha Levin
2021-09-17 2:34 ` Sasha Levin [this message]
2021-09-17 2:34 ` [PATCH AUTOSEL 5.4 5/5] rtc: rx8010: select REGMAP_I2C Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210917023449.816713-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=cgroups@vger.kernel.org \
--cc=lijinlin3@huawei.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.