From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Paolo Valente <paolo.valente@linaro.org>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 64/79] block, bfq: fix use after free in bfq_bfqq_expire
Date: Fri, 26 Apr 2019 21:38:23 -0400 [thread overview]
Message-ID: <20190427013838.6596-64-sashal@kernel.org> (raw)
In-Reply-To: <20190427013838.6596-1-sashal@kernel.org>
From: Paolo Valente <paolo.valente@linaro.org>
[ Upstream commit eed47d19d9362bdd958e4ab56af480b9dbf6b2b6 ]
The function bfq_bfqq_expire() invokes the function
__bfq_bfqq_expire(), and the latter may free the in-service bfq-queue.
If this happens, then no other instruction of bfq_bfqq_expire() must
be executed, or a use-after-free will occur.
Basing on the assumption that __bfq_bfqq_expire() invokes
bfq_put_queue() on the in-service bfq-queue exactly once, the queue is
assumed to be freed if its refcounter is equal to one right before
invoking __bfq_bfqq_expire().
But, since commit 9dee8b3b057e ("block, bfq: fix queue removal from
weights tree") this assumption is false. __bfq_bfqq_expire() may also
invoke bfq_weights_tree_remove() and, since commit 9dee8b3b057e
("block, bfq: fix queue removal from weights tree"), also
the latter function may invoke bfq_put_queue(). So __bfq_bfqq_expire()
may invoke bfq_put_queue() twice, and this is the actual case where
the in-service queue may happen to be freed.
To address this issue, this commit moves the check on the refcounter
of the queue right around the last bfq_put_queue() that may be invoked
on the queue.
Fixes: 9dee8b3b057e ("block, bfq: fix queue removal from weights tree")
Reported-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
Reported-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
Tested-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bfq-iosched.c | 15 +++++++--------
block/bfq-iosched.h | 2 +-
block/bfq-wf2q.c | 17 +++++++++++++++--
3 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index e5ed28629271..72510c470001 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -2804,7 +2804,7 @@ static void bfq_dispatch_remove(struct request_queue *q, struct request *rq)
bfq_remove_request(q, rq);
}
-static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+static bool __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
{
/*
* If this bfqq is shared between multiple processes, check
@@ -2837,9 +2837,11 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
/*
* All in-service entities must have been properly deactivated
* or requeued before executing the next function, which
- * resets all in-service entites as no more in service.
+ * resets all in-service entities as no more in service. This
+ * may cause bfqq to be freed. If this happens, the next
+ * function returns true.
*/
- __bfq_bfqd_reset_in_service(bfqd);
+ return __bfq_bfqd_reset_in_service(bfqd);
}
/**
@@ -3244,7 +3246,6 @@ void bfq_bfqq_expire(struct bfq_data *bfqd,
bool slow;
unsigned long delta = 0;
struct bfq_entity *entity = &bfqq->entity;
- int ref;
/*
* Check whether the process is slow (see bfq_bfqq_is_slow).
@@ -3313,10 +3314,8 @@ void bfq_bfqq_expire(struct bfq_data *bfqd,
* reason.
*/
__bfq_bfqq_recalc_budget(bfqd, bfqq, reason);
- ref = bfqq->ref;
- __bfq_bfqq_expire(bfqd, bfqq);
-
- if (ref == 1) /* bfqq is gone, no more actions on it */
+ if (__bfq_bfqq_expire(bfqd, bfqq))
+ /* bfqq is gone, no more actions on it */
return;
bfqq->injected_service = 0;
diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h
index 746bd570b85a..ca98c98a8179 100644
--- a/block/bfq-iosched.h
+++ b/block/bfq-iosched.h
@@ -993,7 +993,7 @@ bool __bfq_deactivate_entity(struct bfq_entity *entity,
bool ins_into_idle_tree);
bool next_queue_may_preempt(struct bfq_data *bfqd);
struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd);
-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd);
+bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd);
void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq,
bool ins_into_idle_tree, bool expiration);
void bfq_activate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq);
diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c
index 4aab1a8191f0..8077bf71d2ac 100644
--- a/block/bfq-wf2q.c
+++ b/block/bfq-wf2q.c
@@ -1599,7 +1599,8 @@ struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd)
return bfqq;
}
-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
+/* returns true if the in-service queue gets freed */
+bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
{
struct bfq_queue *in_serv_bfqq = bfqd->in_service_queue;
struct bfq_entity *in_serv_entity = &in_serv_bfqq->entity;
@@ -1623,8 +1624,20 @@ void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
* service tree either, then release the service reference to
* the queue it represents (taken with bfq_get_entity).
*/
- if (!in_serv_entity->on_st)
+ if (!in_serv_entity->on_st) {
+ /*
+ * If no process is referencing in_serv_bfqq any
+ * longer, then the service reference may be the only
+ * reference to the queue. If this is the case, then
+ * bfqq gets freed here.
+ */
+ int ref = in_serv_bfqq->ref;
bfq_put_queue(in_serv_bfqq);
+ if (ref == 1)
+ return true;
+ }
+
+ return false;
}
void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq,
--
2.19.1
next prev parent reply other threads:[~2019-04-27 1:40 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-27 1:37 [PATCH AUTOSEL 5.0 01/79] ASoC: tlv320aic3x: fix reset gpio reference counting Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 02/79] ASoC: hdmi-codec: fix S/PDIF DAI Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 03/79] ASoC: ab8500: Mark expected switch fall-through Sasha Levin
2019-04-27 17:14 ` Mark Brown
2019-04-27 17:31 ` Gustavo A. R. Silva
2019-04-27 18:00 ` Mark Brown
2019-04-28 1:06 ` Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 04/79] ASoC: stm32: sai: fix iec958 controls indexation Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 05/79] ASoC: stm32: sai: fix exposed capabilities in spdif mode Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 06/79] ASoC: stm32: sai: fix race condition in irq handler Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 07/79] ASoC:soc-pcm:fix a codec fixup issue in TDM case Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 08/79] ASoC:hdac_hda:use correct format to setup hda codec Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 09/79] ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 10/79] ASoC: dpcm: prevent snd_soc_dpcm use after free Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 11/79] ASoC: nau8824: fix the issue of the widget with prefix name Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 12/79] ASoC: nau8810: fix the issue of widget with prefixed name Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 13/79] ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 14/79] ASoC: rt5682: Check JD status when system resume Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 15/79] ASoC: rt5682: fix jack type detection issue Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 16/79] ASoC: rt5682: recording has no sound after booting Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 17/79] ASoC: wm_adsp: Add locking to wm_adsp2_bus_error Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 18/79] clk: meson-gxbb: round the vdec dividers to closest Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 19/79] ASoC: stm32: dfsdm: manage multiple prepare Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 20/79] ASoC: stm32: dfsdm: fix debugfs warnings on entry creation Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 21/79] ASoC: cs4270: Set auto-increment bit for register writes Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 22/79] ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 23/79] drm/omap: hdmi4_cec: Fix CEC clock handling for PM Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 24/79] IB/hfi1: Clear the IOWAIT pending bits when QP is put into error state Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 25/79] IB/hfi1: Eliminate opcode tests on mr deref Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 26/79] IB/hfi1: Fix the allocation of RSM table Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 27/79] MIPS: KGDB: fix kgdb support for SMP platforms Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 28/79] ASoC: tlv320aic32x4: Fix Common Pins Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 29/79] drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata() Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 30/79] ASoC: dpcm: skip missing substream while applying symmetry Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 31/79] perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 32/79] perf/x86/intel: Initialize TFA MSR Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 33/79] linux/kernel.h: Use parentheses around argument in u64_to_user_ptr() Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 34/79] ALSA: hda/realtek - Move to ACT_INIT state Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 35/79] iov_iter: Fix build error without CONFIG_CRYPTO Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 36/79] xtensa: fix initialization of pt_regs::syscall in start_thread Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 37/79] ASoC: rockchip: pdm: fix regmap_ops hang issue Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 38/79] drm/amdkfd: Add picasso pci id Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 39/79] drm/amdgpu: Adjust IB test timeout for XGMI configuration Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 40/79] drm/amdgpu: amdgpu_device_recover_vram always failed if only one node in shadow_list Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 41/79] drm/amd/display: fix cursor black issue Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 42/79] ASoC: cs35l35: Disable regulators on driver removal Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 43/79] objtool: Add rewind_stack_do_exit() to the noreturn list Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 44/79] powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 45/79] slab: fix a crash by reading /proc/slab_allocators Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 46/79] ASoC: stm32: fix sai driver name initialisation Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 47/79] drm/sun4i: tcon top: Fix NULL/invalid pointer dereference in sun8i_tcon_top_un/bind Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 48/79] virtio_pci: fix a NULL pointer reference in vp_del_vqs Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 49/79] RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 50/79] RDMA/hns: Fix bug that caused srq creation to fail Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 51/79] tpm: fix an invalid condition in tpm_common_poll Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 52/79] KEYS: trusted: fix -Wvarags warning Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 53/79] scsi: csiostor: fix missing data copy in csio_scsi_err_handler() Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 54/79] drm/mediatek: fix possible object reference leak Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 55/79] drm/mediatek: fix the rate and divder of hdmi phy for MT2701 Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 56/79] drm/mediatek: make implementation of recalc_rate() for MT2701 hdmi phy Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 57/79] drm/mediatek: remove flag CLK_SET_RATE_PARENT " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 58/79] drm/mediatek: using new factor for tvdpll " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 59/79] drm/mediatek: no change parent rate in round_rate() " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 60/79] Bluetooth: btusb: request wake pin with NOAUTOEN Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 61/79] ASoC: Intel: kbl: fix wrong number of channels Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 62/79] ASoC: stm32: sai: fix master clock management Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 63/79] ALSA: hda: Fix racy display power access Sasha Levin
2019-04-27 1:38 ` Sasha Levin [this message]
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 65/79] virtio-blk: limit number of hw queues by nr_cpu_ids Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 66/79] blk-mq: introduce blk_mq_complete_request_sync() Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 67/79] nvme: cancel request synchronously Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 68/79] clk: x86: Add system specific quirk to mark clocks as critical Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 69/79] nvme-fc: correct csn initialization and increments on error Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 70/79] nvmet: fix discover log page when offsets are used Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 71/79] platform/x86: pmc_atom: Drop __initconst on dmi table Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 72/79] NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 73/79] NFSv4.1 fix incorrect return value in copy_file_range Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 74/79] perf/core: Fix perf_event_disable_inatomic() race Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 75/79] iommu/amd: Set exclusion range correctly Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 76/79] mm: make page ref count overflow check tighter and more explicit Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 77/79] mm: add 'try_get_page()' helper function Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 78/79] mm: prevent get_user_pages() from overflowing page refcount Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 79/79] fs: prevent page refcount overflow in pipe_buf_get Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190427013838.6596-64-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paolo.valente@linaro.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox