Commit 7400fa17 authored Mar 25, 2025 by Acs, Jakub Committed by Greg Kroah-Hartman Mar 28, 2025

block, bfq: fix re-introduced UAF in bic_set_bfqq()



Commit eca0025f ("block, bfq: split sync bfq_queues on a
per-actuator basis"), which is a backport of 9778369a ("block,
bfq: split sync bfq_queues on a per-actuator basis") re-introduces UAF
bug originally fixed by b600de2d ("block, bfq: fix uaf for bfqq in
bic_set_bfqq()") and backported to 6.1 in cb1876fc ("block, bfq:
fix uaf for bfqq in bic_set_bfqq()").

bfq_release_process_ref() may release the sync_bfqq variable, which
points to the same bfqq as bic->bfqq member for call context from
__bfq_bic_change_cgroup(). bic_set_bfqq() then accesses bic->bfqq member
which leads to the UAF condition.

Fix this by bringing the incriminated function calls back in correct
order.

Fixes: eca0025f ("block, bfq: split sync bfq_queues on a per-actuator basis")
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Cc: Hagar Hemdan <hagarhem@amazon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 49100c0b

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit a4fc1bef
· Nov 05, 2025

mentioned in commit a4fc1bef

mentioned in commit a4fc1bef05011a82d092806b03e9c113b2c55eaa

Toggle commit list

Please to comment