6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Acs, Jakub" acsjakub@amazon.de
Commit eca0025faa96ac ("block, bfq: split sync bfq_queues on a per-actuator basis"), which is a backport of 9778369a2d6c5e ("block, bfq: split sync bfq_queues on a per-actuator basis") re-introduces UAF bug originally fixed by b600de2d7d3a16 ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") and backported to 6.1 in cb1876fc33af26 ("block, bfq: fix uaf for bfqq in bic_set_bfqq()").
bfq_release_process_ref() may release the sync_bfqq variable, which points to the same bfqq as bic->bfqq member for call context from __bfq_bic_change_cgroup(). bic_set_bfqq() then accesses bic->bfqq member which leads to the UAF condition.
Fix this by bringing the incriminated function calls back in correct order.
Fixes: eca0025faa96ac ("block, bfq: split sync bfq_queues on a per-actuator basis") Signed-off-by: Jakub Acs acsjakub@amazon.de Cc: Hagar Hemdan hagarhem@amazon.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- block/bfq-cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/block/bfq-cgroup.c +++ b/block/bfq-cgroup.c @@ -739,8 +739,8 @@ static void bfq_sync_bfqq_move(struct bf * old cgroup. */ bfq_put_cooperator(sync_bfqq); - bfq_release_process_ref(bfqd, sync_bfqq); bic_set_bfqq(bic, NULL, true, act_idx); + bfq_release_process_ref(bfqd, sync_bfqq); } }