| From 88aef946099d3538bb55e796676bbe6587ae9f6c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 7 Sep 2021 20:12:42 +0800 |
| Subject: blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() |
| |
| From: Li Jinlin <lijinlin3@huawei.com> |
| |
| [ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ] |
| |
| The pending timer has been set up in blk_throtl_init(). However, the |
| timer is not deleted in blk_throtl_exit(). This means that the timer |
| handler may still be running after freeing the timer, which would |
| result in a use-after-free. |
| |
| Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit(). |
| |
| Signed-off-by: Li Jinlin <lijinlin3@huawei.com> |
| Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| block/blk-throttle.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/block/blk-throttle.c b/block/blk-throttle.c |
| index 55c49015e533..7c4e7993ba97 100644 |
| --- a/block/blk-throttle.c |
| +++ b/block/blk-throttle.c |
| @@ -2458,6 +2458,7 @@ int blk_throtl_init(struct request_queue *q) |
| void blk_throtl_exit(struct request_queue *q) |
| { |
| BUG_ON(!q->td); |
| + del_timer_sync(&q->td->service_queue.pending_timer); |
| throtl_shutdown_wq(q); |
| blkcg_deactivate_policy(q, &blkcg_policy_throtl); |
| free_percpu(q->td->latency_buckets[READ]); |
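Review bot: The added del_timer_sync() on the line after BUG_ON() carries no comment stating the invariant it depends on: del_timer_sync() only waits for a running handler to finish, it does not stop that handler from re-arming the timer, so the call is correct here only if the request queue is already dead and nothing can schedule another dispatch when blk_throtl_exit() runs. That is presumably guaranteed by the caller, but it is not visible in this hunk, so it is worth recording in place: `/* Queue is dead, so the handler cannot re-arm; stop the pending timer before the dispatch work is cancelled and td is freed. */`. Putting the call ahead of throtl_shutdown_wq() also looks deliberate, since a timer handler still running could otherwise queue dispatch work after the cancel, and that reasoning belongs in the same comment. blk_throtl_exit() continues past the end of the hunk, so the later release of q->td that the timer handler would have touched is not shown here.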
| -- |
| 2.33.0 |
| |