| Message ID | 20200409214530.2413-4-mcgrof@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | blktrace: fix use after free | expand |
On 2020-04-09 14:45, Luis Chamberlain wrote: > Ensure that the reqest_queue ref counts the request_queue ^^^^^^^^^^^^ ^^^^^^^^^^ request_queue? refcounts? > during its full ioctl cycle. This avoids possible races against > removal, given blk_get_queue() also checks to ensure the queue > is not dying. > > This small race is possible if you defer removal of the reqest_queue ^^^^^^^^^^^^ request_queue? > and userspace fires off an ioctl for the device in the meantime. Anyway: Reviewed-by: Bart Van Assche <bvanassche@acm.org>
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index 15086227592f..17e144d15779 100644 --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -701,6 +701,9 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg) if (!q) return -ENXIO; + if (!blk_get_queue(q)) + return -ENXIO; + mutex_lock(&q->blk_trace_mutex); switch (cmd) { @@ -729,6 +732,9 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg) } mutex_unlock(&q->blk_trace_mutex); + + blk_put_queue(q); + return ret; }
Ensure that the reqest_queue ref counts the request_queue during its full ioctl cycle. This avoids possible races against removal, given blk_get_queue() also checks to ensure the queue is not dying. This small race is possible if you defer removal of the reqest_queue and userspace fires off an ioctl for the device in the meantime. Cc: Bart Van Assche <bvanassche@acm.org> Cc: Omar Sandoval <osandov@fb.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Nicolai Stange <nstange@suse.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: yu kuai <yukuai3@huawei.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> --- kernel/trace/blktrace.c | 6 ++++++ 1 file changed, 6 insertions(+)