From 599be431332e31a25ebe203155fa18d34781c3d3 Mon Sep 17 00:00:00 2001
From: Arianna Avanzini
Date: Tue, 5 Mar 2013 10:41:49 +0100
Subject: [PATCH] block, bfq: attempt to fix use-after-free which affects SLUB behavior (3.3.0 to 3.8.0)

It may happen that a call to bfq_del_bfqq_busy() puts the last reference taken on a queue and frees it. Subsequent accesses to that same queue would result in a use-after-free. Make sure that a queue that has just been deleted from busy is no more touched.
---
 block/bfq-iosched.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 9378b7d..e9a6514 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -1244,14 +1244,23 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
 	__bfq_bfqd_reset_active(bfqd);
+	/*
+	 * If this bfqq is shared between multiple processes, check
+	 * to make sure that those processes are still issuing I/Os
+	 * within the mean seek distance. If not, it may be time to
+	 * break the queues apart again.
+	 */
+	if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))
+		bfq_mark_bfqq_split_coop(bfqq);
+
 	if (RB_EMPTY_ROOT(&bfqq->sort_list)) {
-		bfq_del_bfqq_busy(bfqd, bfqq, 1);
 		/*
 		 * overloading budget_timeout field to store when
 		 * the queue remains with no backlog, used by
 		 * the weight-raising mechanism
 		 */
 		bfqq->budget_timeout = jiffies ;
+		bfq_del_bfqq_busy(bfqd, bfqq, 1);
 	} else {
 		bfq_activate_bfqq(bfqd, bfqq);
 		/*
@@ -1259,15 +1268,6 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
 		 */
 		bfq_rq_pos_tree_add(bfqd, bfqq);
 	}
-
-	/*
-	 * If this bfqq is shared between multiple processes, check
-	 * to make sure that those processes are still issuing I/Os
-	 * within the mean seek distance. If not, it may be time to
-	 * break the queues apart again.
-	 */
-	if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))
-		bfq_mark_bfqq_split_coop(bfqq);
 }
 /**
-- 
1.8.1.4
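Review bot: The fix now depends on `bfq_del_bfqq_busy(bfqd, bfqq, 1);` being the last statement in the RB_EMPTY_ROOT branch that touches bfqq, but nothing in the hunk records that invariant, so the next edit that appends work after the if/else (exactly where the split_coop check sat before this patch) silently reintroduces the use-after-free. I would pin it with a comment directly above the moved call: `/* May drop the last reference to bfqq and free it: bfqq must not be touched after this call. */`. The split-coop check is also now evaluated before bfq_activate_bfqq()/bfq_rq_pos_tree_add() rather than after them; if either of those reads the split_coop flag, the reordering is a behavioural change beyond the lifetime fix and is worth confirming, though that cannot be seen from this hunk. The body of __bfq_bfqq_expire continues past this hunk; its closing brace is in the second hunk.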