Re: [PATCH V3] block, bfq: fix use-after-free in bfq_idle_slice_timer_body

From: Jens Axboe
Date: Sat Mar 21 2020 - 16:30:03 EST


On 3/19/20 5:18 AM, Zhiqiang Liu wrote:
>
> In the bfq_idle_slice_timer function, bfqq = bfqd->in_service_queue is
> not in the bfqd->lock critical section. The bfqq, which is not NULL in
> bfq_idle_slice_timer, may be freed after being passed to
> bfq_idle_slice_timer_body, so we would access freed memory.
>
> In addition, considering that the bfqq may be in a race, we should
> first check whether bfqq is in service before doing anything with it
> in the bfq_idle_slice_timer_body function. If the bfqq in the race is
> not in service, it means the bfqq has been expired through the
> __bfq_bfqq_expire function, and its wait_request flag has been cleared
> in the __bfq_bfqd_reset_in_service function. So we do not need to
> re-clear the wait_request of a bfqq that is not in service.

Applied, thanks.

--
Jens Axboe
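The interleaving the commit message describes, as an added single-threaded model in C. This is not BFQ code and not part of the patch or the thread: struct sched_data, struct queue, expire_and_free, the lock_depth counter and the in_use flag are all invented for illustration. The "free" is modelled by clearing in_use so that the stale access is detected deterministically instead of being undefined behaviour, and the fixed body applies the check the patch adds (only act on the queue that is still in service).

```c
/* Added example: a single-threaded model of the race described above.
 * All names here are hypothetical; this is not the kernel's BFQ code.
 * A queue that the model has "freed" is kept around with in_use = false
 * so that a use-after-free can be reported instead of dereferencing
 * freed memory. */
#include <stdbool.h>
#include <stdio.h>

struct queue {
    bool in_use;        /* false once the model has "freed" the queue */
    bool wait_request;  /* the flag the timer body wants to clear */
};

struct sched_data {
    int lock_depth;            /* stand-in for the scheduler spinlock */
    struct queue *in_service;  /* stand-in for bfqd->in_service_queue */
};

static void model_lock(struct sched_data *s)   { s->lock_depth++; }
static void model_unlock(struct sched_data *s) { s->lock_depth--; }

/* Model of expiry under the lock: clear wait_request, drop the queue
 * from in_service, then "free" it (stand-in for the real kfree()). */
static void expire_and_free(struct sched_data *s)
{
    model_lock(s);
    struct queue *q = s->in_service;
    if (q) {
        q->wait_request = false;
        s->in_service = NULL;
        q->in_use = false;
    }
    model_unlock(s);
}

/* Body that trusts the pointer it was handed.  Returns 0 if it only
 * touched a live queue, -1 if the queue had already been freed (a real
 * kernel would read freed memory at this point). */
static int timer_body_buggy(struct sched_data *s, struct queue *q)
{
    model_lock(s);
    if (!q->in_use) {
        model_unlock(s);
        return -1;
    }
    q->wait_request = false;
    model_unlock(s);
    return 0;
}

/* Body with the check from the patch: under the lock, act only if the
 * queue is still the in-service queue.  If it was expired meanwhile,
 * its wait_request was already cleared and the queue may be gone. */
static int timer_body_fixed(struct sched_data *s, struct queue *q)
{
    model_lock(s);
    if (q != s->in_service) {
        model_unlock(s);
        return 0;
    }
    q->wait_request = false;
    model_unlock(s);
    return 0;
}

/* The interleaving from the commit message: the timer reads the
 * in-service pointer without the lock, expiry frees the queue before
 * the body runs, then the body runs with the stale pointer. */
static int race(int (*body)(struct sched_data *, struct queue *))
{
    struct queue q = { .in_use = true, .wait_request = true };
    struct sched_data s = { .lock_depth = 0, .in_service = &q };

    struct queue *stale = s.in_service;  /* unlocked read, as in the timer */
    expire_and_free(&s);                 /* concurrent expiry wins the race */
    return stale ? body(&s, stale) : 0;
}

int main(void)
{
    printf("buggy body: %s\n", race(timer_body_buggy) ? "use-after-free" : "ok");
    printf("fixed body: %s\n", race(timer_body_fixed) ? "use-after-free" : "ok");
    return 0;
}
```

The point of the model is the order of operations in the fixed body: take the lock first, then compare the pointer you were handed against the pointer the protected structure currently holds, and bail out on mismatch. Re-reading the pointer inside the lock would be the other way to close the window, but the comparison also covers the case where the timer was handed the pointer by a caller that read it earlier.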