Re: [PATCH -next v2 7/9] blk-iocost: fix UAF in ioc_pd_free

From: Tejun Heo
Date: Wed Nov 30 2022 - 15:42:21 EST


On Wed, Nov 30, 2022 at 09:21:54PM +0800, Li Nan wrote:
> T1                        T2                       T3
> //delete device
> del_gendisk
>  bdi_unregister
>   bdi_remove_from_list
>    synchronize_rcu_expedited
>                           //rmdir cgroup
>                           blkcg_destroy_blkgs
>                            blkg_destroy
>                             percpu_ref_kill
>                                                    blkg_release
>                                                     call_rcu
>  rq_qos_exit
>   ioc_rqos_exit
>    kfree(ioc)
>                                                    __blkg_release
>                                                     blkg_free
>                                                      blkg_free_workfn
>                                                       pd_free_fn
>                                                        ioc_pd_free
>                                                         spin_lock_irqsave
>                                                         ->ioc is freed
>
> Fix the problem by moving the operation on ioc in ioc_pd_free() to
> ioc_pd_offline(), and just free resource in ioc_pd_free() like iolatency
> and throttle.
>
> Signed-off-by: Li Nan <linan122@xxxxxxxxxx>

I wonder what we really wanna do is pinning ioc while blkgs are still around
but I think this should work too.

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun