Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block

Pull block fix from Jens Axboe:
"Just a small UAF fix for blktrace"

* tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block:
blktrace: fix use after free for struct blk_trace

+18 -8
+18 -8
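--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -310,10 +310,20 @@
 local_irq_restore(flags);
 }
 
-static void blk_trace_free(struct blk_trace *bt)
+static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
 {
 relay_close(bt->rchan);
-debugfs_remove(bt->dir);
+
+/*
+* If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+* under 'q->debugfs_dir', thus lookup and remove them.
+*/
+if (!bt->dir) {
+debugfs_remove(debugfs_lookup("dropped", q->debugfs_dir));
+debugfs_remove(debugfs_lookup("msg", q->debugfs_dir));
+} else {
+debugfs_remove(bt->dir);
+}
 free_percpu(bt->sequence);
 free_percpu(bt->msg_data);
 kfree(bt);
@@ -335,10 +345,10 @@
 mutex_unlock(&blk_probe_mutex);
 }
 
-static void blk_trace_cleanup(struct blk_trace *bt)
+static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
 {
 synchronize_rcu();
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 put_probe_ref();
 }
 
@@ -352,7 +362,7 @@
 return -EINVAL;
 
 if (bt->trace_state != Blktrace_running)
-blk_trace_cleanup(bt);
+blk_trace_cleanup(q, bt);
 
 return 0;
 }
@@ -572,7 +582,7 @@
 ret = 0;
 err:
 if (ret)
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return ret;
 }
 
@@ -1616,7 +1626,7 @@
 
 put_probe_ref();
 synchronize_rcu();
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return 0;
 }
 
@@ -1647,7 +1657,7 @@
 return 0;
 
 free_bt:
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return ret;
 }
 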
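Review bot: The two new `debugfs_remove(debugfs_lookup(...))` calls in the `!bt->dir` branch of `blk_trace_free` appear to leak a dentry reference, because debugfs_lookup() returns its dentry with a reference held that the caller is expected to release with dput(), and debugfs_remove() does not drop it. Keeping the result and releasing it, e.g. `struct dentry *d = debugfs_lookup("dropped", q->debugfs_dir);` `debugfs_remove(d);` `dput(d);` (and the same for "msg"), would avoid pinning a dentry on every trace teardown. The new comment could also say what keeps `q->debugfs_dir` valid at this point, since the hunk does not show the lock or lifetime rule the lookup relies on. The closing brace of blk_trace_free lies outside the hunk.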