    block: Fix use-after-free issue accessing struct io_cq · 510b4e06
    Sahitya Tummala authored
    [ Upstream commit 30a2da7b ]
    
    There is a potential race between ioc_release_fn() and
    ioc_clear_queue() as shown below, due to which the kernel
    crash below is observed. It can also result in a use-after-free
    issue.
    
    context#1:				context#2:
    ioc_release_fn()			__ioc_clear_queue() gets the same icq
    ->spin_lock(&ioc->lock);		->spin_lock(&ioc->lock);
    ->ioc_destroy_icq(icq);
      ->list_del_init(&icq->q_node);
      ->call_rcu(&icq->__rcu_head,
      	icq_free_icq_rcu);
    ->spin_unlock(&ioc->lock);
    					->ioc_destroy_icq(icq);
    					  ->hlist_del_init(&icq->ioc_node);
    					  This results in the crash below, as this memory
    					  is now used by icq->__rcu_head in context#1.
    					  There is a chance that icq could be freed
    					  as well.
    
    22150.386550:   <6> Unable to handle kernel write to read-only memory
    at virtual address ffffffaa8d31ca50
    ...
    Call trace:
    22150.607350:   <2>  ioc_destroy_icq+0x44/0x110
    22150.611202:   <2>  ioc_clear_queue+0xac...
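The interleaving from the commit message, replayed as an added C example that is not part of the patch or of block/blk-ioc.c. It models only the piece that matters: in struct io_cq the hlist node ioc_node and the RCU head __rcu_head share a union, so after context#1's call_rcu() has filled __rcu_head, context#2's hlist_del_init() reads the callback address as pprev and stores through it, which is the write to read-only memory in the trace above; the second call_rcu() on the same head is the double free behind the use-after-free. The list, call_rcu() and page-fault stand-ins, the icq_store arena and the ICQ_DESTROYED guard flag are this example's own assumptions; the page shows the commit message but not the diff, so the flag is one plausible remedy tested under the same lock, not a claim about the exact upstream change.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace model, not kernel code: the list, RCU and io_cq
 * stand-ins below are re-implemented in a few lines each. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
struct rcu_head   { struct rcu_head *next; void (*func)(struct rcu_head *); };

/* The hazard: ioc_node and __rcu_head share storage, as in the kernel's
 * struct io_cq. Once call_rcu() has filled __rcu_head, ioc_node.pprev
 * is the address of the callback function, i.e. read-only text. */
struct io_cq {
    union {
        struct hlist_node ioc_node;
        struct rcu_head   __rcu_head;
    };
    unsigned int flags;
};
#define ICQ_DESTROYED (1u << 0)   /* assumed flag name for this model */

static struct hlist_head ioc_list;     /* an io_context's icq hlist */
static struct io_cq      icq_store[1]; /* the only writable "kernel data" */
static struct rcu_head  *rcu_pending;  /* stand-in for the RCU callback queue */
static int fault_count, rcu_queued;

/* Stand-in for the MMU: a link store anywhere but the data above (e.g. into
 * the body of icq_free_icq_rcu) is the "write to read-only memory" oops. */
static int writable(void *p)
{
    uintptr_t a = (uintptr_t)p, d = (uintptr_t)&ioc_list, s = (uintptr_t)icq_store;
    return (a >= d && a < d + sizeof ioc_list) || (a >= s && a < s + sizeof icq_store);
}

static void store_link(struct hlist_node **slot, struct hlist_node *v)
{
    if (!writable(slot)) { fault_count++; return; }   /* would have oopsed */
    *slot = v;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    n->pprev = &h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
}

/* Same shape as the kernel's hlist_del_init(): no-op if unhashed, else
 * *pprev = next, fix up next->pprev, then re-initialise the node. */
static void hlist_del_init(struct hlist_node *n)
{
    if (!n->pprev) return;
    store_link(n->pprev, n->next);
    if (n->next) n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;
}

static void icq_free_icq_rcu(struct rcu_head *h) { (void)h; }

static void call_rcu(struct rcu_head *h, void (*f)(struct rcu_head *))
{
    h->func = f;
    h->next = rcu_pending;
    rcu_pending = h;
    rcu_queued++;
}

/* Both callers already hold ioc->lock in the kernel, so testing and setting
 * the flag here is race-free; 'guarded' selects the before/after behaviour. */
static void ioc_destroy_icq(struct io_cq *icq, int guarded)
{
    if (guarded && (icq->flags & ICQ_DESTROYED))
        return;                      /* already torn down by the other context */
    icq->flags |= ICQ_DESTROYED;
    hlist_del_init(&icq->ioc_node);  /* on a 2nd call this walks the rcu_head */
    call_rcu(&icq->__rcu_head, icq_free_icq_rcu);
}

struct outcome { int faults; int rcu_queued; };

/* Replays the interleaving from the commit message: context#2 has already
 * looked icq up when context#1 destroys it under ioc->lock; context#2 then
 * takes the lock and destroys the same icq a second time. */
static struct outcome replay(int guarded)
{
    struct io_cq *icq = &icq_store[0], *stale;
    struct outcome o;

    ioc_list.first = NULL; rcu_pending = NULL; fault_count = rcu_queued = 0;
    icq->flags = 0; icq->ioc_node.next = NULL; icq->ioc_node.pprev = NULL;
    hlist_add_head(&icq->ioc_node, &ioc_list);

    stale = icq;                     /* context#2's pointer from icq_list */
    ioc_destroy_icq(icq, guarded);   /* context#1: ioc_release_fn() */
    ioc_destroy_icq(stale, guarded); /* context#2: __ioc_clear_queue() */
    o.faults = fault_count; o.rcu_queued = rcu_queued;
    return o;
}
```

replay(0) reports one faulting store (the write through the function address that the real kernel cannot survive) and the same rcu_head queued twice, so the free callback would run twice; replay(1) reports no fault and a single queued callback. The guard only holds because, as in the commit message's diagram, both paths test and set the flag while holding ioc->lock.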