
Commit ac84e82

committed
Merge tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block
Pull block fix from Jens Axboe: "Just a small UAF fix for blktrace" * tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block: blktrace: fix use after free for struct blk_trace
2 parents 07ebd38 + 3093929 commit ac84e82


1 file changed

+18
-8
lines changed


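--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -310,10 +310,20 @@ static void __blk_add_trace(struct blk_trace *bt, sector_t sector, int bytes,
 local_irq_restore(flags);
 }
 
-static void blk_trace_free(struct blk_trace *bt)
+static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
 {
 relay_close(bt->rchan);
-debugfs_remove(bt->dir);
+
+/*
+* If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+* under 'q->debugfs_dir', thus lookup and remove them.
+*/
+if (!bt->dir) {
+debugfs_remove(debugfs_lookup("dropped", q->debugfs_dir));
+debugfs_remove(debugfs_lookup("msg", q->debugfs_dir));
+} else {
+debugfs_remove(bt->dir);
+}
 free_percpu(bt->sequence);
 free_percpu(bt->msg_data);
 kfree(bt);
@@ -335,10 +345,10 @@ static void put_probe_ref(void)
 mutex_unlock(&blk_probe_mutex);
 }
 
-static void blk_trace_cleanup(struct blk_trace *bt)
+static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
 {
 synchronize_rcu();
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 put_probe_ref();
 }
 
@@ -352,7 +362,7 @@ static int __blk_trace_remove(struct request_queue *q)
 return -EINVAL;
 
 if (bt->trace_state != Blktrace_running)
-blk_trace_cleanup(bt);
+blk_trace_cleanup(q, bt);
 
 return 0;
 }
@@ -572,7 +582,7 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
 ret = 0;
 err:
 if (ret)
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return ret;
 }
 
@@ -1616,7 +1626,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
 
 put_probe_ref();
 synchronize_rcu();
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return 0;
 }
 
@@ -1647,7 +1657,7 @@ static int blk_trace_setup_queue(struct request_queue *q,
 return 0;
 
 free_bt:
-blk_trace_free(bt);
+blk_trace_free(q, bt);
 return ret;
 }
 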