Merge tag 'block-6.13-20250111' of git://git.kernel.dk/linux

torvalds · torvalds · commit 05c2d1f27282 · 2025-01-11T11:17:08.000-08:00
Pull block fix from Jens Axboe:
 "A single fix for a use-after-free in the BFQ IO scheduler"

* tag 'block-6.13-20250111' of git://git.kernel.dk/linux:
  block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
@@ -6844,16 +6844,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
 		if (new_bfqq == waker_bfqq) {
 			/*
 			 * If waker_bfqq is in the merge chain, and current
-			 * is the only procress.
+			 * is the only process, waker_bfqq can be freed.
 			 */
 			if (bfqq_process_refs(waker_bfqq) == 1)
 				return NULL;
-			break;
+
+			return waker_bfqq;
 		}
 
 		new_bfqq = new_bfqq->new_bfqq;
 	}
 
+	/*
+	 * If waker_bfqq is not in the merge chain, and it's procress reference
+	 * is 0, waker_bfqq can be freed.
+	 */
+	if (bfqq_process_refs(waker_bfqq) == 0)
+		return NULL;
+
 	return waker_bfqq;
 }
 
