linux/block
Fengnan Chang 89e1fb7cef blk-mq: fix potential uaf for 'queue_hw_ctx'
This just applies Kuai's patch in [1] with minor changes.

blk_mq_realloc_hw_ctxs() will free the 'queue_hw_ctx' (e.g. update
submit_queues through configfs for null_blk), while it might still be
used from another context (e.g. switch elevator to none):

t1					t2
elevator_switch
 blk_mq_unquiesce_queue
  blk_mq_run_hw_queues
   queue_for_each_hw_ctx
    // assembly code for hctx = (q)->queue_hw_ctx[i]
    mov    0x48(%rbp),%rdx -> read old queue_hw_ctx

					__blk_mq_update_nr_hw_queues
					 blk_mq_realloc_hw_ctxs
					  hctxs = q->queue_hw_ctx
					  q->queue_hw_ctx = new_hctxs
					  kfree(hctxs)
    movslq %ebx,%rax
    mov    (%rdx,%rax,8),%rdi ->uaf

This problem was found by code review, and I confirmed that the concurrent
scenario does exist (specifically 'q->queue_hw_ctx' can be changed during
blk_mq_run_hw_queues()), however, the uaf problem hasn't been reproduced yet
without hacking the kernel.

Since the queue is frozen in __blk_mq_update_nr_hw_queues(), fix the
problem by protecting 'queue_hw_ctx' through rcu where it can be accessed
without grabbing 'q_usage_counter'.

[1] https://lore.kernel.org/all/20220225072053.2472431-1-yukuai3@huawei.com/

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Fengnan Chang <changfengnan@bytedance.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2025-11-28 09:09:19 -07:00
partitions block: use min() instead of min_t() 2025-11-20 07:44:29 -07:00
badblocks.c badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 2025-03-10 07:41:58 -06:00
bdev.c fs: rename generic_delete_inode() and generic_drop_inode() 2025-09-15 16:09:42 +02:00
bfq-cgroup.c Revert "block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()" 2024-11-19 19:05:32 -07:00
bfq-iosched.c blk-mq: fix elevator depth_updated method 2025-09-05 13:52:52 -06:00
bfq-iosched.h lib/sbitmap: convert shallow_depth from one word to the whole sbitmap 2025-08-07 06:30:17 -06:00
bfq-wf2q.c block, bfq: inject I/O to underutilized actuators 2023-01-29 15:18:33 -07:00
bio-integrity-auto.c block: make bio auto-integrity deadlock safe 2025-11-04 12:41:50 -07:00
bio-integrity.c block: make bio auto-integrity deadlock safe 2025-11-04 12:41:50 -07:00
bio.c block: accumulate memory segment gaps per bio 2025-11-06 18:11:58 -07:00
blk-cgroup-fc-appid.c block: Replace all non-returning strlcpy with strscpy 2023-06-01 09:13:31 -06:00
blk-cgroup-rwstat.c blk-cgroup: use group allocation/free of per-cpu counters API 2024-04-03 09:10:17 -06:00
blk-cgroup-rwstat.h blk-cgroup: rwstat: fix kernel-doc warnings in header file 2025-01-13 07:47:09 -07:00
blk-cgroup.c block: Remove elevator_lock usage from blkg_conf frozen operations 2025-10-15 08:00:19 -06:00
blk-cgroup.h block: initialize bio issue time in blk_mq_submit_bio() 2025-09-10 05:23:45 -06:00
blk-core.c block: fix typos in comments and strings in blk-core 2025-11-25 10:39:49 -07:00
blk-crypto-fallback.c blk-crypto: convert to use bio_submit_split_bioset() 2025-09-10 05:23:46 -06:00
blk-crypto-internal.h blk-crypto: add ioctls to create and prepare hardware-wrapped keys 2025-02-10 09:54:19 -07:00
blk-crypto-profile.c blk-crypto: export wrapped key functions 2025-05-06 19:08:08 +02:00
blk-crypto-sysfs.c blk-crypto: show supported key types in sysfs 2025-02-10 09:54:19 -07:00
blk-crypto.c blk-crypto: add ioctls to create and prepare hardware-wrapped keys 2025-02-10 09:54:19 -07:00
blk-flush.c block: remove unused parameter 2025-03-12 08:25:28 -06:00
blk-ia-ranges.c block: get rid of request queue ->sysfs_dir_lock 2025-01-29 07:16:47 -07:00
blk-integrity.c for-6.18/block-20250929 2025-10-02 10:16:56 -07:00
blk-ioc.c copy_process: pass clone_flags as u64 across calltree 2025-09-01 15:31:34 +02:00
blk-iocost.c block: use min() instead of min_t() 2025-11-20 07:44:29 -07:00
blk-iolatency.c blk-mq: add QUEUE_FLAG_BIO_ISSUE_TIME 2025-09-10 05:23:45 -06:00
blk-ioprio.c blk-cgroup: Simplify policy files registration 2025-03-11 09:22:55 -10:00
blk-ioprio.h blk-ioprio: remove per-disk structure 2024-07-28 16:47:51 -06:00
blk-lib.c block: ignore __blkdev_issue_discard() return value 2025-11-25 12:19:39 -07:00
blk-map.c block: accumulate memory segment gaps per bio 2025-11-06 18:11:58 -07:00
blk-merge.c Revert "block: consider discard merge last" 2025-11-18 15:00:12 -07:00
blk-mq-cpumap.c blk-mq: add number of queue calc helper 2025-07-01 10:24:19 -06:00
blk-mq-debugfs.c blk-mq: add QUEUE_FLAG_BIO_ISSUE_TIME 2025-09-10 05:23:45 -06:00
blk-mq-debugfs.h block: Replace zone_wlock debugfs entry with zone_wplugs entry 2024-04-17 08:44:03 -06:00
blk-mq-dma.c block-dma: properly take MMIO path 2025-11-14 05:09:56 -07:00
blk-mq-sched.c block: use {alloc|free}_sched data methods 2025-11-13 09:27:49 -07:00
blk-mq-sched.h block: use {alloc|free}_sched data methods 2025-11-13 09:27:49 -07:00
blk-mq-sysfs.c blk-mq: Move flush queue allocation into blk_mq_init_hctx() 2025-09-08 08:05:32 -06:00
blk-mq-tag.c blk-mq: use array manage hctx map instead of xarray 2025-11-28 09:09:19 -07:00
blk-mq.c blk-mq: fix potential uaf for 'queue_hw_ctx' 2025-11-28 09:09:19 -07:00
blk-mq.h blk-mq: use array manage hctx map instead of xarray 2025-11-28 09:09:19 -07:00
blk-pm.c block: force noio scope in blk_mq_freeze_queue 2025-01-31 07:20:08 -07:00
blk-pm.h block: Remove unused blk_pm_*() function definitions 2021-02-22 06:33:48 -07:00
blk-rq-qos.c block: avoid cpu_hotplug_lock depedency on freeze_lock 2025-08-21 07:11:11 -06:00
blk-rq-qos.h block: validate QoS before calling __rq_qos_done_bio() 2025-08-26 10:34:08 -06:00
blk-settings.c block: add lockdep to queue_limits_commit_update() 2025-11-11 07:51:08 -07:00
blk-stat.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
blk-stat.h treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
blk-sysfs.c block: Remove queue freezing from several sysfs store callbacks 2025-11-18 15:00:11 -07:00
blk-throttle.c block/blk-throttle: Remove throtl_slice from struct throtl_data 2025-11-17 09:39:48 -07:00
blk-throttle.h blk-throttle: fix access race during throttle policy activation 2025-09-08 08:24:44 -06:00
blk-timeout.c block: blk-timeout: delete duplicated word 2020-07-31 16:29:47 -06:00
blk-wbt.c blk-wbt: Eliminate ambiguity in the comments of struct rq_wb 2025-08-11 10:21:38 -06:00
blk-wbt.h blk-wbt: remove the separate write cache tracking 2023-12-26 09:28:10 -07:00
blk-zoned.c block: fix NULL pointer dereference in disk_report_zones() 2025-11-13 09:10:04 -07:00
blk.h block: unify elevator tags and type xarrays into struct elv_change_ctx 2025-11-13 09:27:49 -07:00
bsg-lib.c block: remove unused parameter 'q' parameter in __blk_rq_map_sg() 2025-03-13 05:46:19 -06:00
bsg.c SCSI misc on 20230629 2023-06-30 11:57:07 -07:00
disk-events.c block: move bdev_mark_dead out of disk_check_media_change 2023-10-28 13:29:23 +02:00
early-lookup.c wrapper for access to ->bd_partno 2024-05-02 17:48:09 -04:00
elevator.c block: use {alloc|free}_sched data methods 2025-11-13 09:27:49 -07:00
elevator.h block: remove the declaration of elevator_init_mq function 2025-11-18 16:27:19 -07:00
fops.c block: move bio_iov_iter_get_bdev_pages to block/fops.c 2025-10-07 08:05:44 -06:00
genhd.c block: Remove references to __device_add_disk() 2025-11-25 10:36:37 -07:00
holder.c block: fix deadlock between bd_link_disk_holder and partition scan 2024-02-23 07:44:19 -07:00
ioctl.c block: introduce BLKREPORTZONESV2 ioctl 2025-11-05 08:07:21 -07:00
ioprio.c block: remove test of incorrect io priority level 2025-05-08 09:04:12 -06:00
Kconfig block: Remove obsolete configs BLK_MQ_{PCI,VIRTIO} 2025-05-14 05:43:56 -06:00
Kconfig.iosched block: Default to use cgroup support for BFQ 2023-01-30 09:42:42 -07:00
kyber-iosched.c block: define alloc_sched_data and free_sched_data methods for kyber 2025-11-13 09:27:49 -07:00
Makefile blk-mq: move the DMA mapping code to a separate file 2025-05-16 08:43:41 -06:00
mq-deadline.c block/mq-deadline: Switch back to a single dispatch list 2025-10-20 10:37:42 -06:00
opal_proto.h block: sed-opal: handle empty atoms when parsing response 2024-02-16 15:52:45 -07:00
sed-opal.c block: sed-opal: add ioctl IOC_OPAL_SET_SID_PW 2024-10-22 08:16:40 -06:00
t10-pi.c block: rename tuple_size field in blk_integrity to metadata_size 2025-07-01 14:00:14 +02:00