block-5.17-2022-03-04
-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmIihP0QHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgpvWwD/4/Rwu4a7plr7HHYKfS5MaTS62edwWIf2Li zMZaGS0kuS4DSV3Lk5Y4AlGyz7FrWjbV+hWlotQNZuvmGntlLeBmscuYlSdN55NL afRjwhFRmLOfhOJXCsAE2dSqDvReuRdSn9XkDTL/ViByb35UZUaxGR+nTrGQ8B6J DyoA2JVpTVs9B7jtnWoCXKz6TgjFIqT7v29Zd2xE5BrJ/vKpvq0z/4BdJlMBSSKT FJ5IQjuE1dyudxJAVYc7X4+t7HRw0afRItZIxrn294COoMmdazhBelnES65CMLfN u309J2/HGL0hIRI7tb1Gljp2U8oxYgKeg66VPx1LYFoQ0sUqC9rW+sqU8zZky7SG oTzG6ZppSrhTSFhgMYIobChIOKmBRW+tj2BvO6ipKwNJVZbMMFmZogf9K75MJ5U7 L52RdFxf8D5t7lYzl22puBRgzq5G4m2yi6gbV2EMUfWb2SkbbngdVzuG/uJRQv+D 7zE8XqqevOgLsUgS71+1oAgc1h07j4b2ihe1UIY2Zo0rZ27y9MV66cbllG8s0R3y la5xSSi+HuMNcUpmCeERWLf8uXB3Jzwrwo5l7UvpJuPEGSes4jmE+dHsN3r79bV4 I5Td7wjBASFu7LKEJlP1OinKdQWJvbJhahNN+pqQtNMxyK6IvNlQRgqh0EwGJhH+ dqwVNNgkIQ== =drk+ -----END PGP SIGNATURE----- Merge tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a small UAF fix for blktrace" * tag 'block-5.17-2022-03-04' of git://git.kernel.dk/linux-block: blktrace: fix use after free for struct blk_trace
This commit is contained in:
commit
ac84e82f78
|
@ -310,10 +310,20 @@ record_it:
|
|||
local_irq_restore(flags);
|
||||
}
|
||||
|
||||
static void blk_trace_free(struct blk_trace *bt)
|
||||
static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
|
||||
{
|
||||
relay_close(bt->rchan);
|
||||
debugfs_remove(bt->dir);
|
||||
|
||||
/*
|
||||
* If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
|
||||
* under 'q->debugfs_dir', thus lookup and remove them.
|
||||
*/
|
||||
if (!bt->dir) {
|
||||
debugfs_remove(debugfs_lookup("dropped", q->debugfs_dir));
|
||||
debugfs_remove(debugfs_lookup("msg", q->debugfs_dir));
|
||||
} else {
|
||||
debugfs_remove(bt->dir);
|
||||
}
|
||||
free_percpu(bt->sequence);
|
||||
free_percpu(bt->msg_data);
|
||||
kfree(bt);
|
||||
|
@ -335,10 +345,10 @@ static void put_probe_ref(void)
|
|||
mutex_unlock(&blk_probe_mutex);
|
||||
}
|
||||
|
||||
static void blk_trace_cleanup(struct blk_trace *bt)
|
||||
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
|
||||
{
|
||||
synchronize_rcu();
|
||||
blk_trace_free(bt);
|
||||
blk_trace_free(q, bt);
|
||||
put_probe_ref();
|
||||
}
|
||||
|
||||
|
@ -352,7 +362,7 @@ static int __blk_trace_remove(struct request_queue *q)
|
|||
return -EINVAL;
|
||||
|
||||
if (bt->trace_state != Blktrace_running)
|
||||
blk_trace_cleanup(bt);
|
||||
blk_trace_cleanup(q, bt);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -572,7 +582,7 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
|
|||
ret = 0;
|
||||
err:
|
||||
if (ret)
|
||||
blk_trace_free(bt);
|
||||
blk_trace_free(q, bt);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -1616,7 +1626,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
|
|||
|
||||
put_probe_ref();
|
||||
synchronize_rcu();
|
||||
blk_trace_free(bt);
|
||||
blk_trace_free(q, bt);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1647,7 +1657,7 @@ static int blk_trace_setup_queue(struct request_queue *q,
|
|||
return 0;
|
||||
|
||||
free_bt:
|
||||
blk_trace_free(bt);
|
||||
blk_trace_free(q, bt);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue