| Message ID | 20221215033132.230023-1-longman@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | blk-cgroup: Fix potential UAF & flush rstat at blkgs destruction path | expand |
On 12/14/22 22:31, Waiman Long wrote: > v4: > - Update comment and commit logs for both patches. > > v3: > - Drop v2 patch 2 as it may not be needed. > - Replace css_tryget() with percpu_ref_is_zero() in patch 1 as > suggested by Tejun. > - Expand comment on patch 2 to elaborate the reason for this patch. > > v2: > - Remove unnecessary rcu_read_{lock|unlock} from > cgroup_rstat_css_cpu_flush() in patch 3. > > It was found that blkcg_destroy_blkgs() may be called with all blkcg > references gone. This may potentially cause user-after-free and so should > be fixed. The second patch flushes rstat when calling blkcg_destroy_blkgs(). > > Waiman Long (2): > bdi, blk-cgroup: Fix potential UAF of blkcg > blk-cgroup: Flush stats at blkgs destruction path > > block/blk-cgroup.c | 23 +++++++++++++++++++++++ > include/linux/cgroup.h | 1 + > kernel/cgroup/rstat.c | 18 ++++++++++++++++++ > mm/backing-dev.c | 8 ++++++-- > 4 files changed, 48 insertions(+), 2 deletions(-) > Ping! Any comments on these patches. Thanks, Longman
v4: - Update comment and commit logs for both patches. v3: - Drop v2 patch 2 as it may not be needed. - Replace css_tryget() with percpu_ref_is_zero() in patch 1 as suggested by Tejun. - Expand comment on patch 2 to elaborate the reason for this patch. v2: - Remove unnecessary rcu_read_{lock|unlock} from cgroup_rstat_css_cpu_flush() in patch 3. It was found that blkcg_destroy_blkgs() may be called with all blkcg references gone. This may potentially cause user-after-free and so should be fixed. The second patch flushes rstat when calling blkcg_destroy_blkgs(). Waiman Long (2): bdi, blk-cgroup: Fix potential UAF of blkcg blk-cgroup: Flush stats at blkgs destruction path block/blk-cgroup.c | 23 +++++++++++++++++++++++ include/linux/cgroup.h | 1 + kernel/cgroup/rstat.c | 18 ++++++++++++++++++ mm/backing-dev.c | 8 ++++++-- 4 files changed, 48 insertions(+), 2 deletions(-)