Message ID | 20210907121242.2885564-1-lijinlin3@huawei.com
---|---
State | New, archived
Series | blk-throttle: fix UAF by deleting timer in blk_throtl_exit()
On 9/7/21 6:12 AM, Li Jinlin wrote:
> From: Li Jinlin <lijinlin3@huawei.com>
>
> The pending timer has been set up in blk_throtl_init(). However, the
> timer is not deleted in blk_throtl_exit(). This means that the timer
> handler may still be running after freeing the timer, which would
> result in a use-after-free.
>
> Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit().

Applied, thanks.
diff --git a/block/blk-throttle.c b/block/blk-throttle.c index 55c49015e533..dbe49e181a88 100644 --- a/block/blk-throttle.c +++ b/block/blk-throttle.c @@ -2458,6 +2458,7 @@ int blk_throtl_init(struct request_queue *q) void blk_throtl_exit(struct request_queue *q) { BUG_ON(!q->td); + del_timer_sync(&q->td->service_queue.pending_timer); throtl_shutdown_wq(q); blkcg_deactivate_policy(q, &blkcg_policy_throtl); free_percpu(q->td->latency_buckets[READ]);
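Review bot: the new `del_timer_sync(&q->td->service_queue.pending_timer);` line in blk_throtl_exit() would benefit from a one-line comment explaining why it must come first, before `throtl_shutdown_wq(q);` and the `free_percpu()` calls that follow: a timer handler that is still executing (the race the commit message describes) must be waited for before any of the memory it touches is torn down, and del_timer_sync() is the right call here rather than del_timer(), since only the sync variant guarantees the handler has finished on all CPUs. Worth stating in that comment as well is the usual del_timer_sync() constraint, namely that it must not be invoked while holding a lock the timer handler itself acquires, so blk_throtl_exit() relies on being called without such a lock held; the visible context (`BUG_ON(!q->td);` with no lock taken) is consistent with that, but the dependency is easy to break later without a note.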