path: root/block/genhd.c
author: Jan Kara <jack@suse.cz> 2017-03-08 17:48:32 +0100
committer: Jens Axboe <axboe@fb.com> 2017-03-08 10:55:17 -0700
commit: df23de55615fa7a190a85f49a950ccecdd9102f3 (patch)
tree: f8523dabf60992d2b56af7dfa6c447291023db19 /block/genhd.c
parent: b6f8fec4448aa52a8c36a392aa1ca2ea99acd460 (diff)
bdi: Fix use-after-free in wb_congested_put()
bdi_writeback_congested structures get created for each blkcg and bdi regardless of whether the bdi is registered or not. When they are created in an unregistered bdi and the request queue (and thus bdi) is then destroyed while blkg still holds a reference to the bdi_writeback_congested structure, this structure will be referencing a freed bdi and the last wb_congested_put() will try to remove the structure from the already freed bdi.

With commit 165a5e22fafb "block: Move bdi_unregister() to del_gendisk()", SCSI started to destroy bdis without calling bdi_unregister() first (previously it was calling bdi_unregister() even for unregistered bdis) and thus the code detaching bdi_writeback_congested in cgwb_bdi_destroy() was not triggered and we started hitting this use-after-free bug. It is enough to boot a KVM instance with a virtio-scsi device to trigger this behavior.

Fix the problem by detaching bdi_writeback_congested structures in bdi_exit() instead of bdi_unregister(). This is also more logical as they can get attached to a bdi regardless of whether it ever got registered or not.

Fixes: 165a5e22fafb127ecb5914e12e8c32a1f0d3f820
Signed-off-by: Jan Kara <jack@suse.cz>
Tested-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'block/genhd.c')
0 files changed, 0 insertions, 0 deletions