summaryrefslogtreecommitdiffstats
path: root/block
diff options
context:
space:
mode:
authorYu Kuai <yukuai3@huawei.com>2024-09-02 15:03:27 +0200
committerJens Axboe <axboe@kernel.dk>2024-09-03 17:51:54 +0200
commit0e456dba86c7f9a19792204a044835f1ca2c8dbb (patch)
treea786f1a3a6f64aaddb45d069d49cb2621a127517 /block
parentblock, bfq: fix possible UAF for bfqq->bic with merge chain (diff)
downloadlinux-0e456dba86c7f9a19792204a044835f1ca2c8dbb.tar.xz
linux-0e456dba86c7f9a19792204a044835f1ca2c8dbb.zip
block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()
Consider the following merge chain: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 IO from Process 1 will get bfqf2 from BIC1 first, then bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then handle this IO from bfqq3. However, the merge chain can be much deeper and bfqq3 can be merged to other bfqq as well. Fix this problem by iterating to the last bfqq in bfq_setup_cooperator(). Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") Signed-off-by: Yu Kuai <yukuai3@huawei.com> Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'block')
-rw-r--r--block/bfq-iosched.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 83adac3e71db..ffaa0d56328a 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -2911,8 +2911,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,
struct bfq_iocq_bfqq_data *bfqq_data = &bic->bfqq_data[a_idx];
/* if a merge has already been setup, then proceed with that first */
- if (bfqq->new_bfqq)
- return bfqq->new_bfqq;
+ new_bfqq = bfqq->new_bfqq;
+ if (new_bfqq) {
+ while (new_bfqq->new_bfqq)
+ new_bfqq = new_bfqq->new_bfqq;
+ return new_bfqq;
+ }
/*
* Check delayed stable merge for rotational or non-queueing