author | Yu Kuai <yukuai3@huawei.com> | 2024-09-02 15:03:27 +0200 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2024-09-03 17:51:54 +0200 |
commit | 0e456dba86c7f9a19792204a044835f1ca2c8dbb (patch) | |
tree | a786f1a3a6f64aaddb45d069d49cb2621a127517 /block | |
parent | block, bfq: fix possible UAF for bfqq->bic with merge chain (diff) | |
block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()
Consider the following merge chain:

    Process 1       Process 2       Process 3       Process 4
     (BIC1)          (BIC2)          (BIC3)          (BIC4)
      Λ                |               |               |
       \--------------\ \-------------\ \-------------\|
                       V               V               V
      bfqq1--------->bfqq2---------->bfqq3----------->bfqq4

IO from Process 1 will get bfqq2 from BIC1 first, then
bfq_setup_cooperator() will find bfqq2 already merged to bfqq3 and then
handle this IO from bfqq3. However, the merge chain can be much deeper
and bfqq3 can be merged to other bfqq as well.
Fix this problem by iterating to the last bfqq in
bfq_setup_cooperator().
Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'block')
-rw-r--r-- | block/bfq-iosched.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 83adac3e71db..ffaa0d56328a 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -2911,8 +2911,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, struct bfq_iocq_bfqq_data *bfqq_data = &bic->bfqq_data[a_idx]; /* if a merge has already been setup, then proceed with that first */ - if (bfqq->new_bfqq) - return bfqq->new_bfqq; + new_bfqq = bfqq->new_bfqq; + if (new_bfqq) { + while (new_bfqq->new_bfqq) + new_bfqq = new_bfqq->new_bfqq; + return new_bfqq; + } /* * Check delayed stable merge for rotational or non-queueing |
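Review bot: the `while (new_bfqq->new_bfqq)` walk added to bfq_setup_cooperator() has no bound and no cycle guard, so it terminates only if the merge chain is acyclic and every queue on it stays valid while it is traversed. Please state that invariant, and what keeps the intermediate queues alive during the walk, in the comment above the loop. That comment still reads "if a merge has already been setup, then proceed with that first" and should now say that the last queue of the chain is returned rather than the immediate `bfqq->new_bfqq`. The hunk also assigns to `new_bfqq` without a visible declaration, so it relies on a local declared outside the shown context; worth confirming that nothing later in the function depends on it still being unset when `bfqq->new_bfqq` is NULL.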