Re: [PATCH] blkcg: Fix use-after-free of q->root_blkg and q->root_rl.blkg

From: Tejun Heo
Date: Thu Oct 18 2012 - 17:21:29 EST


On Wed, Oct 17, 2012 at 05:45:36PM +0900, Jun'ichi Nomura wrote:
> blk_put_rl() does not call blkg_put() for q->root_rl because we
> don't take request list reference on q->root_blkg.
> However, if root_blkg is once attached then detached (freed),
> blk_put_rl() is confused by the bogus pointer in q->root_blkg.
>
> For example, with !CONFIG_BLK_DEV_THROTTLING &&
> CONFIG_CFQ_GROUP_IOSCHED,
> switching IO scheduler from cfq to deadline will cause system stall
> after the following warning with 3.6:
...
> This patch clears q->root_blkg and q->root_rl.blkg when root blkg
> is destroyed.
>
> Signed-off-by: Jun'ichi Nomura <j-nomura@xxxxxxxxxxxxx>
> Acked-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> Cc: Jens Axboe <axboe@xxxxxxxxx>

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Jens, this one needs Cc: stable.

Thanks.

--
tejun
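The dangling-pointer pattern the commit message describes, as an added example that is not part of the thread and not kernel code: a constructed, heavily simplified C model in which the queue keeps two unreferenced pointers to the root blkg (q->root_blkg and q->root_rl.blkg), the put path has to dereference rl->blkg to decide whether a reference was taken, and the root blkg is destroyed underneath it by a scheduler switch. The struct layouts, the `freed` flag standing in for the allocator, and the function names are assumptions chosen to mirror the message, not the real blk-cgroup code; only the two destroy variants differ, exactly as the patch's clearing of both pointers does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of the structures named in the commit
 * message. Not kernel code: fields and helpers are assumptions. */
struct blkcg { bool is_root; };

struct blkg {
    struct blkcg *blkcg;
    int refcnt;
    bool freed;      /* stands in for the allocator: set once the object is released */
};

struct request_list { struct blkg *blkg; };

struct queue {
    struct blkg *root_blkg;      /* no reference is held through this pointer */
    struct request_list root_rl; /* root_rl.blkg mirrors root_blkg, also unreferenced */
};

static struct blkcg blkcg_root = { .is_root = true };

static void blkg_put(struct blkg *g)
{
    if (--g->refcnt == 0)
        g->freed = true;
}

/* A policy (cfq in the report) creates the root blkg and hangs it off the queue. */
static void root_blkg_attach(struct queue *q, struct blkg *g)
{
    g->blkcg = &blkcg_root;
    g->refcnt = 1;
    g->freed = false;
    q->root_blkg = g;
    q->root_rl.blkg = g;
}

/* Before the patch: the blkg goes away but the queue keeps pointing at it. */
static void root_blkg_destroy_before(struct queue *q, struct blkg *g)
{
    (void)q;
    blkg_put(g);
}

/* After the patch: clear both queue-side pointers when the root blkg dies. */
static void root_blkg_destroy_after(struct queue *q, struct blkg *g)
{
    if (q->root_blkg == g) {
        q->root_blkg = NULL;
        q->root_rl.blkg = NULL;
    }
    blkg_put(g);
}

/* Model of the put path: it must look at rl->blkg to decide whether a
 * reference was taken. Returns true if that look touches released memory,
 * i.e. the use-after-free the patch fixes. */
static bool blk_put_rl_model(struct request_list *rl)
{
    if (rl->blkg == NULL)
        return false;                 /* root_rl without a blkg: nothing to drop */
    if (rl->blkg->freed)
        return true;                  /* dangling pointer: use-after-free */
    if (rl->blkg->blkcg != &blkcg_root)
        blkg_put(rl->blkg);           /* non-root request lists do hold a reference */
    return false;
}

/* Scenario from the report: root blkg attached, scheduler switched (destroying
 * it), then a later request completion releases q->root_rl.
 * Returns true if the put path hit freed memory. */
static bool elevator_switch_scenario(bool patched)
{
    struct blkg cfq_root;
    struct queue q = { .root_blkg = NULL, .root_rl = { .blkg = NULL } };

    root_blkg_attach(&q, &cfq_root);
    if (patched)
        root_blkg_destroy_after(&q, &cfq_root);
    else
        root_blkg_destroy_before(&q, &cfq_root);

    return blk_put_rl_model(&q.root_rl);
}

int main(void)
{
    printf("unpatched: use-after-free=%d\n", elevator_switch_scenario(false));
    printf("patched:   use-after-free=%d\n", elevator_switch_scenario(true));
    return 0;
}
```

The point the model makes is that a pointer which carries no reference is only safe while the owner is guaranteed to clear it on destruction; the NULL check in the put path is what the fix turns into a real guard.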