block, bfq: fix re-introduced UAF in bic_set_bfqq()

Commit eca0025faa96ac ("block, bfq: split sync bfq_queues on a
per-actuator basis"), which is a backport of 9778369a2d6c5e ("block,
bfq: split sync bfq_queues on a per-actuator basis") re-introduces UAF
bug originally fixed by b600de2d7d3a16 ("block, bfq: fix uaf for bfqq in
bic_set_bfqq()") and backported to 6.1 in cb1876fc33af26 ("block, bfq:
fix uaf for bfqq in bic_set_bfqq()").

bfq_release_process_ref() may release the sync_bfqq variable, which
points to the same bfqq as bic->bfqq member for call context from
__bfq_bic_change_cgroup(). bic_set_bfqq() then accesses bic->bfqq member
which leads to the UAF condition.

Fix this by bringing the incriminated function calls back in correct
order.

Fixes: eca0025faa96ac ("block, bfq: split sync bfq_queues on a per-actuator basis")
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Cc: Hagar Hemdan <hagarhem@amazon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index 5d202b775beb49672d6cb741a4ebefe58f1f3326..c202e2527d0536f0d53521e44faf3e15aeaa1fa4 100644 (file)
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -739,8 +739,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd,
                 * old cgroup.
                 */
                bfq_put_cooperator(sync_bfqq);
-               bfq_release_process_ref(bfqd, sync_bfqq);
                bic_set_bfqq(bic, NULL, true, act_idx);
+               bfq_release_process_ref(bfqd, sync_bfqq);
        }
 }