Unverified Commit d6f18f6a authored by Lee Jones, committed by Michael Bestas

mm: backing-dev: Take a reference to the bdi in use to prevent UAF



KASAN reports a reproducible issue in the BDI handling code due to a
dereference of a previously freed pointer to 'struct backing_dev_info'
in bdi_unregister().

Because of a distinct lack of locking and/or reference taking,
blk_cleanup_queue() puts the final taken reference to the bdi, which
is then promptly freed by release_bdi().  However, del_gendisk() calls
bdi_unregister() after the fact, which then attempts to dereference
it, causing the kernel to panic.

Bug: 182815710
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: Iaf3dadf3b983a4b7d74d4e273fc676350cfc387f
parent 219ba82c
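
The lifetime rule the commit message describes, as an added example that is not part of the commit or of the kernel sources: a user-space C model in which queue teardown drops a reference before disk teardown unregisters the object. The struct and function names are illustrative, and having the disk hold the extra reference is an assumption, since the patch body is not shown on the page.

```c
/* User-space model of the lifetime problem; added example, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
struct bdi   { int refcnt; int registered; };  /* models struct backing_dev_info */
struct queue { struct bdi *bdi; };             /* owner of the original reference */
struct disk  { struct bdi *bdi_ref; };         /* user that unregisters last */

static int released;                           /* times the release step has run */
static struct bdi *bdi_get(struct bdi *b) { b->refcnt++; return b; }
/* Drop one reference; the final put frees the object (release_bdi() in the text). */
static void bdi_put(struct bdi *b)
{
    if (--b->refcnt == 0) { released++; free(b); }
}

/* Queue teardown puts the queue's reference, like blk_cleanup_queue(). */
static void queue_cleanup(struct queue *q) { bdi_put(q->bdi); q->bdi = NULL; }

/* Disk teardown, like del_gendisk(): unregister via the disk's own reference. */
static int disk_delete(struct disk *d)
{
    if (!d->bdi_ref) return -1;  /* nothing pinned: a real access here would be the UAF */
    d->bdi_ref->registered = 0;  /* the dereference done by bdi_unregister() */
    bdi_put(d->bdi_ref);
    d->bdi_ref = NULL;
    return 0;
}

/* Cleanup then delete; returns how many releases ran BEFORE unregister (-1 on OOM). */
static int teardown(int pin)
{
    struct bdi *b = calloc(1, sizeof(*b));
    struct queue q = { b };
    struct disk d = { NULL };
    int early;
    if (!b) return -1;
    b->refcnt = 1; b->registered = 1; released = 0;
    if (pin) d.bdi_ref = bdi_get(b);  /* assumed fix shape: the user takes a reference */
    queue_cleanup(&q);
    early = released;                 /* 1 = object already freed when unregister runs */
    disk_delete(&d);
    return early;
}

int main(void)
{
    printf("freed early: unpinned=%d pinned=%d\n", teardown(0), teardown(1));
    return 0;
}
```

In the unpinned run the model refuses to touch the object instead of reading freed memory; in the kernel that same ordering is the dereference KASAN flags.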