CVE-2022-50086

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

block: don't allow the same type rq_qos add more than once

In our test of iocost, we encountered some list add/del corruptions of
inner_walk list in ioc_timer_fn.

The reason can be described as follows:

    cpu 0                               cpu 1
    ioc_qos_write                       ioc_qos_write

    ioc = q_to_ioc(queue);
    if (!ioc) {
            ioc = kzalloc();
                                        ioc = q_to_ioc(queue);
                                        if (!ioc) {
                                                ioc = kzalloc();
                                                ...
                                                rq_qos_add(q, rqos);
                                        }
            ...
            rq_qos_add(q, rqos);
            ...
    }

When the io.cost.qos file is written by two cpus concurrently, rq_qos may
be added to one disk twice. In that case, there will be two iocs enabled
and running on one disk. They own different iocgs on their active list. In
the ioc_timer_fn function, because the iocgs from two iocs have the
same root iocg, the root iocg's walk_list may be overwritten by each other
and this leads to list add/del corruptions in building or destroying the
inner_walk list.

And so far, the blk-rq-qos framework works in case that one instance for
one type rq_qos per queue by default. This patch makes this explicit and
also fixes the crash above.
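The interleaving in the diagram above can be replayed deterministically in user space. This is an added example, not the kernel patch: the structures are simplified stand-ins, `find_rqos`, `replay_race` and the two `rq_qos_add_*` variants are hypothetical names, and returning `-EBUSY` for a duplicate is this model's choice.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified user-space stand-ins for the kernel structures (assumed layout). */
enum rq_qos_id { RQ_QOS_WBT, RQ_QOS_LATENCY, RQ_QOS_COST };
struct rq_qos { enum rq_qos_id id; struct rq_qos *next; };
struct request_queue { struct rq_qos *rq_qos; };

/* Look up a policy by type; q_to_ioc() in the description is the iocost case. */
static struct rq_qos *find_rqos(struct request_queue *q, enum rq_qos_id id)
{
    for (struct rq_qos *r = q->rq_qos; r; r = r->next)
        if (r->id == id)
            return r;
    return NULL;
}

/* Before: unconditional insert, so the caller's earlier lookup is the only guard. */
static int rq_qos_add_unchecked(struct request_queue *q, struct rq_qos *rqos)
{
    rqos->next = q->rq_qos;
    q->rq_qos = rqos;
    return 0;
}

/* After: "one instance per type per queue" is enforced inside the add itself.
 * In real concurrent code the check and the insert must share one lock. */
static int rq_qos_add_checked(struct request_queue *q, struct rq_qos *rqos)
{
    if (find_rqos(q, rqos->id))
        return -EBUSY;
    return rq_qos_add_unchecked(q, rqos);
}

/* Replay the diagram: both writers look up before either adds, then cpu 1
 * adds, then cpu 0. Returns how many iocost instances end up on the queue. */
static int replay_race(int (*add)(struct request_queue *, struct rq_qos *))
{
    struct request_queue q = { NULL };
    struct rq_qos a = { RQ_QOS_COST, NULL }, b = { RQ_QOS_COST, NULL };
    int cpu0_missing = find_rqos(&q, RQ_QOS_COST) == NULL; /* cpu 0: if (!ioc) */
    int cpu1_missing = find_rqos(&q, RQ_QOS_COST) == NULL; /* cpu 1: if (!ioc) */
    int n = 0;

    if (cpu1_missing) add(&q, &b);
    if (cpu0_missing) add(&q, &a);
    for (struct rq_qos *r = q.rq_qos; r; r = r->next)
        n += (r->id == RQ_QOS_COST);
    return n;
}

int main(void)
{
    return !(replay_race(rq_qos_add_unchecked) == 2 && replay_race(rq_qos_add_checked) == 1);
}
```

With the unchecked add, both stale lookups lead to an insert and the queue carries two iocost instances, which is the precondition for the walk_list corruption described above.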

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.15.61 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.18 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 5.19.2 (excluding) |