From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Ming Lei <ming.lei@redhat.com>,
	Bart Van Assche <bart.vanassche@wdc.com>,
	xiao jin <jin.xiao@intel.com>, Jens Axboe <axboe@kernel.dk>,
	Guenter Roeck <linux@roeck-us.net>,
	Alessio Balsini <balsini@android.com>
Subject: [PATCH 4.9 26/32] block: blk_init_allocated_queue() set q->fq as NULL in the fail case
Date: Fri,  9 Aug 2019 15:45:29 +0200	[thread overview]
Message-ID: <20190809133923.771602436@linuxfoundation.org> (raw)
In-Reply-To: <20190809133922.945349906@linuxfoundation.org>

From: xiao jin <jin.xiao@intel.com>

commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.

We found a memory use-after-free issue in __blk_drain_queue()
on kernel 4.14. After reading the latest kernel 4.18-rc6 we
think it has the same problem.

Memory is allocated for q->fq in blk_init_allocated_queue().
If the elevator init function is called and returns an error, it will
run into the fail case, which frees q->fq.

Then __blk_drain_queue() uses the same memory after the free
of q->fq, which will lead to unpredictable events.

The patch sets q->fq to NULL in the fail case of
blk_init_allocated_queue().

Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: xiao jin <jin.xiao@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[groeck: backport to v4.4.y/v4.9.y (context change)]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Alessio Balsini <balsini@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -881,6 +881,7 @@ blk_init_allocated_queue(struct request_
 
 fail:
 	blk_free_flush_queue(q->fq);
+	q->fq = NULL;
 	return NULL;
 }
 EXPORT_SYMBOL(blk_init_allocated_queue);
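Review bot: the `q->fq = NULL;` added after `blk_free_flush_queue(q->fq);` at the `fail:` label fixes this one call site only; the pattern here is free-at-the-caller with the caller responsible for clearing the field, so any other path that calls blk_free_flush_queue(q->fq) and then lets the queue reach __blk_drain_queue() or a second free has the same dangling-pointer hazard and needs the same treatment. A one-line comment above the assignment stating why the pointer is cleared (the drain path reads q->fq after a failed init, and a later free must see NULL rather than a stale pointer) would make the intent survive future context changes in this backport.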
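The commit message describes the mechanism but the hunk shows only the one changed line. The following userland model, added here and not kernel code, reproduces the shape of blk_init_allocated_queue()'s fail path so the difference between the buggy and fixed behaviour can be exercised without a kernel: all `model_*` names and the `elevator_fails` / `clear_on_fail` switches are invented for the illustration; only the pattern (allocate, free on an error path, later user reads the same field, later teardown frees it again) follows the kernel code.

```c
/*
 * Added example, not kernel code: a userland model of the fail path in
 * blk_init_allocated_queue() described in the commit message. All model_*
 * names are invented; only the pattern is the kernel's.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct blk_flush_queue. */
struct model_flush_queue {
    int flush_pending;
};

/* Stand-in for struct request_queue; only the q->fq field matters here. */
struct model_queue {
    struct model_flush_queue *fq;
};

/* Stand-in for blk_free_flush_queue(). free(NULL) is a no-op, which is
 * what makes clearing q->fq safe for a later teardown. */
static void model_free_flush_queue(struct model_flush_queue *fq)
{
    free(fq);
}

/*
 * Stand-in for blk_init_allocated_queue(). elevator_fails models the
 * elevator init returning an error; clear_on_fail toggles the one-line fix.
 * Returns q on success and NULL on failure, as the kernel function does.
 */
static struct model_queue *model_init_queue(struct model_queue *q,
                                            bool elevator_fails,
                                            bool clear_on_fail)
{
    q->fq = calloc(1, sizeof(*q->fq));
    if (!q->fq)
        return NULL;

    if (elevator_fails)
        goto fail;

    return q;

fail:
    model_free_flush_queue(q->fq);
    if (clear_on_fail)
        q->fq = NULL;   /* the fix: do not leave a dangling q->fq behind */
    return NULL;
}

/*
 * Stand-in for the later __blk_drain_queue() user. Returns 0 when there is
 * no flush queue, otherwise 1 plus the pending count it read. If q->fq
 * dangles, the read below is the use-after-free.
 */
static int model_drain_queue(struct model_queue *q)
{
    if (!q->fq)
        return 0;
    return 1 + q->fq->flush_pending;
}

/* Stand-in for queue teardown: frees q->fq a second time. Safe only if a
 * failed init left q->fq NULL; otherwise this is a double free. */
static void model_release_queue(struct model_queue *q)
{
    model_free_flush_queue(q->fq);
    q->fq = NULL;
}

/* Runs a failed init with or without the fix and reports whether q->fq was
 * left non-NULL (dangling). Only the pointer value is inspected, never
 * dereferenced, so the unfixed variant is safe to run here. */
static bool model_failed_init_leaves_dangling(bool clear_on_fail)
{
    struct model_queue q = { .fq = NULL };
    struct model_queue *ret = model_init_queue(&q, true, clear_on_fail);
    return ret == NULL && q.fq != NULL;
}

/* Fixed lifecycle after a failed init: drain, then release. Returns the
 * drain result (0: nothing to touch, and the release frees NULL). */
static int model_fixed_fail_path(void)
{
    struct model_queue q = { .fq = NULL };
    model_init_queue(&q, true, true);
    int drained = model_drain_queue(&q);
    model_release_queue(&q);
    return drained;
}

/* Success path for contrast: init succeeds, drain touches the fq once. */
static int model_success_path(void)
{
    struct model_queue q = { .fq = NULL };
    if (!model_init_queue(&q, false, true))
        return -1;
    int drained = model_drain_queue(&q);
    model_release_queue(&q);
    return drained;
}

int main(void)
{
    printf("unfixed fail path leaves q->fq dangling: %s\n",
           model_failed_init_leaves_dangling(false) ? "yes" : "no");
    printf("fixed fail path leaves q->fq dangling:   %s\n",
           model_failed_init_leaves_dangling(true) ? "yes" : "no");
    printf("drain result after fixed failed init: %d, after success: %d\n",
           model_fixed_fail_path(), model_success_path());
    return 0;
}
```

Building the model with `-fsanitize=address` and calling `model_drain_queue()` or `model_release_queue()` after an unfixed failed init makes the use-after-free and double free visible as sanitizer reports; the functions above deliberately avoid doing that so the block runs cleanly as written.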



2019-08-09 13:45 [PATCH 4.9 00/32] 4.9.189-stable review Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 01/32] scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 02/32] ARM: dts: Add pinmuxing for i2c2 and i2c3 for LogicPD SOM-LV Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 03/32] ARM: dts: Add pinmuxing for i2c2 and i2c3 for LogicPD torpedo Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 04/32] ARM: dts: logicpd-som-lv: Fix Audio Mute Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 05/32] arm64: cpufeature: Fix CTR_EL0 field definitions Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 06/32] arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 07/32] tcp: be more careful in tcp_fragment() Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 08/32] HID: wacom: fix bit shift for Cintiq Companion 2 Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 09/32] HID: Add quirk for HP X1200 PIXART OEM mouse Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 10/32] RDMA: Directly cast the sockaddr union to sockaddr Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 11/32] [PATCH] IB: directly cast the sockaddr union to aockaddr Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 12/32] objtool: Add machine_real_restart() to the noreturn list Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 13/32] objtool: Add rewind_stack_do_exit() " Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 14/32] libceph: use kbasename() and kill ceph_file_part() Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 15/32] atm: iphase: Fix Spectre v1 vulnerability Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 16/32] net: bridge: delete local fdb on device init failure Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 17/32] net: bridge: mcast: dont delete permanent entries when fast leave is enabled Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 18/32] net: fix ifindex collision during namespace removal Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 19/32] net/mlx5: Use reversed order when unregister devices Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 20/32] net: sched: Fix a possible null-pointer dereference in dequeue_func() Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 21/32] tipc: compat: allow tipc commands without arguments Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 22/32] compat_ioctl: pppoe: fix PPPOEIOCSFWD handling Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 23/32] ip6_tunnel: fix possible use-after-free on xmit Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 24/32] ife: error out when nla attributes are empty Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 25/32] bnx2x: Disable multi-cos feature Greg Kroah-Hartman
2019-08-09 13:45 ` Greg Kroah-Hartman [this message]
2019-08-09 13:45 ` [PATCH 4.9 27/32] spi: bcm2835: Fix 3-wire mode if DMA is enabled Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 28/32] x86: cpufeatures: Sort feature word 7 Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 29/32] x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 30/32] x86/speculation: Enable " Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 31/32] x86/entry/64: Use JMP instead of JMPQ Greg Kroah-Hartman
2019-08-09 13:45 ` [PATCH 4.9 32/32] x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS Greg Kroah-Hartman
2019-08-09 19:59 ` [PATCH 4.9 00/32] 4.9.189-stable review Daniel Díaz
2019-08-10 10:14   ` Greg Kroah-Hartman
2019-08-09 22:07 ` shuah
2019-08-10  7:09   ` Greg Kroah-Hartman
2019-08-10  4:55 ` kernelci.org bot
2019-08-10 15:45 ` Guenter Roeck
2019-08-11  7:37   ` Greg Kroah-Hartman
